Vulnerability Development mailing list archives

Re: distributed.net and seti@home


From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Sat, 29 Jan 2000 02:14:58 -0800


Robert, (and list :) -- with distributed.net and seti@home, I am not so
concerned with open ports -- the client goes to the trouble of downloading
input data all on its own, so an open port would be superfluous. (sp?)

I am thinking more along the lines of a buffer overflow, or
"u17r4-s3cr3t-31337-b@ckd00r", or something like that.

My personal guess is both distributed.net and seti@home are secure enough
for most everyone's purposes. But, that is a guess, and I haven't seen
anyone try to see if there is a way to get either of them to execute code
through malformed (or perfectly-formed :) data downloads. It would make me
feel a lot better if someone out there (whitehat :) would take the trouble
to try to find holes to be exploited -- because I know of a LOT of machines
that could be compromised in extremely vulnerable positions -- all with the
blessings of system administrators trying to be politically active or just
hoping to find aliens. :)

Wouldn't it be annoying to wake up one day to find your whole organization
has been 0wned as a result of running rc5 from distributed.net?

I am not saying it would be easy, or even practical, but it might be worth
checking into. :)

Thanks

On Sat, Jan 29, 2000 at 01:21:09AM -0500, Robert Wojciechowski Jr. wrote:
----- Original Message -----
From:       Seth R Arnold [SMTP:sarnold () WILLAMETTE EDU]
Reply To:   Seth R Arnold [SMTP:sarnold () WILLAMETTE EDU]
Sent:       Friday, January 28, 2000, 21:41:04
To:         VULN-DEV () SECURITYFOCUS COM
Subject:    distributed.net and seti@home

Hello.

I have seen many reports of insecurities of ICQ, and while this is A Good
Thing, a program that would likely be in use on more computers is
distributed.net's rc5 (or other) programs, or seti@home's client. They are
often installed by default on server farms, lab machines, as well as
countless home machines.

Has anyone taken a close look at these programs? I sure haven't. It might
be a good thing to check on... :)

----- End Of Original Message -----

Seth,

I think that programs such as the distributed.net and seti@home clients
don't have open ports, they just contact the servers when they need more
blocks to process, and send blocks to the servers when complete.

I haven't checked myself if there are open ports (someone can find this out
easily by viewing what ports are open on their computer in listen mode), but
I doubt there are.

Anyone care to check?

Robert S. Wojciechowski Jr.
robertw () wojo com

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!


