Vulnerability Development mailing list archives

Re: distributed.net and seti@home

From: robertw () WOJO COM (Robert Wojciechowski Jr.)
Date: Sat, 29 Jan 2000 17:58:19 -0500


If the clients contact the server, the only way to exploit the clients is to
make the client contact your own server I suppose.

This could be done via changing DNS records manually on a upstream DNS
server, a hacked client, an entry in the hosts file, etc.  The all require
pretty much elevated access to the network (admin status) or the computer,
in which case you don't have to use the distributed clients to hack into the
machine.

I think it is possible in some cases to insert a DNS cache entry into a DNS
server manually, and you can fool all the clients that use that DNS server
to contact your own server.  Then you could send custom packets back to the
client to overflow it, etc.

That's about all I can think about right now.  It's the weekend, and I am
going to be lazy ;)

- Robert

----- Original Message -----
From: Seth R Arnold [SMTP:sarnold () willamette edu]
Sent: Saturday, January 29, 2000, 5:14:58
To:   Robert Wojciechowski Jr.
Cc:   'VULN-DEV () SECURITYFOCUS COM'
Subject:      Re: distributed.net and seti@home

Robert, (and list :) -- with distributed.net and seti@home, I am not so
concerned with open ports -- the client goes to the trouble of downloading
input data all on its own, so an open port would be superfluous. (sp?)

I am thinking more along the lines of a buffer overflow, or
"u17r4-s3cr3t-31337-b@ckd00r", or something like that.

My personal guess is both distributed.net and seti@home are secure enough
for most everyone's purposes. But, that is a guess, and I haven't seen
anyone try to see if there is a way to get either of them to execute code
through malformed (or perfectly-formed :) data downloads. It would make me
feel a lot better if someone out there (whitehat :) would take the trouble
to try to find holes to be exploited -- because I know of a LOT of

machines

that could be compromised in extremely vulnerable positions -- all with

the

blessings of system administrators trying to be politically active or just
hoping to find aliens. :)

Wouldn't it be annoying to wake up one day to find your whole organization
has been 0wned as a result of running rc5 from distributed.net?

I am not saying it would be easy, or even practical, but it might be worth
checking into. :)


Robert S. Wojciechowski Jr.
robertw () wojo com

Current thread:

distributed.net and seti@home Seth R Arnold (Jan 28)
- Re: distributed.net and seti@home Justin Lintz (Jan 28)
- Re: distributed.net and seti@home CyberPsychotic (Jan 30)
- <Possible follow-ups>
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 28)
  - Re: distributed.net and seti@home Seth R Arnold (Jan 29)
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 29)
  - Re: distributed.net and seti@home Blue Boar (Jan 30)
- Re: distributed.net and seti@home Shashi Dookhee (Jan 30)
  - Re: distributed.net and seti@home Matthew Pemble (Jan 30)
  - Re: distributed.net and seti@home hypnos (Jan 30)
  - Oracle liberal world (Jan 30)
- Re: distributed.net and seti@home Bryce Walter (Jan 30)