Post #4, 2003-04-11, 11:20
ET_ ("Luigi", Team Italia, member since Aug 2002)

Here is the description of the vulnerability related to Seti@home clients and server.

HTH
----------------
Vulnerable versions:
All versions under 3.08

The seti@home clients use the HTTP protocol to download new work units, user information and to register new users. The implementation leaves two security vulnerabilities:

1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.

2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value, which can lead to remote code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use an HTTP proxy, and an attacker could also use the machine the proxy runs on as a base for this attack. Routers can also be used as a base for this attack.

3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.

Exploitation of the bug in the server has not been tested. It should be noted that a successful exploitation of the bug in the server would offer a platform from which all seti@home clients can be exploited.
-------

Luigi
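The overflow in point 2 of the quoted advisory is the classic pattern of copying bytes up to a newline into a fixed-size buffer with no length check. The C example below is added here for illustration and is not Seti@home's code or the advisory's: the function names, the RESP_MAX limit and the sample response lines are all assumptions constructed for this example. It places the flawed reader next to a bounded one and shows why an oversized line should be rejected outright rather than silently truncated.

```c
/* Added example (not Seti@home's code): a bounded line reader for an
 * HTTP-style response handler, illustrating the defence against the
 * "overly long string followed by '\n'" overflow described above.
 * Function names, RESP_MAX and the sample lines are assumed. */
#include <stdio.h>
#include <string.h>

#define RESP_MAX 256   /* constructed limit for one response line */

/* The flawed pattern: copy bytes up to '\n' into a fixed buffer with no
 * bound. A response line longer than the destination writes past its end
 * and, on the stack, can overwrite the saved return address (the "eip"
 * control the advisory mentions). Kept only for contrast; never use on
 * untrusted data. */
void read_line_unbounded(const char *src, char *dst) {
    while (*src && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened version: never write more than dst_size-1 bytes plus the NUL,
 * and report an error if the line did not end before the limit.
 * Rejecting instead of truncating is deliberate: a truncated line would be
 * parsed as a valid but different response and the rest of the oversized
 * line would be read as the next message, desynchronising the protocol.
 * Returns the line length on success, -1 on an oversized line. */
int read_line_bounded(const char *src, char *dst, size_t dst_size) {
    size_t n = 0;
    if (dst_size == 0)
        return -1;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= dst_size) {   /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;             /* oversized line: reject it */
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Handle one response line in a stack buffer of RESP_MAX bytes.
 * Returns 1 if the line was accepted for parsing, 0 if it was dropped. */
int handle_response(const char *wire) {
    char line[RESP_MAX];
    if (read_line_bounded(wire, line, sizeof line) < 0)
        return 0;   /* dropped: the line would not fit the buffer */
    /* parse `line` here; it is NUL-terminated and within bounds */
    return 1;
}

int main(void) {
    /* Constructed sample responses; a real client reads these from the socket. */
    const char *ok = "HTTP/1.0 200 OK\n";
    char huge[1024];
    memset(huge, 'A', sizeof huge - 2);
    huge[sizeof huge - 2] = '\n';
    huge[sizeof huge - 1] = '\0';
    printf("short line accepted:     %d\n", handle_response(ok));
    printf("oversized line accepted: %d\n", handle_response(huge));
    return 0;
}
```

The same bound applies to every place the client copies network data into a fixed buffer, not only the first response line; the practical check is that no copy loop's termination depends solely on a delimiter that the remote side controls.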