Exploit Found in Seti@Home
Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)
I wonder whether aliens are exploiting this to control us /me screams and runs in fear.
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.i686-pc-linux-gnu.tar
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.sparc-sun-solaris2.6.tar
Can't seem to find 'em on wcarchive.cdrom.com, the other mirror site -- anyone got a link?
Carousel is a lie!
Something tells me that this exploit is going to lead to a lot more people getting fired than, say, that OpenSSH one a while back.
But I already run a public warez server!
Just a bunch of h4x0rs having fun again? Dang.
the Aliens doing this. Not to worry though. I will use my I-Book to hack into their systems and upload a virus.
I'm sure the Aliens will love it when we try to DoS attack them. That's one way to make friends with a new species. "Oh sorry about that, yeah we're a smart world, REALLY!!"
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
If the aliens would be exploiting that, our computers would be full of alien pr0n, which it isn't the case... Right? RIGHT?
I demand the Cone of Silence!
distributed.net in support of Team Slashdot. Let's crack that RC5-72 so that we can move on to RC5-128! Only 657,374 days (~1800 years) left to go!
- There was a potential buffer overrun in the networking code of the client that is fixed with version 3.08. Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge, no SETI@home client has ever been attacked in this manner.
Whereas Jamie claims that
- an Exploit [sic.] was found in Seti@Home and there is code exploiting the hole actually running about in the wild.
Can anybody help clear this up until the linked site gets back online?
"If you think education is expensive, try ignorance" - Derek Bok
Well, let's see here. I'm going to be reading data from an untrusted source. So, I feel it's safe to assume that this data will be no longer than, oh, let's say 100 characters. Yeah, 100. I mean, who would send more than that. That'd be crazy!
That'd be about as crazy as wasting cycles on checking the length of my input. Or, dynamically allocating buffers. Or, using safe, bounded copy/read instructions. What kind of wacko would do that! Hah!
Justin Dubs
Look! Their site is down! Someone must have used this exploit to launch a DoS on them! Oh wait... damn you slashdot!
Everybody denies I am a genius--but nobody ever called me one!
at least it's doing something useful... rather than just pointlessly scanning some random data with no hope of finding anything.
I'm smarter than the average bear.
over here.
"If you think education is expensive, try ignorance" - Derek Bok
running winxp on the spaceship woo -.-
This sig was cut off by the sla
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
PATCHED VERSIONS
Are available
BACKGROUND INFORMATION
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
"The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"
There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.
THE VULNERABILITIES
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
THE TECHNIQUE
1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server
Live to be Moderated
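As an added illustration of the bug class the advisory describes (and of the "nobody sends more than 100 characters" assumption Justin Dubs mocks above), here is constructed C that is not SETI@home's code: a response-line reader that copies until '\n' into a fixed 100-byte buffer, beside a bounded version that refuses overlong lines. The buffer size, function names and sample lines are assumptions.

```c
/* Added example (constructed, not SETI@home code): a newline-terminated server
 * response copied into a fixed buffer, beside a reader that refuses overlong lines. */
#include <string.h>

#define LINE_BUF 100   /* the "nobody sends more than 100 chars" assumption */

/* Vulnerable: copies until '\n' with no check on dst's size; a longer line
 * writes past the end of dst (the overflow the advisory describes). */
static size_t read_line_unbounded(const char *src, size_t srclen, char *dst)
{
    size_t n = 0;
    while (n < srclen && src[n] != '\n') { dst[n] = src[n]; n++; }
    dst[n] = '\0';
    return n;
}

/* Hardened: never writes beyond dstsz bytes. Returns the line length, or -1
 * when no '\n' fits in the buffer, so the caller can close the connection. */
static long read_line_bounded(const char *src, size_t srclen, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (n < srclen && src[n] != '\n') {
        if (n + 1 >= dstsz) return -1;   /* line plus its NUL would not fit */
        dst[n] = src[n];
        n++;
    }
    if (n == srclen) return -1;          /* data ended before a '\n' */
    dst[n] = '\0';
    return (long)n;
}

/* Constructed inputs: a normal status line, which both readers handle alike,
 * and a 299-byte line that only the bounded reader refuses. */
static long short_line_len(void)
{
    char a[LINE_BUF], b[LINE_BUF];
    const char *good = "HTTP/1.0 200 OK\n";
    size_t u = read_line_unbounded(good, strlen(good), a);          /* safe: 15 < 100 */
    long bnd = read_line_bounded(good, strlen(good), b, sizeof b);
    return (bnd == (long)u && strcmp(a, b) == 0) ? bnd : -2;        /* 15 */
}

static long oversized_line_len(void)
{
    char buf[LINE_BUF], big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    return read_line_bounded(big, sizeof big, buf, sizeof buf);    /* -1: rejected */
}
```

The bounded reader stops writing at byte 99 and reports the failure, so the 299-byte line never reaches the stack beyond `buf`; the unbounded reader would have kept copying.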
Are many individuals (on their own machines and not the company hardware) actually running the SETI client? I started it back in 1999 but gave up when I discovered that it took about 24hrs to process one unit on my 366 Toshiba laptop making it rather unlikely that at that rate I would live long enough to find anything. To be honest I had pretty much forgotten about the project altogether.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Can anyone give any practical advice on how to figure out if your own system has been compromised? No, I don't have any tripwires installed :-(
Find free books.
Does anyone know if this exploit affects folding@home clients? I do not know if they use the same engine or if the '@Home' name is the only thing they have in common.
This is in the SETI@home FAQ ( http://setiathome.berkeley.edu/faq.html#q1.9 ), it reads:
Why don't you release the source code?
We decided not to make source code available for security reasons and for science reasons as well. We have to have everyone do the exact same analysis, or we can't have any control over our research and be confident in our results. We were also worried that there may be a few people that want to deliberately try to screw up our database and server.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Good thing the 20 computers I'm running it on aren't even mine!
The coolest voice ever.
Yes, that's a good answer, except that it completely ignores the facts that
1. People have turned in fake results
2. People have deliberately tried to screw up their database and server
3. There are apparently security holes in the client which would have been noticed much sooner if the code was open.
Tarsnap: Online backups for the truly paranoid
Let me think about that for a second.... Ummmm... No.
I just hate the people who go around saying "Your distributed computing project sucks! You should run instead!". Why don't you run whatever you want to run, and let others run whatever they want to run? Sounds reasonable? That's what I thought. Now: Shut the fuck up.
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
BTW, your sig makes perfect sense if you understand that, in C, straight numeric constants are assumed to be integers, and hence 1/2 is equal to zero. The obvious fix is to change that to 1.0/2.0. Gotta love it when people complain about non-issues...
Incidentally, Java has similar rules, it's just more verbose when warning about type mismatches and loss of precision.
That would seem to be a reasonable request but if fulfilled, it would lead to people using the source code and applying their own optimizations to it. Many people view Seti@home in a competitive way; there have been contests, and people have cheated by saving a work-unit that was all but done and repeatedly re-processed and submitted it to artificially inflate their stats or win.
The problem is Seti@home is science, and a primary requirement for science is that results must be repeatable. If I were for example to recompile the program for athlon optimisation, it probably wouldn't be too big a deal and might gain me an advantage of 20 min to an hour for each work-unit, which are averaging about 27 hours on my older machine. Sooner or later somebody is going to take apart the program and start changing the math involved which would increase the advantage but absolutely kill reproducibility.
I think that this exploit would be pretty hard to exploit because you would have to intercept the IP address of the seti@home server, and redirect to a malicious server to exploit it. It would be easier to just exploit one of the many other easier to exploit security holes out there.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Where do you download the software for warez servers and DoS clients? I know some people who have old DOS programs that they need to run for their business, and they also need a warez server to search for stock quotes online and tell them "ware" they are.
This advisory came 4 months late. While I'm glad this person contacted Seti first before releasing the advisory, I cannot believe that it took them two months to fix a buffer overflow! While seti@home isn't a mission critical app, I would think the seti people would want to release a new version very quickly, at the very least so that they know that their personal computers can't get exploited.
Bah, forgot about a username.
Only dead fish swim with the stream...
I suppose if it's documented to only work in certain cases, that's acceptable, however, the code that calls it without checking the input is then broken, and buggy. It should be fixed. If it can't be checked before calling the functionality, then the functionality better work for all inputs. That's good software. Stuff that just assumes that unsafe input will never, ever be put in, is a bug. A security hole. It's not reusable code. Reusable code checks inputs. Reusable code fails gracefully. Reusable code returns error codes indicating invalid inputs. Reusable code doesn't have security flaws in it.
Distributing code that won't handle all input cases for use in a public distributed computing project for the sake of speed is irresponsible, and stupid. Now, I'm a lot more likely to just never run one of the distributed projects than to risk security flaws if they are willing to sacrifice security for their speed. Security should be the winning factor in all concerns when writing software. When trading security for speed is an option, don't take it. Security or ease of use, take security. Security or correctness, re-write the software using a new protocol, or new algorithm, but still take security and document the correctness flaw. Right now I only run them on machines that don't have any valuable information on them, but I'd prefer they not be used in a DDoS, so it'll probably get stripped off all my machines.
This is the reason employers have problems when their employees run Seti@Home (and indeed, any unauthorized software) on their machines.
As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.
And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.
Should have taken your own advice.
NO CARRIER
You can just FTP to ftp://alien.ssl.berkeley.edu/pub/ and see for yourself what's there.
When I checked, the only 3.08 versions available were the GUI versions for Windows and Mac OS 9 (not OS X), and the two command line versions mentioned above (x86 Linux and Sparc Solaris). The ones I personally care about, the command line versions for WinNT and OS X, were not there yet.
So... for those people who installed Seti on 100 machines at school/work, are you updating them RIGHT NOW? One guy where I am put Seti on a bunch of cluster machines because, after all, no one else is using them. I certainly hope that he's working unpaid overtime patching his (against the rules) pet project.
-- Is "Sig" copyrighted by www.sig.com?
This exploit really isn't as bad as people here like to make it out to be. In order to perform this buffer overrun, you would have to trick the S@H client to connect to a different server. Short of actually breaking into the host computer of the client, I believe this would prove extremely difficult (anyone know how to do this?).
And as was mentioned in the advisory, there has been no reported case of this actually being exploited (outside of proof of concept of course, where the discoverer changed the S@H server address in the client itself).
In addition, I noted how the S@H team seemed to neglect optimizing the client, so I got into other projects. S@H sucks particularly on the K6. My P2-350 runs it over twice as fast as the K6-2 of similar MHz, partly because it can use the 686 optimized version.
I still prefer S@H over things like distributed.net; the latter poses purely mathematical problems, which IMHO should not be bruteforced. The RC5 crack is plain silly, and the OGR is something that might be 'solved' by other means some day. In addition, things like protein folding could use a proper theory, as you can only bruteforce individual cases. But there's no scientific shortcut in SETI, you just have to keep looking.
Escher was the first MC and Giger invented the HR department.
THE SLANT
The Slant
pffft, that's like "optimizing a shell script."
Don't laugh too loud.
There's always room for optimization, particularly in terms of the algorithms used. Sure, one may lose 3x the speed due to the implementation details -- but if one gets back 10x the speed by switching to a more efficient algorithm, it's still a net win. (In particular, I recall writing a clever Python implementation of a function which outperformed a naive C implementation by about a hundredfold).
Further, just because bash is slower than dirt doesn't mean that's true of all shells -- ash, for instance, is much faster.
To get back on track, btw, I'm inclined to agree with the call that code with bugs or unhandled corner cases introduced for purposes of performance, footprint or whatever should never be considered reusable unless each of those unhandled cases is reviewed before each reuse -- and only rarely even then.
Thoughtcrime?! More newspeak. Your duckspeak betrays total blackwhite to the prolefeed-quality conspiracy theories. There is no cabal. Crimestop immediately for masshappy.
Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.