Slashdot Mirror


Exploit Found in Seti@Home

Jamie noted that an exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)


  1. Aliens exploiting? by Anonymous Coward · · Score: 5, Funny

    I wonder whether aliens are exploiting this to control us /me screams and runs in fear.

    1. Re:Aliens exploiting? by Waffle+Iron · · Score: 5, Funny

      >I wonder whether aliens are exploiting this to control us /me screams and runs in fear.

      Of course they are exploiting SETI. They obviously hack into all systems that find positive results and surreptitiously replace them with random noise.

      They are covering their tracks. How else could you explain this suspicious lack of alien signal evidence after all of these years of searching? This is a coverup of galactic proportions.

  2. Too late... by Anonymous Coward · · Score: 5, Funny

    But I already run a public warez server!

  3. Everyone knows its... by Chris_Stankowitz · · Score: 5, Funny

    the Aliens doing this. Not to worry though. I will use my I-Book to hack into their systems and upload a virus.

  4. Re:Firings... by fadeaway · · Score: 5, Insightful

    Why is there always an assumption that exploits=firings? If it was intentionally added, yes, but if it's an honest mistake why do heads have to roll?

    Coders make mistakes. That's why they put a backspace key on keyboards.

  5. Re:Firings... by Anonymous Coward · · Score: 5, Funny
    >coders make mistakes. That's why they put a backspace key on keyboards.


    No, the backspace is there for the users. We allow it on our keyboards because it is cheaper than having separate keyboards for programmers!

  6. This IS being used! by Adler · · Score: 5, Funny

    Look! Their site is down! Someone must have used this exploit to launch a DoS on them! Oh wait... damn you slashdot!

    --

    Everybody denies I am a genius--but nobody ever called me one!

  7. Making it run a warez server would mean by noogle · · Score: 5, Funny

    at least it's doing something useful... rather than just pointlessly scanning some random data with no hope of finding anything.

    --

    I'm smarter than the average bear.

  8. Aliens want warez too by LemurShop · · Score: 5, Funny

    running winxp on the spaceship woo -.-

    --

    This sig was cut off by the sla

  9. Of Course It's Slashdotted by 1alpha7 · · Score: 5, Informative

    Affected versions

    Confirmed information leaking:
    This issue affects all clients.

    Confirmed remote exploitable:
    setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
    setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
    setiathome-3.03.i386-pc-linux-gnulibc1-static
    setiathome-3.03.i686-pc-linux-gnulibc1-static
    setiathome-3.03.i386-winnt-cmdline.exe
    i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
    SETI@home.exe (v3.07 Screensaver)

    Confirmed DoS-able using buffer overflow:
    The main seti@home server at shserver2.ssl.berkeley.edu

    Presumed vulnerable to buffer overflow:
    All other clients.

    PATCHED VERSIONS

    Are available.

    BACKGROUND INFORMATION

    From "http://setiathome.berkeley.edu/" :
    "SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
    "The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
    "The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"

    There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.

    THE VULNERABILITIES

    The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:

    1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

    2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

    3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving too large a string of bytes followed by a '\n'.

    THE TECHNIQUE

    1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.

    2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value, which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use an HTTP proxy; an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.

    3) Exploitation of the bug in the server

    --
    Live to be Moderated
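The client-side flaw the advisory above describes is a server response line copied into a fixed buffer up to the '\n' with no length check. The following is an added example for this thread, not SETI@home code: the unchecked pattern kept only for contrast, beside a bounded reader that rejects overlong or unterminated lines. The buffer size and function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Response-line buffer size: an assumption for this example, not the client's. */
#define MAX_LINE 128

/* The pattern the advisory describes (illustrative, not the real source): copy
   bytes up to '\n' into a fixed buffer with no bound, so a line longer than the
   buffer writes past it. Kept only for contrast; never call it on untrusted input. */
void copy_line_unbounded(const char *resp, char *buf)
{
    size_t i = 0;
    for (; resp[i] != '\0' && resp[i] != '\n'; i++)
        buf[i] = resp[i];               /* no check against the buffer size */
    buf[i] = '\0';
}

/* Hardened replacement: never write beyond cap bytes and require the '\n'
   within that bound. Returns the line length, or -1 when the line is
   unterminated or too long, so the caller can drop the connection. */
int copy_line_bounded(const char *resp, char *buf, size_t cap)
{
    if (cap == 0) return -1;
    for (size_t i = 0; i < cap; i++) {
        char c = resp[i];
        if (c == '\n') { buf[i] = '\0'; return (int)i; }
        if (c == '\0' || i == cap - 1) break;   /* no '\n' before the limit */
        buf[i] = c;
    }
    buf[0] = '\0';
    return -1;
}

/* Parse one response line into a stack buffer the bounded way. */
int check_line(const char *resp)
{
    char buf[MAX_LINE];
    return copy_line_bounded(resp, buf, sizeof buf);
}

/* Constructed input: a line three times the buffer size followed by '\n'.
   Returns 1 when the bounded reader rejects it instead of overflowing. */
int overlong_line_rejected(void)
{
    char line[3 * MAX_LINE + 2];
    memset(line, 'A', sizeof line - 2);
    line[sizeof line - 2] = '\n';
    line[sizeof line - 1] = '\0';
    return check_line(line) == -1;
}
```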
  10. Re:In the wild or not? by brundlefly · · Score: 5, Funny

    Where is the wild? Anyone have the address?

    I'd like to run about there also.

    TIA!

  11. Re:Is my box owned? by Anonymous Coward · · Score: 5, Funny

    I went in and took a look around your system. All the files seem fine. I guess you're okay.

  12. Re:Ever reuse code? by ComputerSlicer23 · · Score: 5, Informative

    Curious, this reminds me of the story about Cray computers. Seymour Cray put in a very, very fast circuit to do additions I believe (specifically to add 1). The circuit also gave the wrong answer if the input was one specific value; he could have fixed it, but it would have been a longer delay, and well, being right in all but one case was acceptable to him. Well, eventually people reported this as a bug, but he claimed it was a feature. It was such a well known bug that everyone coded around it. They put the check in, and put the special case code in to handle it. Turns out this took much, much longer to do than if Cray had just put in a correct circuit.

    I suppose if it's documented to only work in certain cases, that's acceptable; however, the code that calls it without checking for the input is then broken, and buggy. It should be fixed. If it can't be checked before calling the functionality, then the functionality better work for all inputs. That's good software. Stuff that just assumes that unsafe input will never, ever be put in, is a bug. A security hole. It's not reusable code. Reusable code checks inputs. Reusable code fails gracefully. Reusable code returns error codes indicating invalid inputs. Reusable code doesn't have security flaws in it.

    Distributing code that won't handle all input cases for use in a public distributed computing project for the sake of speed is irresponsible, and stupid. Now, I'm a lot more likely to just never run one of the distributed projects than to risk security flaws if they are willing to sacrifice security for their speed. Security should be the winning factor in all concerns when writing software. When trading security for speed is an option, don't take it. Security or ease of use, take security. Security or correctness, re-write the software using a new protocol, or new algorithm, but still take security and document the correctness flaw. Right now I only run them on machines that don't have any valuable information on them, but I'd prefer they not be used in a DDoS, so it'll probably get stripped off all my machines.

  13. Manager's case of "told me so!" by Chester+K · · Score: 5, Insightful

    This is the reason employers have problems when their employees run Seti@Home (and indeed, any unauthorized software) on their machines.

    As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.

    And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.

    Should have taken your own advice.

    --

    NO CARRIER