[SECURITY-L] [cais@cais.rnp.br: CAIS Alert: Vulnerability in the SETI@home application]

Silvana Mieko Misuta mieko@ccuec.unicamp.br
Mon Apr 7 17:20:08 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais@cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais@cais.rnp.br>
Subject: CAIS Alert: Vulnerability in the SETI@home application
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Mon, 7 Apr 2003 17:08:44 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is relaying the advisory published by Berend-Jan Wever,
"Information leakage and remotely exploitable buffer overflow in various
seti@home clients and the main server", which reports the identification of a
serious vulnerability involving the SETI@home project's clients.

The SETI@home project is a scientific experiment that uses the idle time of
Internet-connected computers to analyze data collected from radio
telescopes.


Affected systems:

Remotely vulnerable clients:

	. setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
	. setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
	. setiathome-3.03.i386-pc-linux-gnulibc1-static
	. setiathome-3.03.i686-pc-linux-gnulibc1-static
	. setiathome-3.03.i386-winnt-cmdline.exe
	. i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
	. SETI@home.exe (v3.07 Screensaver)


Available fixes:

The fix consists of updating the application, which is available at:

	. http://setiathome.berkeley.edu/download.html


Further information:


	. http://spoor12.edup.tudelft.nl/

	. http://setiathome.berkeley.edu/


CAIS recommends that administrators inform their users about this
vulnerability.


Regards,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais@cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


Advisories/Seti@home

Information leakage and remotely exploitable buffer overflow in various
seti@home clients and the main server.

Affected versions

Confirmed information leaking:

This issue affects all clients.

Confirmed remote exploitable:

setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)

Confirmed DoS-able using buffer overflow:

The main seti@home server at shserver2.ssl.berkeley.edu

Presumed vulnerable to buffer overflow:

All other clients.


PATCHED VERSIONS

Are available


BACKGROUND INFORMATION

From "http://setiathome.berkeley.edu/":

"SETI@home is a scientific experiment that uses Internet-connected
computers in the Search for Extraterrestrial Intelligence (SETI). You can
participate by running a free program that downloads and analyzes radio
telescope data. "

"The SETI@home program is a special kind of screensaver. Like other
screensavers it starts up when you leave your computer unattended, and it
shuts down as soon as you return to work. What it does in the interim is
unique. While you are getting coffee, or having lunch or sleeping, your
computer will be helping the Search for Extraterrestrial Intelligence by
analyzing data specially captured by the world's largest radio telescope.
"

"The client/screensaver is available for download only from this web page
- we do not support SETI@home software obtained elsewhere. This software
will upload and download data only from our data server here at Berkeley.
The data server doesn't download any executable code to your computer. All
in all, the screensaver is much safer than the browser you're running
right now!"

There are currently over four million registered users of seti@home. Over
half a million of these users are "active"; they have returned at least
one result within the last four weeks.


THE VULNERABILITIES

The seti@home clients use the HTTP protocol to download new workunits,
user information and to register new users. The implementation leaves two
security vulnerabilities:

1) All information is sent in plaintext across the network. This
information includes the processor type and the operating system of the
machine seti@home is running on.

2) There is a buffer overflow in the server response handler. Sending an
overly large string followed by a newline ('\n') character to the client
will trigger this overflow. This has been tested with various versions of
the client. All versions are presumed to have this flaw in some form.

3) A similar buffer overflow seems to affect the main seti@home server at
shserver2.ssl.berkeley.edu. It closes the connection after receiving a too
large string of bytes followed by a '\n'.


THE TECHNIQUE

1) Sniffing the information exposed by the seti@home client is trivial and
very useful to a malicious person planning an attack on a network. A
passive scan of machines on a network can be made using any packet sniffer
to grab the information from the network.

2) All tested clients have similar buffer overflows, which allowed setting
eip to an arbitrary value, which can lead to arbitrary code execution. An
attacker would have to reroute the connection the client tries to make to
the seti@home webserver to a machine he or she controls. This can be done
using various widely available spoofing tools. Seti@home also has the
ability to use an HTTP proxy; an attacker could also use the machine the
PROXY runs on as a base for this attack. Routers can also be used as a
base for this attack.

3) Exploitation of the bug in the server has of course not been tested. Do
understand that successful exploitation of the bug in the server would
offer a platform from which ALL seti@home clients can be exploited.


THE EXPLOITS

Available for Linux by yours truly
Available for Linux/*BSD by Zillion


TIMELINE

2002/12/05 Information leakage discovered.
2002/12/14 Buffer overflow in client discovered.
2002/12/31 Seti@home team contacted through their website
http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Buffer overflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promised fixed versions are being built.
2003/02/03 Seti@home team informed me about problems with the fixes for
the win32 version.
2003/04/06 New Seti@home clients available, advisory released.


THANKS

Special thanks go out to:

- Aleph1 for "Smashing the Stack for Fun and Profit".
- Niels Heinen for his work on exploiting seti@home on FreeBSD.
- Blazde and the other 0dd folks for help with the win32 shellcode.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPpHa0ekli63F4U8VAQEruAQAtjVle0O3vyL846LuvoSk7Mp5ReBXRHXg
wdaXzJ18no69I0577A4I09KE/+sGeRE8a49fft7cBnlAYfl2a+RjJZPD7knIF8b8
efKdKH04pU+xXoWcU9nFc6s+5UtfICkOtLhQZpFmMd5X/fLZxr1WceFVHeFK7Vdm
gVyJYnWHdso=
=J5Rt
-----END PGP SIGNATURE-----


----- End forwarded message -----
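The advisory above describes a client-side overflow triggered by a server response line that is longer than the handler's buffer and terminated by '\n'. The following C code is an added example, written for this page and not taken from the advisory or from the SETI@home project, showing the defensive pattern that closes that class of bug: a line reader that knows the capacity of its destination buffer, refuses a line that would not fit (rather than truncating or copying past the end), and makes the caller fail closed on the whole response. The sample responses are constructed for the example; the function names and the 256-byte line size are assumptions, not values from the real client.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for read_line_bounded() and count_response_lines(). */
enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_INCOMPLETE = -2 };

/*
 * Copy one '\n'-terminated line from src (src_len bytes) into dst, whose
 * capacity dst_cap includes the terminating NUL. A line that does not fit
 * is never partially written: the function reports LINE_TOO_LONG and leaves
 * dst as an empty string. On LINE_OK, *consumed receives the number of
 * bytes consumed from src, including the '\n'.
 */
int read_line_bounded(const char *src, size_t src_len,
                      char *dst, size_t dst_cap, size_t *consumed)
{
    if (dst == NULL || dst_cap == 0)
        return LINE_TOO_LONG;
    dst[0] = '\0';

    const char *nl = memchr(src, '\n', src_len);
    if (nl == NULL)
        return LINE_INCOMPLETE;          /* no newline yet: wait for more data */

    size_t line_len = (size_t)(nl - src);
    if (line_len >= dst_cap)             /* no room for the NUL: reject, do not truncate */
        return LINE_TOO_LONG;

    memcpy(dst, src, line_len);
    dst[line_len] = '\0';
    if (consumed != NULL)
        *consumed = line_len + 1;
    return LINE_OK;
}

/*
 * Walk a whole response with a fixed 256-byte line buffer (assumed size).
 * Returns the number of complete lines, or LINE_TOO_LONG as soon as one line
 * would not fit (fail closed: the remainder of the response is not parsed).
 */
int count_response_lines(const char *resp, size_t resp_len)
{
    char line[256];
    size_t off = 0;
    int n = 0;

    while (off < resp_len) {
        size_t used = 0;
        int rc = read_line_bounded(resp + off, resp_len - off,
                                   line, sizeof line, &used);
        if (rc == LINE_TOO_LONG)
            return LINE_TOO_LONG;
        if (rc == LINE_INCOMPLETE)
            break;                       /* trailing partial line is left unread */
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample responses (not captured traffic). */
static const char GOOD_RESPONSE[] =
    "HTTP/1.0 200 OK\n"
    "Content-Type: text/plain\n"
    "\n"
    "name=example_user\n";

static const char PARTIAL_RESPONSE[] =
    "HTTP/1.0 200 OK\n"
    "name=exam";                         /* second line not yet terminated */

int demo_good(void)
{
    return count_response_lines(GOOD_RESPONSE, sizeof GOOD_RESPONSE - 1);
}

int demo_partial(void)
{
    return count_response_lines(PARTIAL_RESPONSE, sizeof PARTIAL_RESPONSE - 1);
}

/* Second line is 600 'A's followed by '\n': longer than the 256-byte buffer,
 * so it must be refused instead of overrunning the stack as an unbounded
 * copy would. */
int demo_oversized(void)
{
    char buf[1024];
    size_t off = 0;
    memcpy(buf, "HTTP/1.0 200 OK\n", 16);
    off = 16;
    memset(buf + off, 'A', 600);
    off += 600;
    buf[off++] = '\n';
    return count_response_lines(buf, off);
}

int main(void)
{
    printf("good: %d lines\n", demo_good());          /* 4 */
    printf("partial: %d lines\n", demo_partial());    /* 1 */
    printf("oversized: %d\n", demo_oversized());      /* -1 (LINE_TOO_LONG) */
    return 0;
}
```

The design point is that the reader never learns the line length by scanning for '\n' into an unbounded copy; it checks the length against the destination capacity before any byte is written, and the caller treats an over-long line as a protocol error for the whole response rather than continuing with a truncated value.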

