[Full-disclosure] SA Security Bulletin: Zorch Vulnerability in Rhino Snarf Java Interpreter

apexpoizen_at_Safe-mail.net
Date: 09/30/05

  • Next message: Martin Pitt: "[Full-disclosure] [USN-192-1] Squid vulnerability"
    Date: Fri, 30 Sep 2005 11:38:41 -0400
    To: full-disclosure@lists.grok.org.uk
    
    

    _________________________________________________________________

                      Sexy Action Security Bulletin
            
                        SASB-2005-09-30-GR8-2B-EL8

           Zorch Vulnerability in Rhino Snarf Java Interpreter

    _________________________________________________________________

            Platform: GibsonOS
            CPU Type: Any
            Package: Rhino Snarf Pharynx
            Affected Versions: 2.1 (current) and earlier
            Vulnerability Type: c|n>k, wirewater overflow, death
            Severity (1-10): 10
            Author: @pex p01zen

    Executive Summary:

    Rhino Snarf is a popular peer-to-peer client used for packet
    sniffing, wirewater communication, and downloading non-physical
    data over a wide area network such as the internet. This
    vulnerability affects versions 2.1 (current) and earlier,
    running on any GibsonOS system.

    A Zorch Vulnerability that exists in the Snarf Protocol is
    capable of rendering any unprotected CPU useless via a wirewater
    buffer overflow through Pharynx, which is packaged with Rhino
    Snarf by default.

    Several workarounds are suggested at the end of this document.

    Problem Statement:

    When Rhino Snarf uses the Wirewater Protocol to communicate over
    WAN, it normally only calls on Pharynx to send overflow data to
    the keyboard or monitor. Pharynx buffer overflows (outgoing) are
    by no means a new concept; since Rhino Snarf only allows
    Wirewater data to flow -out- of Pharynx, the attack is single and
    limited to the size of the buffer.

    However a system glitch can cause Rhino Snarf and Pharynx to
    sniff Java packets without any means of processing them. This in
    turn causes the user to send -and- receive Java packets over an
    insecure protocol not designed to handle incoming connections.

    Miscommunication of data type results in an autosomal dominant
    compelling helio-ophthalmic outburst from Pharynx. When used in
    conjunction with Wirewater this can return a c|n>k type attack on
    your computer. However, if the system's CPU is unprotected, Java
    data flowing from Pharynx can cause a Zorch attack on your CPU.
    This renders the CPU useless through overheating.

    Exploit Method:

    On our test systems, we tricked Rhino Snarf into receiving Java
    packets through Pharynx. This intake caused Rhino Snarf to choke
    on its own data. As expected, a high level of system instability
    was experienced before the helio-ophthalmic outburst was detected.

    At a low data level this resulted in the predicted c|n>k attack.

    However, if Pharynx is also receiving Java packets at the time of
    the outburst, the overflow from Rhino Snarf is much greater
    (since outflow is no longer limited to the size of the buffer).

    To test this, Java packets were received through two open Pharynx
    ports at once. Rhino Snarf, unable to process the information,
    not only caused an autosomal dominant compelling helio-ophthalmic
    outburst, but the direction, velocity, and size of the attack saw
    data sent directly to the CPU. Excess Java packets caused the
    CPU fan to short-circuit and die. The CPU Heatsink was then next
    as it conducted the excessive heat towards the CPU. Overwhelming
    amounts of data spilled out onto the Motherboard at which point
    it became impossible to monitor the system due to a total CPU
    Zorch.

    System Death was recorded at approximately 5.3 seconds after the
    miscommunication began.

    Fix:

    There are a number of methods for preventing this attack; however,
    once 2-port miscommunication to Pharynx has occurred, very little
    can be done to stop the attack in progress. Based on research by
    our team of security professionals, it is suggested that users
    block all incoming Java connections on the Rhino Snarf port and
    ensure their computer case is properly constructed.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/