Exploit Found in Seti@Home 266
Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)
Aliens exploiting? (Score:5, Funny)
Alien pr0n (Score:3, Funny)
If the aliens would be exploiting that, our computers would be full of alien pr0n, which it isn't the case... Right? RIGHT?
Re:Alien pr0n (Score:2)
Re:Alien pr0n (Score:2)
Uh oh... I think the invasion started in Japan... Damn tentacles!
Re:Aliens exploiting? (Score:5, Funny)
Of course they are exploiting SETI. They obviously hack in to all systems that find positive results and surreptitiously replace them with random noise.
They are covering their tracks. How else could you explain this suspicious lack of alien signal evidence after all of these years of searching? This is a coverup of galactic proportions.
Re:Aliens exploiting? (Score:2)
Where's the +1 Funny ?
Looks like these aliens have been going around stealing peoples' senses of humour.
Re:Aliens exploiting? (Score:2)
Well yours at least.
Re:Aliens exploiting? (Score:5, Funny)
Re:Aliens exploiting? (Score:5, Funny)
Linux/Solaris client is there, if you dig around (Score:5, Informative)
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.i686-pc-linux-gnu.tar [berkeley.edu]
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.sparc-sun-solaris2.6.tar [berkeley.edu]
Can't seem to find 'em on wcarchive.cdrom.com, the other mirror site -- anyone got a link?
Re:Linux/Solaris client is there, if you dig aroun (Score:2)
Re:Linux/Solaris client is there, if you dig aroun (Score:4, Informative)
When I checked, the only 3.08 versions available were the GUI versions for Windows and Mac OS 9 (not OS X), and the two command line versions mentioned above (x86 Linux and Sparc Solaris). The ones I personally care about, the command line versions for WinNT and OS X, were not there yet.
Firings... (Score:2, Funny)
Re:Firings... (Score:5, Insightful)
Coders make mistakes. That's why they put a backspace key on keyboards.
Re:Firings... (Score:3, Insightful)
Re:Firings... (Score:2, Insightful)
Re:Firings... (Score:5, Funny)
No, the backspace is there for the users. We allow it on our keyboards because it is cheaper than having separate keyboards for programmers!
Re:Firings... (Score:2)
we dint have a bavkspCE key.
Re:Firings... (Score:3, Funny)
That's only there for PC wimps.
Everybody knows that pressing backspace in the original Emacs brought up the help page (I'm not making this up).
Re:Firings... (Score:2)
Re:Firings... (Score:2)
What are you complaining about? If you don't like cryptic commands, unreasonable key bindings, ambiguous configuration options - Emacs is not for you. How about vi? It's a modal editor, so ^H in text edit mode won't be misinterpreted
Too late... (Score:5, Funny)
Re:Too late... (Score:2, Funny)
oh wait...
So there weren't really 18 new jupiter satellites? (Score:2, Funny)
Everyone knows its... (Score:5, Funny)
Re:Everyone knows its... (Score:2)
Re:Everyone knows its... (Score:2)
*shudder*
Re:Everyone knows its... (Score:2)
Re:Everyone knows its... (Score:2)
In light of Episode 1, I think not.
Alien Fury (Score:4, Funny)
Re:Alien Fury (Score:3, Insightful)
I suppose you could set up hundreds of transmitters around uninhabited star systems that spew meaningless signals. If the alien race was running a program comparable to our SETI, they would start detecting these "false positives". The signals would look like meaningful, patterned signals coming from inhabited worlds, when in fact they are meaningless rubbish (produced, say, from some pseudo-random function). This would tie up a large amount of the computing
Re:Alien Fury (Score:2)
Re:Alien Fury (Score:2)
Re:Alien Fury (Score:2)
This happens in real life too; I believe some anti-aircraft missiles have a backup mode where they home in on the source of the jamming signal.
That's why I only give my extra cycles to (Score:2, Funny)
Re:That's why I only give my extra cycles to (Score:3, Insightful)
Honestly, why do people feel the need to be snobbish about how they use their spare CPU cycles?
In the wild or not? (Score:5, Informative)
- There was a potential buffer overrun in the networking code of the client that is fixed with version 3.08. Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge, no SETI@home client has ever been attacked in this manner.
Whereas Jamie claims that:
- an Exploit [sic.] was found in Seti@Home and there is code exploiting the hole actually running about in the wild.
Can anybody help clear this up until the linked site gets back online?
Re:In the wild or not? (Score:5, Funny)
I'd like to run about there also.
TIA!
Re:In the wild or not? (Score:5, Funny)
It's a sign of alien intelligence (Score:2)
There's gotta be more to extraterrestial life than mutilating cows and doing donuts in crop fields.
Re:In the wild or not? (Score:2, Informative)
i.e., you could only do it on a local net... however I guess pretty many people are running SETI in the dorms around me...
Re:In the wild or not? (Score:4, Informative)
Jamie states exploit code exists and is in the hands of people who are not guaranteed to be friendly. SETI states that there are difficulties in exploiting the bug and they know of no clients that have been compromised. Sounds to me like someone has written and distributed the code but has not actually been able to use it.
There is no contradiction. Jamie doesn't say clients have been exploited; SETI doesn't say there's no code. Granted, reading only Jamie's statement, I'd infer that the exploit has been used at least once. Given the context of SETI's statement, however, I'd reinterpret Jamie's.
Of course, you could choose to believe that one of them is lying. I have not enough experience with either of them to make such a choice and prefer to give them the benefit of the doubt.
Buffer Overflow stupidity (Score:5, Insightful)
That'd be about as crazy as wasting cycles on checking the length of my input. Or, dynamically allocating buffers. Or, using safe, bounded copy/read instructions. What kind of wacko would do that! Hah!
Justin Dubs
Ever reuse code? (Score:2)
Re:Ever reuse code? (Score:5, Informative)
I suppose if it's documented to only work in certain cases, that's acceptable; however, the code that calls it without checking the input is then broken, and buggy. It should be fixed. If it can't be checked before calling the functionality, then the functionality better work for all inputs. That's good software. Stuff that just assumes that unsafe input will never, ever be put in is a bug. A security hole. It's not reusable code. Reusable code checks inputs. Reusable code fails gracefully. Reusable code returns error codes indicating invalid inputs. Reusable code doesn't have security flaws in it.
Distributing code that won't handle all input cases for use in a public distributed computing project for the sake of speed is irresponsible, and stupid. Now, I'm a lot more likely to just never run one of the distributed projects than to risk security flaws if they are willing to sacrifice security for their speed. Security should be the winning factor in all concerns when writing software. When trading security for speed is an option, don't take it. Security or ease of use, take security. Security or correctness, re-write the software using a new protocol, or new algorithm, but still take security and document the correctness flaw. Right now I only run them on machines that don't have any valuable information on them, but I'd prefer they not be used in a DDoS, so it'll probably get stripped off all my machines.
Re:Ever reuse code? (Score:2)
Your advice is good, within limits. Even Eiffel, with all its DBC constructs and nigh unto paranoid type checking, allows you to turn off the security checks to produce optimized code. Of course, it also allows you to specify just which modules you will optimize, and which you will leave with full error checking enabled. This seems, to me, a reasonable compromise. The stuff that is only called by your code, you can be reasonably sure of, after you finish you debug c
This IS being used! (Score:5, Funny)
Making it run a warez server would mean (Score:5, Funny)
Mirror (no pics or downloads) (Score:5, Informative)
Aliens want warez too (Score:5, Funny)
Of Course It's Slashdotted (Score:5, Informative)
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
PATCHED VERSION
Are available [berkeley.edu]
BACKGROUND INFORMATION
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
"The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"
There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.
THE VULNERABILITIES
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
THE TECHNIQUE
1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value, which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use an HTTP proxy; an attacker could also use the machine the proxy runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server
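The overflow the advisory describes (an over-long response line terminated by '\n' copied into a fixed client-side buffer), together with the bounds checking the "Buffer Overflow stupidity" post above asks for, as an added example in C. This is illustrative code written for this page, not SETI@home's client source (which was never published); the 64-byte capacity, the function names and the constructed server responses are assumptions. The unbounded reader is shown only to make the defect concrete and is never called on input that does not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed capacity of the client's response-line buffer; the real client's
 * size is not known from the advisory. */
#define LINE_MAX 64

/* Scratch buffer shared by the demonstrations below. */
static char g_line[LINE_MAX];

/* Number of bytes in resp before the first '\n' (or NUL). */
static size_t line_len(const char *resp)
{
    size_t n = 0;
    while (resp[n] != '\n' && resp[n] != '\0')
        n++;
    return n;
}

/* VULNERABLE pattern, reconstructed from the advisory's description: copy
 * bytes until '\n' with no check against the destination size. A response
 * line longer than LINE_MAX-1 bytes runs off the end of line[] and, on a
 * stack buffer, overwrites what follows it (the advisory reports control of
 * eip this way). Only ever call it here with input known to fit. */
static void read_line_unbounded(const char *resp, char *line)
{
    size_t i = 0;
    while (resp[i] != '\n' && resp[i] != '\0') {
        line[i] = resp[i];   /* no bound on i: this is the overflow */
        i++;
    }
    line[i] = '\0';
}

/* How many bytes the unbounded reader would write past a cap-byte buffer
 * for this response (0 if the line plus its NUL terminator fits). */
static size_t overflow_bytes(const char *resp, size_t cap)
{
    size_t written = line_len(resp) + 1;   /* +1 for the terminator */
    return written > cap ? written - cap : 0;
}

/* HARDENED form: bounded copy that refuses an over-long line instead of
 * truncating it silently, and reports what happened to the caller. */
enum line_status { LINE_OK, LINE_TOO_LONG, LINE_NO_NEWLINE };

static enum line_status read_line_bounded(const char *resp, char *line, size_t cap)
{
    size_t i = 0;
    if (cap == 0)
        return LINE_TOO_LONG;
    while (resp[i] != '\n') {
        if (resp[i] == '\0') {          /* stream ended without a newline */
            line[0] = '\0';
            return LINE_NO_NEWLINE;
        }
        if (i + 1 >= cap) {             /* leave room for the terminator */
            line[0] = '\0';
            return LINE_TOO_LONG;
        }
        line[i] = resp[i];
        i++;
    }
    line[i] = '\0';
    return LINE_OK;
}

/* Constructed hostile response: n filler bytes followed by '\n', the shape
 * the advisory says triggers the overflow. Returns a static buffer. */
static const char *hostile_response(size_t n)
{
    static char buf[4096];
    if (n > sizeof buf - 2)
        n = sizeof buf - 2;
    memset(buf, 'A', n);
    buf[n] = '\n';
    buf[n + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *benign = "200 OK\n";           /* constructed, well-formed line */
    const char *hostile = hostile_response(200);

    read_line_unbounded(benign, g_line);        /* fits, so this call is safe */
    printf("unbounded, benign line: \"%s\"\n", g_line);
    printf("unbounded, hostile line would write %zu bytes past a %d-byte buffer\n",
           overflow_bytes(hostile, LINE_MAX), LINE_MAX);

    printf("bounded, benign:  status %d, line \"%s\"\n",
           (int)read_line_bounded(benign, g_line, LINE_MAX), g_line);
    printf("bounded, hostile: status %d (1 = LINE_TOO_LONG)\n",
           (int)read_line_bounded(hostile, g_line, LINE_MAX));
    return 0;
}
```

A real client reads the response from a socket in chunks rather than from one string, but the check is the same: count what has been accepted so far against the buffer's capacity before storing each byte, and treat a line that does not fit as a protocol error to be rejected, not something to truncate and parse anyway. Refusing rather than truncating also matters for the MITM scenario the advisory outlines: a rogue server that cannot overflow the buffer should not be able to get a silently shortened line interpreted as valid data either.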
Offtopic but out of curiosity (Score:2, Interesting)
Re: 366 Toshiba synchronicity (Score:3, Interesting)
In addition, I noted how the S@H team seemed to neglect optimizing the client, so I got into other projects. S@H sucks particularly on the K6. My P2-350 runs it over twice as fast as the K6-2 of similar MHz, partly because it can use the 686 opti
Less wastefull (Score:2)
Re:Less wastefull (Score:3, Informative)
I just hate the people who go around saying "Your distributed computing project sucks! You should run instead!". Why don't you run whatever you want to run, and let others run whatever they want to run? Sounds reasonable? That's what I thought. Now: Shut the fuck up.
besides... (Score:2)
Re:besides... (Score:2)
As for your supposed revelation, I'll believe it when I see it. I think it more likely that we'll all be dead before it produces any results.
Re:besides... (Score:2)
Probably. But the fact is that S@H was first. That alone makes it a worthwhile project: for the sole reason of showing that distributed projects of this nature could be done. Whether you like it or not, Folding@home and others owe their existence to Seti@home.
Re:besides... (Score:2)
Re:besides... (Score:2)
Let me guess: you personally run one of those "scientifically more important" projects? And like I said, S@H is used on other projects besides hunting aliens. If I recall correctly, Stephen Hawking uses their findings in his Black Hole research.
Re:besides... (Score:2)
As far as I can tell by looking at the Seti@home history page the project started in October 1998.
Distributed.net began their first distributed project, the brute force discovery of an RC5-56 bit key, on January 28, 1997.
So it appears that Seti@ho
Re:Less wastefull (Score:2)
I personally run Folding@Home because I think it will, overall, be more useful than (for example) SETI@Home or PrimeNet. Why? Well, PrimeNet will find lar
Why choose? (Score:2)
Some of the proposed features were switching to another project after finishing a WU, auto updates, ad hoc teams, simultaneous DC use with custom priority, etc.
I wonder what ever happened to that idea. It sounded great. It would also give not so famous groups a chance to write their screensa
Is my box owned? (Score:3, Interesting)
Re:Is my box owned? (Score:2, Informative)
Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge, no SETI@home client has ever been attacked in this manner.
So it's unlikely you're owned from this. Some general tips to check your box's health:
On linux, run `lsof -i` as root to see what kind of connections your box is listening for/has established.
On windows, run `netstat -an` to see much the same.
As alway
Re:Is my box owned? (Score:5, Funny)
SETI fatal error (Score:2)
Folding@home (Score:3, Insightful)
Re:Folding@home (Score:3, Informative)
They may or may not have similar vulnerabilities, but since none are open source, there's no way for us to know. All the same, I wouldn't worry about Folding or Genome any more because of the seti exploit. I'm still genoming.
Whew! (Score:5, Funny)
Re:Whew! (Score:5, Funny)
you know what we need... (Score:2)
Where can I get such a server? (Score:4, Funny)
Just what we have searching for: (Score:2)
nevermind, that was stupid....
Mother of all exploits... (Score:2)
Gives new meaning to the honeynet concept.
That's not how Seti@home works (Score:2)
timeline (Score:5, Informative)
This advisory came 4 months late. While I'm glad this person contacted Seti first before releasing the advisory, I cannot believe that it took them two months to fix a buffer overflow! While seti@home isn't a mission critical app, I would think the seti people would want to release a new version very quickly, at the very least so that they know that their personal computers can't get exploited.
Bah, forgot about a username.
Re:timeline (Score:3, Insightful)
> this person contacted Seti first before releasing
> the advisory, I cannot believe that it took them
> two months to fix a buffer overflow!
Shrug. Closed source: what do you expect?
setiathome-3.08.i386-winnt-cmdline.exe? (Score:2)
anyone able to locate a newer version or am i stuck running the crappy gui?
Manager's case of "told me so!" (Score:5, Insightful)
As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.
And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.
Should have taken your own advice.
Public Machines (Score:5, Insightful)
Not as bad as it might sound (Score:2, Insightful)
And as was mentioned in the advisory, there has been no reported case of this actually being exploited (outside of proof of concept of course, where the discoverer changed the S@
Command Line unaffected (Score:2)
Re:Bad net behavior (Score:2)
If the hosts were halfway decent
Re:If you're asking people for their cycles... (Score:3, Informative)
Why don't you release the source code?
We decided not to make source code available for security reasons and for science reasons as well. We have to have everyone do the exact same analysis, or we can't have any control over our research and be confident in our results. We were also worried that there may be a few people that want to deliberately try to screw up our database and server.
Re:If you're asking people for their cycles... (Score:4, Insightful)
1. People have turned in fake results
2. People have deliberately tried to screw up their database and server
3. There are apparently security holes in the client which would have been noticed much sooner if the code was open.
Re:If you're asking people for their cycles... (Score:2)
However, using a system of certificates & digital signatures, it should be very difficult to spoof a data result. Such a client could legitimately be open sourced. In the end, who knows - its their project, their problem, and their decision.
Re:If you're asking people for their cycles... (Score:3, Interesting)
The problem is Seti@home is science, and a primary requirement for science is that results must be repetable. If I were for exampl
Re:If you're asking people for their cycles... (Score:2)
As long as people are returning the correct answers, it doesn't really matter how they get there.
Re:If you're asking people for their cycles... (Score:2)
Re:If you're asking people for their cycles... (Score:2)
Re:If you're asking people for their cycles... (Score:2)
Re:If you're asking people for their cycles... (Score:2)
> the program and start change the math involved
> which would increase the advantage but absolutly
> kill reproducability.
And they are going to do that to the present closed source client. Nothing about releasing the client source would require them to accept results from clients not downloaded from their site.
Re:Time to retire C (Score:5, Insightful)
Incidentally, Java has similar rules, it's just more verbose when warning about type mismatches and loss of precision.
Re:Time to retire C (Score:2)
Well the code in my
Yes, Java has the same flaw as it inherited several C/C++ design flaws. In fact the bug can be traced back to Fortran.
Pascal and the new version of Python, algol, modula and o
Re:Time to retire C (Score:2)
Ah the typical real men need no bounds check argument. This is, of course, a bogus argument.
In real life, people cannot be expected to be extra careful day in and day out. It's just not humanly possible. The long history of buffer overrun exploits proves this.
Re:Time to retire C (Score:2)
In real life, people cannot be expected to be extra careful day in and day out, this is absolutely true. Because of this, they need reminders, and one very good reminder is when you get lots of errors and warnings during compilation & testing. If you become habituated to a programming environment
On the other hand (Score:2)
I'd rather have a program that defaults to an uncaught exception and program crash to one that is instead vulnerable. One is somewhat more dangerous than the other, though an uncaught ArrayOutOfBounds or whatnot exception isn't perfect and still results in program crashes.
Indeed the sooner it breaks the sooner it will be fixed in normal applicatio
Re:Sounds like a case for Mulder and Scully (Score:2)
Re:Hold On (Score:2)