Security

Exploit Found in Seti@Home

Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)

  • by Anonymous Coward on Sunday April 06, 2003 @11:25AM (#5673435)
    I wonder whether aliens are exploiting this to control us /me screams and runs in fear.
    • Alien pr0n (Score:3, Funny)

      by Fulkkari ( 603331 )
      I wonder whether aliens are exploiting this to control us /me screams and runs in fear.

      If the aliens would be exploiting that, our computers would be full of alien pr0n, which isn't the case... Right? RIGHT?

      • If the aliens would be exploiting that, our computers would be full of alien pr0n
        So, let me get this straight... you're talking about aliens exploiting themselves by way of exploiting a programming oversight? :-)
      • "If the aliens would be exploiting that, our computers would be full of alien pr0n, which isn't the case... Right? RIGHT?"

        Uh oh... I think the invasion started in Japan... Damn tentacles!
    • by Waffle Iron ( 339739 ) on Sunday April 06, 2003 @11:43AM (#5673520)
      I wonder whether aliens are exploiting this to control us /me screams and runs in fear.

      Of course they are exploiting SETI. They obviously hack in to all systems that find positive results and surreptitiously replace them with random noise.

      They are covering their tracks. How else could you explain this suspicious lack of alien signal evidence after all of these years of searching? This is a coverup of galactic proportions.

    • by JudgeFurious ( 455868 ) on Sunday April 06, 2003 @12:50PM (#5673787)
      A little aluminum foil over the ports in your computer will take care of this just as easily and with less effort than downloading some suspect "patch" that's probably nothing more than a way for "them" to get control of your box and then eventually of course you.
    • by The Monster ( 227884 ) on Sunday April 06, 2003 @02:52PM (#5674353) Homepage
      Naah. When we finally decode data from an ETI site, it will probably be something like
      • 100% Guaranteed Stamen Enhancement - not only have users reported gains in length and girth of up to 50% or more, but enhanced spectral response as well - have the iridescence that impresses females....
      • Larvae gone wild - See these hot young females in action - catch them quick before they pupate....
      • I am writing to you on a matter of utmost importance, which must be treated with the highest delicacy. My name is T'Jek, senior wife of the recently deceased Ska-al-ath, Subprefect for Industrial Development for Remnalon. Prior to his death, he was able to set aside in a special account the sum of 5 trillion Kalkaks, but due to banking regulations it will be necessary for me to move the money to an account in a different Prefecture in order to access it...
      • Please forward this message to as many sentient entities as possible. As G'iarc D'log-rerh-s lies dying of the incurable Andorian Wasting Disease, he has but one wish - to set the record for having a message forwarded to the highest number of sentient beings in the known galaxy....
      • Check out network channel 904753cx for a 'buffer overrun'
      • In Teivos Empire - your computational device exploits h4x0r5!
      • FR157 P057!
  • by Saint Aardvark ( 159009 ) on Sunday April 06, 2003 @11:25AM (#5673436) Homepage Journal
    Looks like the links haven't shown up yet on the Unix download page [berkeley.edu], but the 3.08 client is available if you dig around a bit:

    ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.i686-pc-linux-gnu.tar [berkeley.edu]

    ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.sparc-sun-solaris2.6.tar

    Can't seem to find 'em on wcarchive.cdrom.com, the other mirror site -- anyone got a link?

  • Firings... (Score:2, Funny)

    by Anonymous Coward
    Something tells me that this exploit is going to lead to a lot more people getting fired than, say, that OpenSSH one a while back.
    • Re:Firings... (Score:5, Insightful)

      by fadeaway ( 531137 ) on Sunday April 06, 2003 @11:31AM (#5673467)
      Why is there always an assumption that exploits=firings? If it was intentionally added, yes, but if it's an honest mistake why do heads have to roll?

      Coders make mistakes. That's why they put a backspace key on keyboards.
      • Re:Firings... (Score:3, Insightful)

        by kiltedtaco ( 213773 )
        I believe he was referring to people who run SETI without their employer's permission getting fired for doing so, as it now may be more of a problem.
      • Re:Firings... (Score:2, Insightful)

        by Anonymous Coward
        I'd think the problem is more with people who installed Seti on a bunch of company machines (like desktops) to run in non business hours. Each one of these is now a security risk, and if only one is compromised - leading to other sorts of data loss - the person who allowed this policy might lose their job. The extra expense to patch such a non critical might be enough for management to say enough.
      • by Anonymous Coward on Sunday April 06, 2003 @11:52AM (#5673550)
        >coders make mistakes. That's why they put a backspace key on keyboards.


        No, the backspace is there for the users. We allow it on our keyboards because it is cheaper than having separate keyboards for programmers!

      • good coders don't

        we dint have a bavkspCE key. ;o)
      • by Alomex ( 148003 )
        Coders make mistakes. That's why they put a backspace key on keyboards.

        That's only there for PC wimps.

        Everybody knows that pressing backspace in the original Emacs brought up the help page (I'm not making this up).

        • Everybody knows that pressing backspace in the original Emacs brought up the help page (I'm not making this up).
          If you set your backspace key to ^? instead of ^H this shouldn't happen. Control-H is logically enough, help, while character 127 is the delete (DEL) character at the end of the ASCII table. Just do "stty erase ^?".
  • Too late... (Score:5, Funny)

    by Anonymous Coward on Sunday April 06, 2003 @11:27AM (#5673443)
    But I already run a public warez server!
    • by Anonymous Coward
      it's always you damn Anonymous Coward bastards.

      oh wait...
  • by Anonymous Coward
    Just a bunch of h4x0rs having fun again? Dang.
  • by Chris_Stankowitz ( 612232 ) on Sunday April 06, 2003 @11:28AM (#5673451)
    the Aliens doing this. Not to worry though. I will use my I-Book to hack into their systems and upload a virus.
  • Alien Fury (Score:4, Funny)

    by Flamesplash ( 469287 ) on Sunday April 06, 2003 @11:32AM (#5673469) Homepage Journal
    I'm sure the Aliens will love it when we try to DoS attack them. That's one way to make friends with a new species. "Oh sorry about that, yeah we're a smart world, REALLY!!"
    • Re:Alien Fury (Score:3, Insightful)

      by corvi42 ( 235814 )
      I wonder how you'd manage such a DoS?
      I suppose you could set up hundreds of transmitters around uninhabited star-systems that spew meaningless signals. If the alien race was running a program comparable to our SETI, they would start detecting these "false positives". The signals would look like they were meaningful, patterned signal coming from inhabited worlds, when in fact they are meaningless rubbish ( produced say from some pseudo-random function ). This would tie up a large amount of the computing
      • If we set up the transmitters as a phase array, we could make it look like the signal was coming from cold empty space; imagine them trying to figure that out
        • Heh - you could have the signal act as "the voice of God" and tell the aliens all kinds of rubbish. That would be a laugh - until they come and kill you with religious fervour.
      • These pseudo-random jamming signals would still be located around your real home system, so there is no stopping the alien intelligence from realising what you are doing and home in on the real system.

        This happens in real life too; I believe some anti-aircraft missiles have a backup mode where they home in on the source of the jamming signal.
  • by Anonymous Coward
    distributed.net [distributed.net] in support of Team Slashdot [distributed.net]. Let's crack that RC5-72 so that we can move on to RC5-128! Only 657,374 days (~1800 years) left to go!
  • In the wild or not? (Score:5, Informative)

    by Theodore Logan ( 139352 ) on Sunday April 06, 2003 @11:42AM (#5673515)
    The site is Slashdotted so I can't get through, but the write up contradicts Seti's official version [berkeley.edu] which states that
    • There was a potential buffer overrun in the networking code of the client that is fixed with version 3.08. Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge,
    • no SETI@home client has ever been attacked in this manner.
    Whereas Jamie claims that
    • an Exploit [sic.] was found in Seti@Home and
    • there is code exploiting the hole actually running about in the wild.
    Can anybody help clear this up until the linked site gets back online?
    • by brundlefly ( 189430 ) on Sunday April 06, 2003 @12:04PM (#5673595)
      Where is the wild? Anyone have the address?

      I'd like to run about there also.

      TIA!
    • How do we know aliens don't communicate by propagating buffer overruns throughout the planet? Has anyone analysed this code, if it is indeed out in the wild?

      There's gotta be more to extraterrestrial life than mutilating cows and doing donuts in crop fields.
    • by grazzy ( 56382 )
      you have to spoof and take over a connection to be able to exploit this vuln.

      ie, you could only do it on a local net.. however i guess pretty many people are running seti in the dorms around me..
    • by dillon_rinker ( 17944 ) on Sunday April 06, 2003 @03:37PM (#5674532) Homepage
      Both agree there's an exploitable bug in SETI@home

      Jamie states exploit code exists and is in the hands of people who are not guaranteed to be friendly. SETI states that there are difficulties in exploiting the bug and they know of no clients that have been compromised. Sounds to me like someone has written and distributed the code but has not actually been able to use it.

      There is no contradiction. Jamie doesn't say clients have been exploited; SETI doesn't say there's no code. Granted, reading only Jamie's statement, I'd infer that the exploit has been used at least once. Given the context of SETI's statement, however, I'd reinterpret Jamie's.

      Of course, you could choose to believe that one of them is lying. I have not enough experience with either of them to make such a choice and prefer to give them the benefit of the doubt.

  • by jtdubs ( 61885 ) on Sunday April 06, 2003 @11:45AM (#5673529)
    Well, let's see here. I'm going to be reading data from an untrusted source. So, I feel it's safe to assume that this data will be no longer than, oh, let's say 100 characters. Yeah, 100. I mean, who would send more than that. That'd be crazy!

    That'd be about as crazy as wasting cycles on checking the length of my input. Or, dynamically allocating buffers. Or, using safe, bounded copy/read instructions. What kind of wacko would do that! Hah!

    Justin Dubs
    • Then you might write a quick and dirty function that calls sprintf to format a message (snprintf is not portable, so you might not have a simple fix). Then after a while you forget that it was quick and dirty and use it in a client that will only connect to your own server. I think it's a very easy mistake to make. It gets more interesting. Say you are reading a 1024 bit number that is supposed to be a product of two 512 bit primes. Your code has a hand-optimized assembler loop that will not violate bounds
      • Re:Ever reuse code? (Score:5, Informative)

        by ComputerSlicer23 ( 516509 ) on Sunday April 06, 2003 @02:14PM (#5674136)
        Curious, this reminds me of the story about Cray computers. Seymour Cray put in a very, very fast circuit to do additions I believe (specifically to add 1). The circuit also gave the wrong answer if the input was one specific value, he could have fixed it, but it would have been a longer delay, and well being right in all but one case was acceptable to him. Well eventually people reported this as a bug, but he claimed it was a feature. It was such a well known bug, that everyone coded around it. They put the check in, and put the special case code in to handle it. Turns out this took much, much longer to do than if Cray had just put in a correct circuit.

        I suppose if it's documented to only work in certain cases, that's acceptable, however, the code that calls it without checking for the input is then broken, and buggy. It should be fixed. If it can't be checked before calling the functionality, then the functionality better work for all inputs. That's good software. Stuff that just assumes that unsafe input will never, ever be put in, is a bug. A security hole. It's not reusable code. Reusable code, checks inputs. Reusable code fails gracefully. Reusable code, returns error codes indicating invalid inputs. Reusable code doesn't have security flaws in it.

        Distributing code that won't handle all input cases for use in a public distributed computing project for the sake of speed is irresponsible, and stupid. Now, I'm a lot more likely to just never run one of the distributed projects than to risk security flaws if they are willing to sacrifice security for their speed. Security should be the winning factor in all concerns when writing software. When trading security for speed is an option, don't take it. Security or ease of use, take security. Security or correctness, re-write the software using a new protocol, or new algorithm, but still take security and document the correctness flaw. Right now I only run them on machines that don't have any valuable information on them, but I'd prefer they not be used in a DDos, so it'll probably get stripped off all my machines.

        • I suspect that this is obvious, but...
          Your advice is good, within limits. Even Eiffel, with all its DBC constructs, and nigh unto paranoid type checking allows you to turn off the security checks to produce optimized code. Of course, it also allows you to specify just which modules you will optimize, and which you will leave full error checking enabled in. This seems, to me, a reasonable compromise. The stuff that is only called by your code, you can be reasonably sure of, after you finish you debug c
  • by Adler ( 131568 ) <exsuperhero@teen ... minus physicist> on Sunday April 06, 2003 @11:52AM (#5673551) Homepage Journal
    Look! Their site is down! Someone must have used this exploit to launch a Dos on them! Oh wait... damn you slashdot!
  • by noogle ( 664169 ) on Sunday April 06, 2003 @11:53AM (#5673557)
    at least it's doing something useful... rather than just pointlessly scanning some random data with no hope of finding anything.
  • by Theodore Logan ( 139352 ) on Sunday April 06, 2003 @11:55AM (#5673559)
    over here [nada.kth.se].
  • by LemurShop ( 585831 ) on Sunday April 06, 2003 @11:56AM (#5673563)
    running winxp on the spaceship woo -.-
  • by 1alpha7 ( 192745 ) on Sunday April 06, 2003 @12:00PM (#5673582) Homepage
    Affected versions

    Confirmed information leaking:
    This issue affects all clients.

    Confirmed remote exploitable:
    setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
    setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
    setiathome-3.03.i386-pc-linux-gnulibc1-static
    setiathome-3.03.i686-pc-linux-gnulibc1-static
    setiathome-3.03.i386-winnt-cmdline.exe
    i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
    SETI@home.exe (v3.07 Screensaver)

    Confirmed DoS-able using buffer overflow:
    The main seti@home server at shserver2.ssl.berkeley.edu

    Presumed vulnerable to buffer overflow:
    All other clients.

    PATCHED VERSION

    Are available [berkeley.edu]

    BACKGROUND INFORMATION

    From "http://setiathome.berkeley.edu/" :
    "SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
    "The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
    "The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"

    There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.

    THE VULNERABILITIES

    The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:

    1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

    2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

    3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.

    THE TECHNIQUE

    1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packetsniffer to grab the information from the network.

    2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.

    3) Exploitation of the bug in the server
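
An added example, not part of the thread or the advisory and not SETI@home's own code: the fixed-size line buffer that jtdubs's comment parodies, which is also the pattern behind the advisory's "overly large string followed by a newline", next to a bounded reader that rejects such a line. `struct stream`, `LINE_CAP`, the function names and the response bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP 100            /* the "100 characters" guess; an assumption */

/* Constructed stand-in for bytes arriving from the server (no sockets). */
struct stream { const char *data; size_t len, pos; };

enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2 };

/* UNSAFE pattern: copy until '\n', trusting the peer to keep lines short.
 * The function never learns how big dst is, so a long line runs past it. */
size_t read_line_unchecked(struct stream *s, char *dst)
{
    size_t n = 0;
    while (s->pos < s->len && s->data[s->pos] != '\n')
        dst[n++] = s->data[s->pos++];
    if (s->pos < s->len)
        s->pos++;                       /* consume the '\n' */
    dst[n] = '\0';
    return n;
}

/* Hardened: writes at most cap bytes including the NUL. An over-long line is
 * consumed up to its '\n', dst is emptied, and LINE_TOO_LONG is returned so
 * the caller can drop the connection instead of using truncated data. */
int read_line_bounded(struct stream *s, char *dst, size_t cap, size_t *out_len)
{
    size_t n = 0;
    int too_long = 0;

    *out_len = 0;
    if (cap == 0)
        return LINE_TOO_LONG;
    dst[0] = '\0';
    if (s->pos >= s->len)
        return LINE_EOF;
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n')
            break;
        if (n + 1 < cap)
            dst[n++] = c;
        else
            too_long = 1;               /* keep draining, stop storing */
    }
    if (too_long) {
        dst[0] = '\0';
        return LINE_TOO_LONG;
    }
    dst[n] = '\0';
    *out_len = n;
    return LINE_OK;
}

/* Walk a whole response and count accepted and rejected lines. */
void scan_response(const char *resp, size_t len, int *accepted, int *rejected)
{
    struct stream s = { resp, len, 0 };
    char line[LINE_CAP];
    size_t n;
    int rc;

    *accepted = *rejected = 0;
    while ((rc = read_line_bounded(&s, line, sizeof line, &n)) != LINE_EOF) {
        if (rc == LINE_OK) (*accepted)++;
        else               (*rejected)++;
    }
}

int main(void)
{
    /* Constructed response: a normal line, a 4096-byte line, a normal line. */
    static char resp[5000];
    char small[LINE_CAP];
    struct stream s = { "HTTP/1.0 200 OK\n", 16, 0 };
    size_t len = 0;
    int ok, bad;

    len += (size_t)sprintf(resp, "HTTP/1.0 200 OK\n");
    memset(resp + len, 'A', 4096);
    len += 4096;
    resp[len++] = '\n';
    len += (size_t)sprintf(resp + len, "done\n");

    scan_response(resp, len, &ok, &bad);
    printf("accepted=%d rejected=%d\n", ok, bad);
    /* The unchecked reader is only safe here because the input is short. */
    printf("unchecked read %zu bytes\n", read_line_unchecked(&s, small));
    return 0;
}
```

A line of exactly `LINE_CAP - 1` bytes is accepted and one of `LINE_CAP` bytes is rejected, because one byte of the buffer is reserved for the terminating NUL.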

  • Are many individuals (on their own machines and not the company hardware) actually running the SETI client? I started it back in 1999 but gave up when I discovered that it took about 24hrs to process one unit on my 366 Toshiba laptop making it rather unlikely that at that rate I would live long enough to find anything. To be honest I had pretty much forgotten about the project altogether.
    • This is pretty awesome. I too started S@H in 1999 on a 366MHz Toshiba laptop (Satellite 2060CDS, K6-II), which was also my first Linux machine. I managed to crunch about 200 workunits until I got tired of the fan noise. It's worse than any desktop fan or HD noise.

      In addition, I noted how the S@H team seemed to neglect optimizing the client, so I got into other projects. S@H sucks particularly on the K6. My P2-350 runs it over twice as fast as the K6-2 of similar MHz, partly because it can use the 686 opti

  • How about using your cycles on something that isn't a complete waste of time, like folding@home, or some other project?
    • Re:Less wastefull (Score:3, Informative)

      by 10Ghz ( 453478 )
      Let me think about that for a second.... Ummmm... No.

      I just hate the people who go around saying "Your distributed computing project sucks! You should run instead!". Why don't you run whatever you want to run, and let others run whatever they want to run? Sounds reasonable? That's what I thought. Now: Shut the fuck up.
      • What gave you the idea that Seti@home is "waste"? It could bring humanity the greatest revelation there is. And besides, S@H-data is used in variety of scientific projects, not just hunting aliens. And finally: S@H was the forerunner of these kinds of projects. It showed what could be done and how to do it. Without S@H your precious folding@home wouldn't even exist. S@H was the first, it showed others the way.
        • Oh please. Do you really think if your precious seti@home hadn't come along, nobody else would have tried to create a distributed computing client? Don't fool yourself.

          As for your supposed revelation, I'll believe it when I see it. I think it more likely that we'll all be dead before it produces any results.
          • Oh please. Do you really think if your precious seti@home hadn't come along, nobody else would have tried to create a distributed computing client? Don't fool yourself.

            probably. But the fact is that S@H was first. That alone makes it a worthwhile project: for the sole reason of showing that distributed projects of this nature could be done. Whether you like it or not, Folding@home and others owe their existence to Seti@home.

            As for your supposed revelation, I'll believe it when I see it. I think it more l

            • If the SETI project as a whole was going to succeed, it should have succeeded in the first 10-15 years or so. It didn't. The only two likely possibilities for alien life are that it is either everywhere or nowhere. Anything else would mean that the alien life happened to develop at just about the same time that we did, which is exceedingly unlikely. Since we have scanned a statistically significant portion of the sky for signals and found nothing, either the techniques we are trying to use for detection won'
              • Either way, SETI is pretty much useless, and should at the very least take a backseat to other more important scientific projects.


                Let me guess: you personally run one of those "scientifically more important" projects? And like I said, S@H is used on other projects besides hunting aliens. If I recall correctly, Stephen Hawking uses their findings in his Black Hole research.
            • probably. But the fact is that S@H was first. That alone makes it a worthwhile project: for the sole reason of showing that distributed projects of this nature could be done. Whether you like it or not, Folding@home and others owe their existence to Seti@home.

              As far as I can tell by looking at the Seti@home history page the project started in October 1998.
              Distributed.net began their first distributed project, the brute force discovery of an RC5-56 bit key, on January 28, 1997.

              So it appears that Seti@ho

      • Well, fundamentally, there's nothing wrong with trying to convince people of something... as long as you're using logic and reason, not emotion or insults. Saying things like "Your project sucks" isn't likely to win me any converts if I want people to run project A instead of project B, but as long as I'm polite about it, there's nothing wrong with it.

        I personally run Folding@Home because I think it will, overall, be more useful than (for example) SETI@Home or PrimeNet. Why? Well, PrimeNet will find lar
    • I've contributed lots of cycles to many DC projects. A little while ago the people from UD and SETI were talking about making one screensaver that allows you to pick and choose what projects you want to contribute to.

      Some of the proposed features were switching to another project after finishing a WU, auto updates, ad hoc teams, simultaneous DC use with custom priority, etc.

      I wonder what ever happened to that idea. It sounded great. It would also give not so famous groups a chance to write their screensa
  • Is my box owned? (Score:3, Interesting)

    by bcrowell ( 177657 ) on Sunday April 06, 2003 @12:11PM (#5673630) Homepage
    Can anyone give any practical advice on how to figure out if your own system has been compromised? No, I don't have any tripwires installed :-(
    • Re:Is my box owned? (Score:2, Informative)

      by arget ( 447057 )
      From the seti site:
      Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge, no SETI@home client has ever been attacked in this manner.

      So it's unlikely you're owned from this. Some general tips to check your box's health:
      On linux, run `lsof -i` as root to see what kind of connections your box is listening for/has established.
      On windows, run `netstat -an` to see much the same.
      As alway
    • by Anonymous Coward on Sunday April 06, 2003 @12:32PM (#5673718)
      I went in and took a look around your system. All the files seem fine. I guess you're okay.
  • I got up this morning and SETI was reporting a fatal error i've never seen before - coincidence?
  • Folding@home (Score:3, Insightful)

    by hoagieslapper ( 593527 ) <hoagieslapper@gmail.com> on Sunday April 06, 2003 @12:19PM (#5673660)
    Does anyone know if this exploit affects folding@home clients? I do not know if they use the same engine or if the '@Home' name is the only thing they have in common.
    • Re:Folding@home (Score:3, Informative)

      by arget ( 447057 )
      Folding and Genome have the same codebase as each other, which is separate and distinct from Seti's.

      They may or may not have similar vulnerabilities, but since none are open source, there's no way for us to know. All the same, I wouldn't worry about Folding or Genome any more because of the seti exploit. I'm still genoming.
  • Whew! (Score:5, Funny)

    by Faust7 ( 314817 ) on Sunday April 06, 2003 @12:21PM (#5673674) Homepage
    Good thing the 20 computers I'm running it on aren't even mine!
  • and just where is Jeff Goldblum when we need him; we could ask him to write up a virus on his Mac and just let it sit there on our hard drives and when the aliens get to that file: BOOM!
  • by rice_burners_suck ( 243660 ) on Sunday April 06, 2003 @01:11PM (#5673865)
    Where do you download the software for warez servers and DoS clients? I know some people who have old DOS programs that they need to run for their business, and they also need a warez server to search for stock quotes online and tell them "ware" they are.
  • Now that we have all these distributed computers running the same software that can be hacked/exploited... we can now stop looking for our Beowulf clusters -- just rewrite...

    nevermind, that was stupid....

  • As I've commented before, I'm intrigued that we have our planetary computer network hooked up to an open port on a radio-telescope. Hoping for a superior alien race to send us e-mail. What if they also have alien computer viruses?

    Gives new meaning to the honeynet concept.
  • timeline (Score:5, Informative)

    by Gaccm ( 80209 ) on Sunday April 06, 2003 @01:37PM (#5673980)
    check out the "Timeline" in the linked article (I'll repeat it here in case it gets slashdotted)

    2002/12/05 Information leakage discovered.

    2002/12/14 Buffer overflow in client discovered.
    2002/12/31 Seti@home team contacted through their website http://setiathome.berkeley.edu/help.html.
    2003/01/07 Seti@home team contacted again.
    2003/01/14 Buffer overflow in server discovered.
    2003/01/21 Seti@home team contacted again, this time through email.
    2003/01/21 Seti@home team confirmed the problem.
    2003/01/25 Seti@home team promised fixed versions are being built.
    2003/02/03 Seti@home team informed me about problems with the fixes for the win32 version.
    2003/04/06 New Seti@home clients available, advisory released.


    This advisory came 4 months late. While I'm glad this person contacted Seti first before releasing the advisory, I cannot believe that it took them two months to fix a buffer overflow! While seti@home isn't a mission critical app, I would think the seti people would want to release a new version very quickly, at the very least so that they know that their personal computers can't get exploited.

    Bah, forgot about a username.
    • Re:timeline (Score:3, Insightful)

      by John Hasler ( 414242 )
      > This advisory came 4 months late. While I'm glad
      > this person contacted Seti first before releasing
      > the advisory, I cannot believe that it took them
      > two months to fix a buffer overflow!

      Shrug. Closed source: what do you expect?
  • anyone know if there's a new version of the windows command-line client? all i could find is the ancient setiathome-3.03.i386-winnt-cmdline.exe. i tried exploring a couple of the ftp servers with no luck.

    anyone able to locate a newer version or am i stuck running the crappy gui?
  • by Chester K ( 145560 ) on Sunday April 06, 2003 @02:18PM (#5674164) Homepage
    This is the reason employers have problems when their employees run Seti@Home (and indeed, any unauthorized software) on their machines.

    As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.

    And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.

    Should have taken your own advice.
  • Public Machines (Score:5, Insightful)

    by mikeage ( 119105 ) <slashdot AT mikeage DOT net> on Sunday April 06, 2003 @02:39PM (#5674282) Homepage
    So... for those people who installed Seti on 100 machines at school/work, are you updating them RIGHT NOW? One guy where I am put Seti on a bunch of cluster machines because, after all, no one else is using them. I certainly hope that he's working unpaid overtime patching his (against the rules) pet project.
  • This exploit really isn't as bad as people here like to make it out to be. In order to perform this buffer overrun, you would have to trick the S@H client to connect to a different server. Short of actually breaking into the host computer of the client, I believe this would prove extremely difficult (anyone know how to do this?).

    And as was mentioned in the advisory, there has been no reported case of this actually being exploited (outside of proof of concept of course, where the discoverer changed the S@
  • I guess the command line versions are unaffected... They are still at version 3.03 AFAIK.
