10th Apr 2003 [SBWID-6132]
COMMAND
	seti@home  client  &  server  Information   leakage   and   remotely
	exploitable buffer overflow
SYSTEMS AFFECTED
	 Confirmed information leaking:
	    This issue affects all clients.
	 Confirmed remote exploitable:
	   setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
	   setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
	   setiathome-3.03.i386-pc-linux-gnulibc1-static
	   setiathome-3.03.i686-pc-linux-gnulibc1-static
	   setiathome-3.03.i386-winnt-cmdline.exe
	   i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
	   [email protected] (v3.07 Screensaver)
	 Confirmed DoS-able using buffer overflow:
	   The main seti@home server at shserver2.ssl.berkeley.edu
	 Presumed vulnerable to buffer overflow:
	   All other clients.
PROBLEM
	Berend-Jan Wever [http://spoor12.edup.tudelft.nl/] found the  following
	bugs in the widely used seti@home clients, and in the server:
	There are currently over four million  registered  users  of  seti@home.
	Over half a million of these users are "active"; they have  returned  at
	least one result within the last four weeks.
	The seti@home clients use the HTTP protocol to download  new  workunits,
	user information and to register new users.  The  implementation  has
	two security vulnerabilities in the client, and a related problem in the
	server:
	1) All information  is  sent  in  plaintext  across  the  network.  This
	information includes the processor type and the operating system of  the
	machine seti@home is running on.
	2) There is a buffer overflow in the client's handler for server
	responses. Sending an overly large string followed by a newline  ('\n')
	character to the client will trigger this overflow. This has been tested
	with various versions of the client. All versions are presumed  to  have
	this flaw in some form.
	3) A similar buffer overflow seems to affect the main  seti@home  server
	at shserver2.ssl.berkeley.edu. It closes the connection after  receiving
	an overly large string of bytes followed by a '\n'.
	 THE TECHNIQUE
	 =============
	1) Sniffing the information exposed by the seti@home client  is  trivial
	and very useful to a malicious person planning an attack on a  network.
	A passive  scan  of  machines  on  a  network  can  be  made  using  any
	packet sniffer to grab the information from the network.
	2) All tested clients  have  similar  buffer  overflows,  which  allowed
	setting eip to an arbitrary value, which can lead  to  arbitrary  code
	execution. An attacker would have to reroute the connection  the  client
	tries to make to  the  seti@home  webserver  to  a  machine  he  or  she
	controls. This can be  done  using  various  widely  available  spoofing
	tools. Seti@home also has the ability to use an HTTP proxy; an  attacker
	could also use the machine the proxy runs on as a base for this  attack.
	Routers can also be used as a base for this attack.
	3) Exploitation of the bug in the server has of course not been  tested.
	Do understand that successful exploitation of the  bug  in  the  server
	would  offer  a  platform  from  which  ALL  seti@home  clients  can  be
	exploited.
	 Exploits
	 ========
	Berend-Jan Wever released a Linux exploit, and Zillion a Linux/*BSD one.
	 Linux : http://spoor12.edup.tudelft.nl/spaceinvaders.tbz2
	 Linux/*BSD : http://www.safemode.org/files/zillion/exploits/seti-exploit.c
	 THANKS
	 ======
	Special thanks go out to:
	 - Aleph1 for "Smashing the Stack for Fun and Profit".
	 - Niels Heinen for his work on exploiting seti@home on FreeBSD.
	 - Blazde and the other 0dd folks for help with the win32 shellcode.
SOLUTION
	Upgrade as soon as possible to the latest version.