SETI Users - Please read and update.

Discussion in 'other security issues & news' started by spy1, Apr 7, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:

    All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

    There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

    A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'....

    A patched version has been released:

    http://setiathome.berkeley.edu/download.html

    I have to wonder if all the "shared computing" programs out there (the ones for cancer research, the shared genome project, etc.) currently suffer from the same (or similar) vulnerabilities.

    Pete
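The class of flaw described in the post above (a response handler that copies a newline-terminated line into a fixed-size buffer) is avoided by checking the line length against the buffer capacity before copying. The following is an added example, not part of the original post and not code from the seti@home client; the function name, status codes and buffer sizes are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum line_status { LINE_OK = 0, LINE_INCOMPLETE = 1, LINE_TOO_LONG = 2 };

/* Copy one '\n'-terminated line from received bytes into a fixed-size
 * buffer. The length is checked against the destination capacity before
 * any byte is written, unlike strcpy(), gets() or sscanf("%s"). */
enum line_status read_response_line(const char *in, size_t in_len,
                                    char *out, size_t out_cap,
                                    size_t *consumed)
{
    const char *nl;
    size_t len;

    *consumed = 0;
    if (out_cap == 0)
        return LINE_TOO_LONG;
    out[0] = '\0';

    nl = memchr(in, '\n', in_len);
    if (nl == NULL) {
        /* No terminator yet: reject once the pending data could no longer fit. */
        return in_len >= out_cap ? LINE_TOO_LONG : LINE_INCOMPLETE;
    }
    len = (size_t)(nl - in);
    if (len >= out_cap)              /* keep room for the NUL terminator */
        return LINE_TOO_LONG;

    memcpy(out, in, len);
    out[len] = '\0';
    *consumed = len + 1;             /* also skip the '\n' */
    return LINE_OK;
}

/* Constructed input: 4095 filler bytes plus '\n' offered to a 64-byte buffer. */
int demo_overlong_rejected(void)
{
    char line[64];
    char big[4096];
    size_t used;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    return read_response_line(big, sizeof big, line, sizeof line, &used)
               == LINE_TOO_LONG && line[0] == '\0' && used == 0;
}

int main(void) { return demo_overlong_rejected() ? 0 : 1; }
```

A caller that gets `LINE_TOO_LONG` should drop the connection or discard the response rather than truncate and continue parsing.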
     
  2. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    mmmm I wonder if ETs are into hackin :)
     
  3. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    LOL!!! :D

    ET 0wnz j00
     