-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While it may seem rather obvious, this was not an iDEFENSE advisory. gobbles@hushmail.com is not an employee, contractor, contributor, nor representative of iDEFENSE in any way. All legitimate iDEFENSE advisories are located at http://www.idefense.com/advisory and are properly PGP signed when sent over email.

Thanks,
- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

> -----Original Message-----
> From: gobbles@hushmail.com [mailto:gobbles@hushmail.com]
> Sent: Thursday, December 12, 2002 6:27 PM
> To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
> vulnwatch@vulnwatch.org; submissions@packetstormsecurity.org;
> str@cannibus.dataforce.net; vuln-dev@securityfocus.com;
> shok@camel.ethereal.net
> Subject: iDefense Security Advisory
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> iDEFENSE Security Advisory 12.13.02:
> http://www.idefense.com/advisory/12.13.02.txt
> Buffer overflow in 0verkill Server
> December 13, 2002
>
> I. BACKGROUND
>
> 0verkill is a client-server 2D deathmatch-like game in ASCII art. It supports free connecting/disconnecting during the game, and runs well on modem lines. Graphics are in 16-color ASCII art with elaborate hero animations. 0verkill features 4 different weapons, grenades, invisibility, and armor. The package also contains reaperbot clients, a simple graphics editor, and a level editor. The server portion of 0verkill listens on a UDP port (6666 by default).
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow within the 0verkill server source could allow a remote attacker to gain the privileges of whichever user the process is running as. Since there are no authentication measures built into the game, this problem can be considered to be PREAUTH*. This is a very serious vulnerability and should be taken seriously.
>
> The following is a snapshot of the exploit in action.
>
> deraadt@zeus.theos.com:~$ ./0verkillflow -t 5 -h 192.168.0.1 -o l -p 6666
> Attacking host 192.168.0.1 (Linux 2.4.20-grsec).
> *GOBBLE*
> id; uname -a
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> Linux spender 2.4.20 #1 Sat Dec 7 13:44:54 EST 2002 i686 unknown
> ^C
>
> deraadt@zeus.theos.com:~$ su -
> Password:
> root@zeus.theos.com:~# rm -rf /&
>
> III. ANALYSIS
>
> Remote attackers can use this exploit to gain unauthorized access to your corporate network if you do not immediately upgrade to the latest version of 0verkill. We have seen evidence of this being exploited in the wild, and suggest that ISS and SecurityFocus increase the ARIS Threatcon to at least 7.
>
> Most of our clients have probably already been compromised by this exploit of ours, and those who were not running the daemon as root were probably later rooted locally by bugs in **Abuse that the author refuses to patch.
>
> Since this exploit exists in the wild, we will soon send our IDS signatures to Max Vision and Martin Roesch so that they may update their IDS systems to detect this version of the attack, and this exploit specifically. Please keep in mind that these signatures will not be sufficient for other versions of the exploit, and that you may need to upgrade your IDS to a better mechanism that is capable of detecting more than specific versions of an attack.
>
> IV. DETECTION
>
> To detect whether or not you are running a vulnerable version of the 0verkill server, we suggest that you take the md5sum of the binary. For example:
>
> root@zeus.theos.com:/usr/src/0verkill-0.16# md5sum server
> 0f210947eec2ead10e00069896d2f4bb server
>
> If your server binary has the same checksum as our binary, here at iDefense Labs, you are vulnerable to this attack and must immediately upgrade your service to the latest version. We're currently attempting to devise a more reliable method to verify whether or not an executable is vulnerable, but our research scientists are at this time stumped.
>
> The IDS experts from Sourcefire, ISS, and NFR are currently studying this vulnerability and are developing exploits for it, so that they might understand all possible methods of exploitation, and accordingly create the proper dynamic rules to help you detect all variations of this bug being exploited, instead of a single version which ultimately won't help anything. Once this has been done, you can replay your network traffic through your sensors and watch to see if this has been exploited on your network yet or not.
>
> V. VENDOR FIX
>
> We have not been able to contact any of the developers for the software, and at this time there is no fix for the problem.
>
> VI. CVE INFORMATION
>
> We have received information from Brian McWilliams which links MITRE to the Al Qaeda terrorist network, and for this reason we will no longer participate in any MITRE sponsored programs.
>
> VII. DISCLOSURE TIMELINE
>
> 11/20/2002 Issue disclosed to iDEFENSE
> 12/08/2002 Maintainer, Brain (brain@artax.karlin.mff.cuni.cz), and NetBSD Security Officer (security-officer@netbsd.org) notified.
> 12/09/2002 Contacted CERT (cert@cert.org) about the matter.
> 12/10/2002 Attempted to contact CERT again for assistance with contacting the authors of 0verkill.
> 12/11/2002 iDEFENSE clients notified
> 12/12/2002 Coordinated public disclosure
>
> VIII. CREDIT
>
> GOBBLES (GOBBLES@hushmail.com) discovered this vulnerability.
>
> *By PREAUTH, we mean pre-authentication.
> **Please read our previous advisory on Abuse, which can be found here: http://www.idefense.com/advisory/11.01.02.txt
>
> " Life without CERT is like the Chocolate Factory without Charlie :-( "

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPfkxxkrdNYRLCswqEQKEEwCg5SglpcAEpH8sWVV435jVWO1sqi0AoPRF
71oUnPD15dVap17hzCeHrQr3
=UGXc
-----END PGP SIGNATURE-----