Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:10816
HistoryDec 26, 2005 - 12:00 a.m.

Multiple Network-related Vulnerabilities in Electric Sheep

2005-12-2600:00:00
vulners.com
68
JSON

Polytechnic University ISIS Security Advisory PUISIS10212005

                                              http://isis.poly.edu/

~ Application: Electric Sheep v2.6.3
~ Severity: Medium-High
~ Title: Multiple Network-related Vulnerabilities in Electric Sheep
~ Date: October 20, 2005
~ ID: PUISIS10212005

Summary

The lack of an authentication framework for downloaded sheep mpegs, as
well as its dependence on and vulnerabilities in cURL allows an
attacker to send and display arbitrary movie files in the Electric
Sheep client and perform arbitrary local and remote code execution.

Background

"Electric Sheep is a free, open source screen saver run by thousands
of people all over the world. It can be installed on any ordinary PC
or Mac. When these computers "sleep", the screen saver comes on and
the computers communicate with each other by the internet to share
the work of creating morphing abstract animations known as "sheep."
http://electricsheep.org/

Description

By spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a malicious sheep server, it is possible
to force the Electric Sheep client to download and display arbitrary
mpegs due to a lack of authentication of the sheep server and sheep
mpegs. At minimum, a rogue sheep server would need to respond to the
Electric Sheep client with list.gz, a list of sheep available for
download, and the referenced mpegs. To properly display the mpegs, they
need to contain special footer information which can be found at the
bottom of any pre-existing Electric Sheep mpegs.

Electric sheep uses cURL internally for interaction with the Electric
Sheep server. Two recent vulnerabilities in cURL can be exploited
through malicious interaction with the Electric Sheep client.

As in the previous vulnerability, spoofing the DNS entry of
sheepserver.net or otherwise redirecting the Electric Sheep client
to a malicious sheep server and replacing it with an appropriate HTTP
30x response can allow remote code execution through cURL due to an
NTLM buffer overflow vulnerability [1,2].

Calling the Electric Sheep client by command line, configuration file,
or otherwise with a malicious sheep server URL allows local code
execution through cURL due to a URL buffer overflow vulnerability.
In addition, by redirecting the Electric Sheep client to a rogue sheep
server and supplying a list of maliciously formatted URLs it is
possible to exploit the same cURL URL buffer overflow vulnerability
remotely. This is possible because the Electric Sheep client makes
direct system calls to the vulnerable cURL application from network
supplied input [3,4].

Impact

Spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a rogue sheep server, it is possible to
remotely control the video displayed or remotely execute code on all
Electric Sheep clients affected by such a redirection. Local code
execution is also possible due to a cURL vulnerability.

Workaround

The vendor was notified on November 18, 2005. The vendor was extremely
responsive and cooperative in regards to these security issues. All
issues are fixed in the CVS HEAD of Electric Sheep client development
and will be included in the next release.

References

[ 1 ] libcurl NTLM Buffer Overflow Vulnerability
http://curl.haxx.se/docs/adv_20051013.html

[ 2 ] CVE-2005-3185
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

[ 3 ] libcurl URL Buffer Overflow Vulnerability
http://curl.haxx.se/docs/adv_20051207.html

[ 4 ] CVE-2005-4077
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077

About

The Information Systems and Internet Security (ISIS) Laboratory is an
NSF funded laboratory designed to facilitate hands-on experimentation
and project work in issues related to information security. It provides
the focus for multidisciplinary research and education in emerging
areas of security. Polytechnic University, an NSA Center of Academic
Excellence in Information Assurance Education, houses the lab.

These vulnerabilities were discovered during coursework performed for
"Penetration Testing & Vulnerability Analysis" offered at Polytechnic
University (http://www.poly.edu) during the Fall 2005 semester.

License

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

Authors

Daniel Guido [email protected]
Michael Aiello http://www.michaelaiello.com/

Related

openvas 18
nessus 27
debian 4
osv 1
securityvulns 2
centos 5
slackware 1
gentoo 3
ubuntu 2
ubuntucve 2
redhat 3
cve 2
freebsd 1
debiancve 2
f5 2
veracode 1
openvas
openvas
Debian Security Advisory DSA 919-1 (curl)
2008-01-17 00:00:00
Debian Security Advisory DSA 919-1 (curl)
2008-01-17 00:00:00
Debian: Security Advisory (DSA-919-2)
2008-01-17 00:00:00
nessus
nessus
Debian DSA-919-2 : curl - buffer overflow
2006-10-14 00:00:00
Fedora Core 4 : curl-7.13.1-4.fc4 (2005-1129)
2005-12-11 00:00:00
RHEL 2.1 / 3 / 4 : wget (RHSA-2005:812)
2005-11-04 00:00:00
debian
debian
[SECURITY] [DSA 919-1] New curl packages fix potential security problem
2005-12-12 13:03:48
[SECURITY] [DSA 919-1] New curl packages fix potential security problem
2005-12-12 13:03:48
[SECURITY] [DSA 919-2] New curl packages fix potential security problem
2006-03-10 10:04:53
osv
osv
curl - buffer overflow
2005-12-12 00:00:00
securityvulns
securityvulns
[ GLSA 200603-25 ] OpenOffice.org: Heap overflow in included libcurl
2006-03-28 00:00:00
[Full-disclosure] iDEFENSE Security Advisory 10.13.05: Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability
2005-10-13 00:00:00
centos
centos
curl security update
2005-12-21 02:50:35
wget security update
2005-11-03 05:22:50
wget security update
2005-11-02 17:08:39
slackware
slackware
curl/wget
2005-11-06 13:02:36
gentoo
gentoo
OpenOffice.org: Heap overflow in included libcurl
2006-03-27 00:00:00
cURL: NTLM username stack overflow
2005-10-22 00:00:00
cURL: Off-by-one errors in URL handling
2005-12-16 00:00:00
ubuntu
ubuntu
curl library vulnerability
2005-12-13 00:00:00
Curl and wget vulnerabilities
2005-10-14 00:00:00
ubuntucve
ubuntucve
CVE-2005-4077
2005-12-08 00:00:00
CVE-2005-3185
2005-10-13 00:00:00
redhat
redhat
(RHSA-2005:875) curl security update
2005-12-20 00:00:00
(RHSA-2005:812) wget security update
2005-11-02 00:00:00
(RHSA-2005:807) curl security update
2005-11-02 00:00:00
cve
cve
CVE-2005-4077
2005-12-08 01:03:00
CVE-2005-3185
2005-10-13 22:02:00
freebsd
freebsd
curl -- URL buffer overflow vulnerability
2005-12-07 00:00:00
debiancve
debiancve
CVE-2005-4077
2005-12-08 01:03:00
CVE-2005-3185
2005-10-13 22:02:00
f5
f5
SOL5868 - Buffer overflow vulnerability in cURL - CVE-2005-4077
2007-05-16 00:00:00
K5868 : Buffer overflow vulnerability in cURL - CVE-2005-4077
2013-03-27 00:00:00
veracode
veracode
Arbitrary Code Execution
2020-04-10 00:10:48
JSON
Related for SECURITYVULNS:DOC:10816
openvas18nessus27debian4osv1securityvulns2centos5slackware1gentoo3ubuntu2ubuntucve2redhat3cve2freebsd1debiancve2f52veracode1