eh il seti rullera' pure bene, ma hai letto tutti i problemi legati alla sicurezza che comporta? un overflow del buffer non è mai cosa simpatica sopratutto di questo tipo:
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is send in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a bufferoverflow in the server responds handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
1) Sniffing the information exposed by the seti@home client is trivial and very usefull to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packetsniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrairy value which can lead to arbitrairy code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server has offcourse not been tested. Do understand that successfull exploitation of the bug in the server would offer a platform from which ALL seti@home clients can be exploited.
Is available for linux by yours truely
Is available for linux/*BSD by Zillion
ehm ti fidi?