Author Topic: Melnorme Security Advisory: Buffer Overflow in Rem  (Read 4554 times)
0xDEC0DE
Melnorme Security Advisory: Buffer Overflow in Rem
« on: May 10, 2004, 12:18:00 pm »

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Melnorme Security Advisory: Buffer Overflow in Remote Self-Replicating
Robot Explorer Probes

Revision 1.0

For Public Release 2154 February 19 at 13:00 UTC

- - ---------------------------------------------------------------------------

Contents

   Summary
   Affected Products
   Details
   Impact
   Software Versions and Fixes
   Obtaining Fixed Software
   Workarounds
   Exploitation and Public Announcements
   Status of This Notice
   Revision History

- - ---------------------------------------------------------------------------


Summary
=======

A buffer overflow in the priority settings of the Remote Self-Replicating
Robot Explorer Probes can be exploited locally to gain administrative
privileges on the client system. The vulnerability can be mitigated by
advising customers to not adjust the priorities from their vendor-provided
settings.  2420-series probes are not affected.

The vulnerability has been repaired in version C.  The Melnorme are making
fixed software available for a small fee to affected customers. This
issue is documented as MSSdx39290. The Melnorme are not aware of any
public discussion or active exploitation of this vulnerability.

Affected Products
=================

This vulnerability affects models 2419 and earlier of the Remote
Self-Replicating Robot Explorer Probes.

It does not affect the 2420-series Self-Replicating Robot Explorer Probes.
No other Melnorme product is affected.

Details
=======

The Remote Self-Replicating Robot Explorer Probes have various tasks
that they can perform when exploring and analyzing data.  Priorities can
be set on behaviours to alter the types of data collected, allowing for
unprecedented flexibility in a hostile universe.

If an overly-large priority is given to a task, a buffer overflow
occurs that overwrites all other priorities on the stack, causing the
probe's behaviour to become erratic.  The contents of the overly-large
priority could be crafted to execute arbitrary instructions. The buffer
overflow can only be exercised by adjusting the priorities directly on
the local system.

In lieu of installing fixed software, the vulnerability can be
mitigated by advising customers to not adjust the priorities from their
vendor-provided settings.  This cannot prevent the buffer overflow from
occurring, but limits the simple range of damage that could occur.

The problem has been resolved by adding better tests for buffer overflows
and by removing unnecessary tasks from the run queue in the software
package as provided.

This vulnerability is documented as MSSdx39290.

Impact
======

The vulnerability could be exploited by a local user to execute arbitrary
instructions. If the affected probe is released with elevated priorities,
the instructions will execute with administrative permissions and could
be used to modify any part of the system without authorization. The
priorities are set by default in the software package as supplied by
the Melnorme.

Software Versions and Fixes
===========================

This vulnerability was found and reported in the Remote Self-Replicating
Robot Explorer Probes 2419, and has been confirmed internally in the 2418
models. It has been repaired in version C for those affected platforms
and is available immediately. All previous versions on the affected
platforms are considered vulnerable. The fixes will be carried forward
into all future versions.

Obtaining Fixed Software
========================

The Melnorme are making fixed software available for a small fee to all
affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on the Melnorme's galactic
website at http://www.star-control.com/.

Customers whose Melnorme products are provided or maintained through
prior or existing agreement with third-party support organizations such
as the Crimson Corporation, authorized resellers, or service providers
should contact that support organization for assistance with the upgrade,
which may be free of charge.

Workarounds
===========

The vulnerability can be mitigated by instructing customers to leave the
default priorities in place, or perhaps not mentioning that the settings
can be changed at all.

Note: The workaround shown above does not prevent the buffer overflow
from occurring. It merely limits the range of the simple damage that
can occur if the overflow is exploited. Traders are urged to upgrade to
fixed versions of the probes as soon as possible.

Exploitation and Public Announcements
=====================================

The Melnorme Security Services are not aware of any malicious exploitation
nor public discussion of this vulnerability.

This issue was reported directly to the Melnorme by Taupe and Sepia of
Melnorme Security Services.

Status of This Notice: FINAL
============================

This is a final notice. Although the Melnorme cannot guarantee the
accuracy of all statements in this notice, all of the facts have been
checked to the best of our ability. The Melnorme do not anticipate
issuing updated versions of this notice unless there is some material
change in the facts. Should there be a significant change in the facts,
the Melnorme may update this notice.

Revision History
================

+---------------------------------------------------------------------+
|Revision 1.0 |2154/02/19 |Initial public release.                    |
+---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAnx2loCl+QpiavF8RAm4gAJ43MYPVj9ozH2qaQOKqiTZdKxa/lQCcCbfA
0EyU/XY4vls+PbvbUndxgJ4=
=WGDS
-----END PGP SIGNATURE-----

"I’m not a robot like you. I don’t like having disks crammed into me… unless they’re Oreos, and then only in the mouth."  --Fry
meep-eep
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #1 on: May 10, 2004, 10:18:21 pm »

Nice.

“When Juffo-Wup is complete
when at last there is no Void, no Non
when the Creators return
then we can finally rest.”
Culture20
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #2 on: May 13, 2004, 04:30:28 am »

When are the Melnorme going to make a general service pack for these security flaws?  I'm tired of applying multiple patches to new probes.  And sending the probes out into hyperspace for the Melnorme to auto-update doesn't help either, because once they're in hyperspace, they start replicating.  Roll Eyes
Zeep-Eeep
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #3 on: May 13, 2004, 07:29:15 am »

Very well done.

Sadly, it seems that this notice was not sent out to the customers. So, if they didn't check for updates/memos, they'd never know.
Stupid, lusers, it seems that these days, any gas bag can get their hands on a probe.

What sound does a penguin make?
Bobucles
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #4 on: July 22, 2004, 05:07:34 am »

Quote
Customers whose Melnorme products are provided or maintained through prior or existing agreement with third-party support organizations such as the Crimson Corporation, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which may be free of charge.

But, the Slylandro have no such communication device. They don't have any starships to seek out the Melnorme, and couldn't build one even if they knew how to build the Sa-Matra itself. And no one comes to talk to them anymore. How can they fix their problem, then?  Grin
Art
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #5 on: July 31, 2004, 06:24:38 am »

Hee. What's telling about this whole thing is that the Melnorme *are* aware of what's going on with the Slylandro but choose not to intervene directly. Instead they *sell* the *humans* the information they need to warn the Slylandro.

Admittedly the problem isn't that huge since the probes have got that fail-safe self-destruct. Still, you'd think the Melnorme hire tech support people to crawl the galactic nets and advise customers of these issues, as part of the warranty...

(Imagine Microsoft withholding customer information from the FBI and charging millions of dollars before they'll tell them what they know about where the myDoom virus is coming from. It'd be a hoot.)
zixyer
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #6 on: July 31, 2004, 11:06:26 am »

When you think about it, this puts the Melnorme on a Druuge-like level -- I mean, the probes are actually killing people, the Melnorme know how to stop them, but don't because it wouldn't be profitable.
Art
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #7 on: July 31, 2004, 01:17:04 pm »

Well... there is an argument to be made that even in the case of the probes they didn't do anything directly to cause the disaster, just gave the power to other people... and who would predict that the Slylandro would try to set the slider to 999?

The ethics are indeed murky, but the Melnorme have a point -- if you're gonna be a trader at all there's some point at which you give over responsibility for the stuff you sell to the people you sell it to. I presume the self-destruct code was uniquely programmable by the user, and they didn't have a policy of keeping a company fail-safe because no one would buy it if they did because of security fears (witness the problems Microsoft has controlling Windows exploit viruses because the Fourth Amendment keeps them from force-pushing patches on people, even though they try to get as close to it as they can). And... well... who knows, maybe their resources are incredibly limited and it's more efficient for you to warn the Slylandro than them...
Bobucles
Re: Melnorme Security Advisory: Buffer Overflow in
« Reply #8 on: July 31, 2004, 07:32:25 pm »

Well, you forget that in 4 years, the meta-chondron predicts the eradication of all life in this sector of the galaxy. It would be a waste of resources to stop a little threat like the probes, when a greater threat like the Kohr-Ah are still around. At the very least, the probes could hinder the Kohr-Ah assault, at least a little bit.

The Melnorme made the probe; if they meet any probes, they can cause the self-destruct sequence. Also, they seem to have set up camp in every huge star system. What if that is where most of the matter is? They could be defending potential probe hives from them.

Or... the Melnorme could be defending the supergiant star systems from the Mycon.

Or... the Melnorme have tons of antimatter at their disposal. Tons and tons and tons and tons. If the **** really hit the fan, they could throw all that antimatter into all those supergiant stars.... and eradicate all life in the Galaxy.  The combined radiation from the super-super novas could have the potential to do that. Heck, that kind of energy could collapse all of hyperspace. Yes, it'd be bad for business, and they may destroy the rainbow worlds as well, but it's better than letting the Kohr-Ah spread out everywhere.

But I guess this would be another topic to discuss.