Hacking NASA: One small step for man, one giant leap for hackers?
The CORE Security Team released an advisory to the Full-Disclosure mailing list today that documented a stack overflow in NASA's Common Data Format libs.
Looking at this bug, the tech details aren't overwhelming; I think I'm mostly excited about it due to the high profile of hacking NASA libs. One can hardly fault NASA though. I mean, our government can't even get them enough money to do some real space exploration, so it's hard to fault them for missing some security issues.
I'll leave the technical details to CORE's advisory, as they have a great description:
The libraries for the scientific data file format, Common Data Format (CDF) http://cdf.gsfc.nasa.gov/ version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.
The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).
CDF 3.2.1 addresses this vulnerability and introduces further usability fixes http://cdf.gsfc.nasa.gov/. Updates for Perl, IDL, Matlab and Java WebStart are also available. Java WebStart applications that refer to http://sscweb.gsfc.nasa.gov/skteditor/cdf/cdf-latest.jnlp will automatically be updated to include this fix the next time the application is started while connected to the Internet.
...Exploitation of the CDF overflow problem requires the user to explicitly open a specially crafted file. The user should refrain from opening files from untrusted third parties or accessing untrusted Web sites until the patch is applied.
Wow, what can I say, great work by the CORE team, on an interesting target.
-Nate
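The bug class the advisory describes (a length tag read from the file drives a copy into a fixed-size buffer without a bounds check), shown next to a bounds-checked reader. This is an added example, not code from the CDF library or from CORE's advisory; the record layout, function names and constants are hypothetical, and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64  /* destination capacity, including the NUL */
enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LONG = -2 };

/* Hypothetical record layout (NOT the real CDF format):
 *   [4-byte big-endian length N][N bytes of name] */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed pattern: the tag from the file sets the copy size and is
 * never compared with the buffer size. Shown for contrast, never called. */
int read_name_unchecked(const uint8_t *rec, char out[NAME_MAX_LEN]) {
    uint32_t n = be32(rec);
    memcpy(out, rec + 4, n);   /* n comes straight from the file */
    out[n] = '\0';
    return REC_OK;
}

/* Hardened form: check the tag against the bytes actually present in
 * the input and against the destination capacity before copying. */
int read_name_checked(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_cap) {
    if (rec_len < 4) return REC_TRUNCATED;
    uint32_t n = be32(rec);
    if (n > rec_len - 4) return REC_TRUNCATED;  /* tag exceeds input  */
    if (n >= out_cap)    return REC_TOO_LONG;   /* no room for the NUL */
    memcpy(out, rec + 4, n);
    out[n] = '\0';
    return REC_OK;
}

/* Constructed records: valid; tag larger than the data present;
 * tag that matches the data but not the destination buffer. */
static char g_name[NAME_MAX_LEN];
int demo_case(int which) {
    static const uint8_t good[]  = {0,0,0,5,'E','p','o','c','h'};
    static const uint8_t lying[] = {0,0,1,0,'A','A','A','A'};  /* tag 256 */
    static const uint8_t big[4 + 100] = {0,0,0,100};           /* tag 100 */
    if (which == 0) return read_name_checked(good, sizeof good, g_name, sizeof g_name);
    if (which == 1) return read_name_checked(lying, sizeof lying, g_name, sizeof g_name);
    return read_name_checked(big, sizeof big, g_name, sizeof g_name);
}

int main(void) {
    for (int i = 0; i < 3; i++) printf("case %d -> %d\n", i, demo_case(i));
    return 0;
}
```

The two rejections are distinct on purpose: a tag that overruns the input indicates a malformed file, while a tag that overruns the destination is the condition that leads to the stack overflow.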
Talkback
duhhhh
So they found a vulnerability... wow...
Now, please define "Great work"...
Yeah, find a vuln, then tell me duhhhh
Do some vulnerability research, then let's hear you say duh. It's a lot of work; people should be commended when they find something and report it responsibly. I think it's easy for people involved in security at a base level to knock something like this. Running Nessus is not the same as what Core did here, my friend.
This particular flaw was interesting to me because it had to do with a NASA created lib. So, to define "Great Work", it's like a pat on the back, thanks for doing a good job and responsibly disclosing something to an underfunded government sponsored program.
-Nate
Ouch....
Haha
Amen, Brother!
Kudos to NASA for finding and disclosing vulnerabilities in their code!
Actually...
President Bush is probably the best thing to happen to the Space Program in a long time, with his desire to go back to the moon, and eventually to Mars, it's just a shame he can't get anything through Congress. I hate to think about how many budget expansions for NASA ended up on the "cutting room floor" because of Congress's blind desire to kill everything he tries to do.
As a result, of course, rather than building a new Space Shuttle, we're making what are basically glorified Apollo Capsules, in a painful reversal of technological advancement that makes me ashamed of how backwards the priorities of our government are, more concerned with hindering the President and forwarding their own political agendas than with the advancement and betterment of the human race.
Indeed
I had the same thought when I first heard about the new "Crew Exploration Vehicle", and I could not agree more with your words.
A CEV aka "Capsule"? WTF? Who the hell thought this thing up??? This is progress? The Russians have been using capsules for DECADES. How the hell is this progress?
Oh, sure, the "new" capsule can carry twice as many astronauts as the original Apollo craft.
Whoop-de-frigging-do.
Those in power don't seem to understand: To ensure our survival, we have GOT to get off this planet before another KT event comes along, or an Islamic nutjob lets loose a doomsday virus and poof! we're all gone.
We need a moon base. We must have colonies on Mars and the moons of the outer planets.
Otherwise... all it takes is one rock.
Maya: it all ends December 21, 2012
Asteroid Impact?
Yellowstone's Super Volcano?
Edgar Cayce's Continental Shift?
Hugh Auchincloss Brown's Catastrophic Pole Shift?
??
I sometimes muse that's when the Mother Ship will be back to pick up their people which we knew as the Maya (and of course killed off). Oooh will they be pissed when no one is there to greet them but a handful of tourists from New Jersey!
Keep watching the skies...
Terry Thomas
Atlanta, Georgia USA
www.TerryThomasPhotos.com
HA! My thoughts almost to a tee!...
If nothing happens I can happily call all of them charlatans, and go back to the original biblical thought that no one will ever accurately predict the end of the world.
AMEN! - 'nuf said nt
I concur....(NT)
Yes, they need support
RE: Hacking NASA: One small step for man, one giant leap for hackers?
-S
Yeah, there's your faster-better-cheaper...
How to acquire budget for NASA
If Fail then Tag * as <Counter Terrorism Measure>
If Fail then Enlist corporate and public funding and Tag * as <Environmental Research>
If Fail then launch P2P app from space be sued by MPAA and RIAA, counter sue for abusive tactics
If Fail then proclaim the terrorist won and close shop.
RE: Hacking NASA: One small step for man, one giant leap for hackers?
At one point in my life I truly thought I would become a part of NASA, but due to the lack of funding, the space program lost steam and it became less interesting to me. It's unfortunate, truly.
-Nate
Kind of like Star Trek
I would like to see interest in NASA take off again, (No Pun Intended.)
NASA actually still has a lot going on
Surely, but...
Now we're still trying to get to the moon...
I still say Sally Ride was right...