Hacking NASA: One small step for man, one giant leap for hackers?

Hacking NASA: One small step for man, one giant leap for hackers?

Summary: The CORE Security Team released an advisory to the Full-Disclosure mailing list today that documented a stack overflow in NASA's Common Data Format libs.Looking at this bug, the tech details aren't overwhelming, I think I'm mostly excited about it due to the high profile of hacking NASA libs.

SHARE:

NASAThe CORE Security Team released an advisory to the Full-Disclosure mailing list today that documented a stack overflow in NASA's Common Data Format libs.

Looking at this bug, the tech details aren't overwhelming, I think I'm mostly excited about it due to the high profile of hacking NASA libs.  One can hardly fault NASA though, I mean, our government can't even get them enough money to do some real space exploration, it's hard to fault them for missing some security issues.

I'll leave the technical details to CORE's advisory, as they have a great description:

The libraries for the scientific data file format, Common Data Format (CDF) http://cdf.gsfc.nasa.gov/ version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.

The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).

CDF 3.2.1 addresses this vulnerability and introduces further usability fixes http://cdf.gsfc.nasa.gov/. Updates for Perl, IDL, Matlab and Java WebStart are also available. Java WebStart applications that refer to http://sscweb.gsfc.nasa.gov/skteditor/cdf/cdf-latest.jnlp, will automatically be updated to include this fix the next time the application is started while connected to the Internet.

...Exploitation of the CDF overflow problem requires the user to explicitly open a specially crafted file. The user should refrain from opening files from untrusted third parties or accessing untrusted Web sites until the patch is applied.

Wow, what can I say, great work by the CORE team, on an interesting target.

-Nate

Topics: Nasa / Space, Government, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

24 comments
Log in or register to join the discussion
  • duhhhh

    "great work by the CORE team...."

    So they found a vulnerability... wow...

    Now, please define "Great work"...
    phamiltonsmith
    • Yeah, find a vuln, then tell me duhhhh

      Phamiltonsmith...

      Do some vulnerability research, then let's hear you say duh. It's a lot of work, people should be commended when they find something and report it responsibly. I think it's easy for people involved in security at a base level to knock something like this. Running Nessus is not the same as what Core did here my friend.

      This particular flaw was interesting to me because it had to do with a NASA created lib. So, to define "Great Work", it's like a pat on the back, thanks for doing a good job and responsibly disclosing something to an underfunded government sponsored program.

      -Nate
      nmcfeters
  • Ouch....

    "Crash" and "NASA"... two words you never want to see in the same article.
    Hallowed are the Ori
    • Haha

      Yeah, it's a rough one. Wish our government did more to support NASA.
      nmcfeters
      • Amen, Brother!

        I've been addicted to the space program since the sixties - my true heroes/heroines are the people who have given their lives furthering space exploration. Whatever problems NASA has had in the past and will have in the future, they are still responsible for some of the most exciting research going on today. I would love to see some of the money that's being spent on war going to NASA...

        Kudos to NASA for finding and disclosing vulnerabilities in their code!
        Lizzie_B
        • Actually...

          It's not the war that's costing all the money, it's stuff like Congress giving themselves a paid vacation while there's work to be done. Corruption, money leaking into the pockets of the elite, and money wasted on silly, overly complex government programs.

          President Bush is probably the best thing to happen to the Space Program in a long time, with his desire to go back to the moon, and eventually to Mars, it's just a shame he can't get anything through Congress. I hate to think about how many budget expansions for NASA ended up on the "cutting room floor" because of Congress's blind desire to kill everything he tries to do.

          As a result, of course, rather than building a new Space Shuttle, we're making what are basically glorified Apollo Capsules, in a painful reversal of technological advancement that makes me ashamed of how backwards the priorities of our government are, more concerned with hindering the President and forwarding their own political agendas than with the advancement and betterment of the human race.
          spyro17
          • Indeed

            [i]As a result, of course, rather than building a new Space Shuttle, we're making what are basically glorified Apollo Capsules, in a painful reversal of technological advancement that makes me ashamed [/i]

            I had the same thought when I first heard about the new "Crew Exploration Vehicle", and I could not agree more with your words.

            A CEV aka "Capsule"? WTF? Who the hell thought this thing up??? This is progress? The Russians have been using capsules for DECADES. How the hell is this progress?

            Oh, sure, the "new" capsule can carry twice as many astronauts as the original Apollo craft.

            Whoop-de-frigging-do.

            Those in power don't seem to understand: To ensure our survival, we have GOT to get off this planet before another KT event comes along, or an Islamic nutjob lets loose a doomsday virus and poof! we're all gone.

            We need a moon base. We must have colonies on Mars and the moons of the outer planets.

            Otherwise... all it takes is one rock.
            Hallowed are the Ori
          • Maya: it all ends December 21, 2012

            That's when the ancient Mayans said it all comes to an end.

            Asteroid Impact?
            Yellowstone's Super Volcano?
            Edgar Casey's Continental Shift?
            Hugh Auchincloss Brown's Catastropic Pole Shift?
            ??

            I sometimes muse that's when the Mother Ship will be back to pick up their people which we knew as the Maya (and of course killed off). Oooh will they be pisssed when no one is there to greet them but a handful of tourists from New Jersey!

            Keep watching the skys...

            Terry Thomas
            Atlanta, Georgia USA
            www.TerryThomasPhotos.com
            AtlantaTerry
          • HA! My thoughts almost to a tee!...

            So many prophets/cultures point to this date, it will be an interesting time!

            If nothing happens I can happily call all of them charlatans, and go back to the original bibilical thought that no one will ever accurately predict the end of the world.
            JCitizen
      • AMEN! - 'nuf said nt

        nt
        TheBottomLineIsAllThatMatters
      • I concur....(NT)

        nt
        JCitizen
      • Yes, they need support

        I hope that the decision-making culture at NASA is improving as well.
        seanferd
  • RE: Hacking NASA: One small step for man, one giant leap for hackers?

    basically this is due to outsourcing I think. when it was all in house and completely government controlled we were good. But things are different thanks to the aerospace dip in the 70's and 80's. We should have had a replacement for the shuttle by now, but no not enough money. don't sorry Burt Rutan and his team of geniuses will get us there!
    -S
    seannj427
    • Yeah, there's your faster-better-cheaper...

      and it actually works!
      JCitizen
  • How to aquire budget for NASA

    Tag * as <Military Application>

    If Fail then Tag * as <Counter Terrorism Measure>

    If Fail then Enlist corporate and public funding and Tag * as <Environmental Research>

    If Fail then launch P2P app from space be sued by MPAA and RIAA, counter sue for abusive tactics

    If Fail then proclaim the terrorist won and close shop.
    nucrash
  • RE: Hacking NASA: One small step for man, one giant leap for hackers?

    Actually it was CORE that found it and reported it to NASA, but Kudos to NASA for getting it fixed.

    At one point in my life I truly thought I would become a part of NASA, but due to the lack of funding, the space program lost steam and it became less interesting to me. It's unfortunate, truly.

    -Nate
    nmcfeters
    • Kind of like Star Trek

      It was really cool when it had money, but with lack of creativity, it became pretty boring quickly.

      I would like to see interest in NASA take off again, (No Pun Intended.)
      nucrash
      • NASA actually still has a lot going on

        You probably won't see it in the newspapers, though.
        seanferd
        • Surely, but...

          we need some programs that will re-install the national pride in the program. I can remember being a kid and watching the Challenger mission, and other missions... some failed, and those were great losses, but still, a great sense of pride in the program seemed to be present.

          Now we're still trying to get to the moon...
          nmcfeters
          • I still say Sally Ride was right...

            we need to go back to the moon before we take the next big step; besides - with all the Helium 3 on the moon we might be able to solve our energy crises in one fell swoop!
            JCitizen