8002126 2002-02-14 00:49 +0100  /116 lines/ NGSEC Research Team <labs@ngsec.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-14  19:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20993>
Subject: [NGSEC-2002-1] Ettercap, remote root compromise
------------------------------------------------------------
From: NGSEC Research Team <labs@ngsec.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0202140048580.2217-100000@localhost.localdomain>




                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   Ettercap, remote root compromise
          ID:   NGSEC-2002-1
 Application:   ettercap 0.6.3.1 and older (http://ettercap.sourceforge.net)
        Date:   05/02/2002
      Status:   Vendor Contacted, new fixed version released.
    Platform:   Linux on interfaces with MTU > 2000
      Author:   Fermín J. Serna <fjserna@ngsec.com>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2002-1.txt


Overview:
---------

As ettercap's home page puts it, "Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN". Due to improper use of
the memcpy() function, anyone can crash ettercap and execute code as
the root user.

The vulnerability has been confirmed and exploited in ettercap version
0.6.3.1. Older versions may be vulnerable too.

This vulnerability only exists in the Linux version, because on *BSD and
MacOS X ettercap only works on Ethernet devices.

Technical description:
----------------------

Ettercap is composed of decoders that look for users, passwords,
communities and the like.

Several decoders (mysql, irc, ...) suffer the following problem:

   memcpy(collector, payload, data_to_ettercap->datalen);

Collector is declared as:

    u_char collector[MAX_DATA];

Where MAX_DATA is:

  #define MAX_DATA 2000

Datalen is the length of the data (after the TCP/UDP header) read from
the interface.  So on interfaces whose MTU is higher than 2000 ettercap
can be exploited.  Since normal Ethernet has an MTU of 1500, this bug
cannot be exploited there, because ettercap does not support
defragmentation, but ettercap can still be crashed with a forged packet
(ip->tot_len > MAX_DATA).

Here are common MTU and interface types:

    65535 Hyperchannel
    17914 16 Mbit/sec token ring
    8166  Token Bus (IEEE 802.4)
    4464  4 Mbit/sec token ring (IEEE 802.5)
    1500  Ethernet
    1500  PPP (typical; can vary widely)
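As an added illustration (not ettercap's code and not the advisory's exploit), the unchecked copy the advisory quotes next to a bounds-checked form. `struct packet`, `decode_checked` and `run_checked` are assumed names; the payload fed in is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DATA 2000   /* the decoders' fixed collector size, as in the advisory */

/* Assumed stand-in for ettercap's per-packet structure: only the two
 * fields the bug depends on. */
struct packet {
    const unsigned char *payload;
    size_t datalen;      /* bytes after the TCP/UDP header, taken from the wire */
};

/* Vulnerable pattern (as quoted above): datalen is trusted, so a payload
 * longer than MAX_DATA, possible on a link with MTU > 2000 or via a forged
 * ip->tot_len, overruns the stack buffer. Kept for comparison; not called. */
void decode_unchecked(const struct packet *p)
{
    unsigned char collector[MAX_DATA];
    memcpy(collector, p->payload, p->datalen);   /* BUG: no bound on datalen */
    (void)collector;
}

/* Hardened form: bound the copy by the destination size. Returns the number
 * of bytes copied, or -1 when the packet is dropped as oversized or empty. */
int decode_checked(const struct packet *p, unsigned char *collector, size_t collector_len)
{
    if (p->payload == NULL || p->datalen > collector_len)
        return -1;
    memcpy(collector, p->payload, p->datalen);
    return (int)p->datalen;
}

/* Demo hook: builds a constructed payload of `len` bytes (all 'A'), the size
 * a decoder would see on a large-MTU interface, and runs the checked decoder
 * against a MAX_DATA-sized collector. */
int run_checked(size_t len)
{
    static unsigned char buf[65535];   /* covers the largest MTU in the table */
    unsigned char collector[MAX_DATA];
    struct packet p;
    if (len > sizeof buf)
        return -1;
    memset(buf, 'A', len);
    p.payload = buf;
    p.datalen = len;
    return decode_checked(&p, collector, sizeof collector);
}
```

A 1500-byte Ethernet-sized payload is copied, while a 16436-byte loopback-sized one is dropped instead of overrunning the collector.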


Exploit for this vulnerability can be found at

       http://www.ngsec.com/dowloads/exploits/ettercap-x.c

Sample exploitation could also be done on the loopback interface (MTU 16436):

  piscis:~# ettercap -NszC -i lo &
  [1] 21887
  piscis:~# ./ettercap-x 0 | nc localhost 3306
  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
  Next Generation Security Technologies
  http://www.ngsec.com

  punt!
  piscis:~# telnet localhost 36864
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  id;
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)


Recommendations:
----------------

Upgrade to a newer ettercap version.
Run ettercap in a secure environment.


More advisories at: http://www.ngsec.com/advisories/
PGP Key: http://www.ngsec.com/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.