- --------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE :ettercap
SUMMARY :Ettercap, remote root compromise
DATE :2002-02-14 21:42:00

- --------------------------------------------------------------------------

OVERVIEW

As it is said on ettercap's home page, "Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN". Due to improper use of the
memcpy() function, anyone can crash ettercap and execute code as the root
user.

The vulnerability has been confirmed and exploited in ettercap version
0.6.3.1. Older versions may be vulnerable too.


DETAIL

Ettercap is composed of decoders that look for users, passwords,
communities and the like.

Several decoders (mysql, irc, ...) suffer from the following problem:

memcpy(collector, payload, data_to_ettercap->datalen);

collector is declared as:

u_char collector[MAX_DATA];

where MAX_DATA is:

#define MAX_DATA 2000

datalen is the length of the data (after the TCP/UDP header) as read from
the interface. So on interfaces where the MTU is higher than 2000 you can
exploit ettercap. Since normal Ethernet has an MTU of 1500 this bug cannot
be exploited there, because ettercap does not support defragmentation, but
ettercap may still be crashed with a forged packet (ip->tot_len > MAX_DATA).

Here are common MTUs and interface types:

65535 Hyperchannel
17914 16 Mbit/sec token ring
8166  Token Bus (IEEE 802.4)
4464  4 Mbit/sec token ring (IEEE 802.5)
1500  Ethernet
1500  PPP (typical; can vary widely)

Sample exploitation could also be done on loopback interfaces (MTU 16436):

piscis:~# ettercap -NszC -i lo &
[1] 21887
piscis:~# ./ettercap-x 0 | nc localhost 3306
ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@×××××.com>
Next Generation Security Technologies
http://www.ngsec.com

punt!
piscis:~# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)
|
71 |
|
72 |
SOLUTION |
73 |
|
74 |
|
75 |
It is recommended that all ettercap users apply the update |
76 |
|
77 |
Portage Auto: |
78 |
|
79 |
emerge rsync |
80 |
emerge update |
81 |
emerge update --world |
82 |
|
83 |
|
84 |
Portage by hand: |
85 |
|
86 |
emerge rsync |
87 |
emerge net-analyzer/ettercap |
88 |
|
89 |
Manually: |
90 |
|
91 |
Download the new ettercap package here and follow in file instructions: |
92 |
http://ettercap.sourceforge.net/download/ettercap-0.6.4.tar.gz |
93 |
|
94 |
|
95 |
- -------------------------------------------------------------------------- |
96 |
Ferry Meyndert |
97 |
m0rpheus@g.o |
98 |
- -------------------------------------------------------------------------- |