List Archive: gentoo-announce
Headers:
To: gentoo-announce@g.o
From: Ferry Meyndert <m0rpheus@g.o>
Subject: [GLSA] New Ettercap version to fix remote root compromise
Date: Thu, 14 Feb 2002 21:55:15 +0100
- --------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE        :ettercap
SUMMARY        :Ettercap, remote root compromise
DATE           :2002-02-14 21:42:00

- --------------------------------------------------------------------------

OVERVIEW

 As it is said on ettercap's home page, "Ettercap is a multipurpose
 sniffer/interceptor/logger for switched LAN". Due to improper use of
 memcpy(), a remote attacker can crash ettercap and execute code as the
 root user.

 The vulnerability has been confirmed and exploited in ettercap version
 0.6.3.1. Older versions may be vulnerable too.


DETAIL

 Ettercap is composed of decoders that look for usernames, passwords,
 communities and similar data.

 Several decoders (mysql, irc, ...) suffer from the following problem:

    memcpy(collector, payload, data_to_ettercap->datalen);

 Collector is declared as:

     u_char collector[MAX_DATA];

 Where MAX_DATA is:

   #define MAX_DATA 2000

 Datalen is the length of the data (after the TCP/UDP header) read from the
 interface, so on interfaces whose MTU is higher than 2000 ettercap can be
 exploited. Since normal Ethernet has an MTU of 1500 and ettercap does not
 support IP defragmentation, the bug cannot be exploited for code execution
 there, but ettercap can still be crashed with a forged packet
 (ip->tot_len > MAX_DATA).

 Here are common MTU and interface types:

     65535 Hyperchannel
     17914 16 Mbit/sec token ring
     8166  Token Bus (IEEE 802.4)
     4464  4 Mbit/sec token ring (IEEE 802.5)
     1500  Ethernet
     1500  PPP (typical; can vary widely)
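
 The following C program is an added illustration written for this archive
 page, not ettercap's own code: it places the unchecked memcpy() quoted above
 beside a bounded version of the same copy, and runs simulated segments sized
 for the interfaces in the MTU table through the bounded decoder so the
 difference between Ethernet (1500) and loopback (16436) is visible. The
 struct name and its field names are hypothetical, and the IP/TCP header
 overhead inside the MTU is ignored for simplicity.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA 2000   /* the limit quoted in the advisory */

/* Constructed stand-in for the structure ettercap hands to its decoders.
 * The struct and field names are hypothetical; only payload and datalen
 * matter for the defect. */
struct decoder_input {
    const unsigned char *payload;   /* bytes after the TCP/UDP header */
    size_t datalen;                 /* payload length as read from the wire */
};

/* The defective pattern from the advisory (u_char written as unsigned char):
 * datalen comes straight from the packet and is never compared with the
 * size of collector, so any segment longer than MAX_DATA overruns the stack.
 * Kept here only to show the defect; main() feeds it in-bounds data only. */
static void decode_unchecked(const struct decoder_input *in)
{
    unsigned char collector[MAX_DATA];
    memcpy(collector, in->payload, in->datalen);   /* no bound check */
    (void)collector;
}

/* Hardened form: refuse the segment before copying whenever datalen exceeds
 * the destination. Returns 0 on success, -1 when the segment is dropped. */
static int decode_bounded(const struct decoder_input *in, size_t *copied)
{
    unsigned char collector[MAX_DATA];
    *copied = 0;
    if (in->payload == NULL || in->datalen > sizeof collector) {
        fprintf(stderr, "decoder: dropped oversized segment (%zu > %zu)\n",
                in->datalen, sizeof collector);
        return -1;
    }
    memcpy(collector, in->payload, in->datalen);
    *copied = in->datalen;
    return 0;
}

/* Simulate one unfragmented segment of datalen bytes arriving on an
 * interface with the given MTU (header overhead ignored) and run it through
 * the bounded decoder. Returns bytes copied (>= 0), -1 if the decoder
 * dropped it, or -2 if a segment that long cannot arrive unfragmented on
 * that interface at all (which is why plain Ethernet is not exploitable). */
long feed_segment(size_t mtu, size_t datalen)
{
    static unsigned char frame[65535];   /* Hyperchannel, the table's maximum */
    size_t copied;
    if (datalen > mtu || datalen > sizeof frame)
        return -2;
    memset(frame, 'A', datalen);   /* constructed filler payload */
    struct decoder_input in = { frame, datalen };
    if (decode_bounded(&in, &copied) != 0)
        return -1;
    return (long)copied;
}

int main(void)
{
    static const struct { const char *name; size_t mtu; size_t datalen; } cases[] = {
        { "Ethernet, full-size segment", 1500,  1500 },
        { "Ethernet, oversized segment", 1500,  2500 },
        { "loopback, MAX_DATA exactly",  16436, 2000 },
        { "loopback, oversized segment", 16436, 2500 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long r = feed_segment(cases[i].mtu, cases[i].datalen);
        printf("%-30s mtu=%5zu datalen=%5zu -> %ld\n",
               cases[i].name, cases[i].mtu, cases[i].datalen, r);
    }
    /* The unchecked decoder only behaves while datalen <= MAX_DATA. */
    unsigned char small[64] = {0};
    struct decoder_input ok = { small, sizeof small };
    decode_unchecked(&ok);
    return 0;
}
```

 Dropping the segment rather than truncating it is the safer choice for a
 sniffer: a truncated copy would let a decoder parse half a record, while a
 dropped one is simply not logged.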

 Sample exploitation is also possible on the loopback interface (MTU 16436):

  piscis:~# ettercap -NszC -i lo &
  [1] 21887
  piscis:~# ./ettercap-x 0 | nc localhost 3306
  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@...>
  Next Generation Security Technologies
  http://www.ngsec.com

  punt!
  piscis:~# telnet localhost 36864
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  id;
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)


SOLUTION

 
 It is recommended that all ettercap users apply the update.

 Portage Auto:

 emerge rsync
 emerge update
 emerge update --world


 Portage by hand:

 emerge rsync
 emerge net-analyzer/ettercap

 Manually:

 Download the new ettercap package here and follow the instructions in the
 tarball:
 http://ettercap.sourceforge.net/download/ettercap-0.6.4.tar.gz


- --------------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
- --------------------------------------------------------------------------