List Archive: gentoo-announce
- --------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE :ettercap
SUMMARY :Ettercap, remote root compromise
DATE :2002-02-14 21:42:00
- --------------------------------------------------------------------------
OVERVIEW
As ettercap's home page puts it, "Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN". Due to improper use of the
memcpy() function, anyone who can deliver a large enough packet to an
interface ettercap is sniffing can crash ettercap and execute code as the
root user.
The vulnerability has been confirmed and exploited in ettercap version
0.6.3.1. Older versions may be vulnerable too.
DETAIL
Ettercap is composed of decoders that look for user names, passwords,
community strings and the like.
Several decoders (mysql, irc, ...) share the following problem:
memcpy(collector, payload, data_to_ettercap->datalen);
collector is declared as:
u_char collector[MAX_DATA];
where MAX_DATA is:
#define MAX_DATA 2000
datalen is the length of the data after the TCP/UDP header, as read from the
interface, and it is never checked against MAX_DATA before the copy. So on
interfaces whose MTU is higher than 2000, a single packet can overflow the
collector and ettercap can be exploited.
Since ordinary Ethernet has an MTU of 1500, the overflow cannot be reached
across such links, because ettercap does not reassemble IP fragments. Ettercap
can still be crashed there with a forged packet whose IP total length exceeds
MAX_DATA (ip->tot_len > MAX_DATA).
Here are common MTU and interface types:
65535 Hyperchannel
17914 16 Mbit/sec token ring
8166 Token Bus (IEEE 802.4)
4464 4 Mbit/sec token ring (IEEE 802.5)
1500 Ethernet
1500 PPP (typical; can vary widely)
Sample exploitation is also possible on loopback interfaces (MTU 16436):
piscis:~# ettercap -NszC -i lo &
[1] 21887
piscis:~# ./ettercap-x 0 | nc localhost 3306
ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@...>
Next Generation Security Technologies
http://www.ngsec.com
punt!
piscis:~# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)
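The following is an added example, not code from the advisory or from ettercap itself. It models the decoder bug described above: a hypothetical packet structure standing in for data_to_ettercap, the unchecked memcpy pattern beside a bounds-checked version, and a helper that applies the MTU reasoning from the table (assuming minimal 20-byte IPv4 and TCP headers, which is an assumption of this example) to decide whether one unfragmented frame on a given link can carry more than MAX_DATA bytes of payload. The 3000-byte 'A' payload is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define MAX_DATA 2000            /* collector size used by the ettercap decoders */

/* Minimal IPv4 and TCP header sizes (no options); an assumption used to
 * estimate how much payload one unfragmented frame can carry. */
#define IP_HDR_MIN  20
#define TCP_HDR_MIN 20

/* Hypothetical stand-in for ettercap's data_to_ettercap structure. */
struct packet {
    const unsigned char *payload;   /* bytes after the TCP/UDP header */
    size_t datalen;                 /* length read from the interface: attacker controlled */
};

/* Vulnerable pattern from the advisory: datalen is trusted, so any
 * datalen > MAX_DATA writes past the end of collector and smashes the stack.
 * Kept only for comparison; never call it with datalen > MAX_DATA. */
size_t decoder_vulnerable(const struct packet *p)
{
    unsigned char collector[MAX_DATA];
    memcpy(collector, p->payload, p->datalen);
    return p->datalen;
}

/* Hardened decoder: refuse anything that does not fit the collector.
 * Returns the number of bytes copied; *rejected is set when the packet was dropped. */
size_t decoder_hardened(const struct packet *p, int *rejected)
{
    unsigned char collector[MAX_DATA];
    if (p->datalen > sizeof collector) {
        *rejected = 1;
        return 0;
    }
    memcpy(collector, p->payload, p->datalen);
    *rejected = 0;
    return p->datalen;
}

/* Bytes the vulnerable memcpy would write past the end of collector. */
size_t overflow_bytes(size_t datalen)
{
    return datalen > MAX_DATA ? datalen - MAX_DATA : 0;
}

/* Largest TCP payload a single unfragmented frame can carry on a link. */
size_t max_payload_for_mtu(size_t mtu)
{
    return mtu > IP_HDR_MIN + TCP_HDR_MIN ? mtu - IP_HDR_MIN - TCP_HDR_MIN : 0;
}

/* Can one frame on this link overflow the collector? Because ettercap does
 * not reassemble fragments, this is what decides exploitability per link type. */
int link_can_overflow(size_t mtu)
{
    return max_payload_for_mtu(mtu) > MAX_DATA;
}

int main(void)
{
    /* Constructed sample: 3000 bytes of 'A', the kind of payload an oversized
     * segment on a loopback or token ring link could deliver in one frame. */
    unsigned char *big = malloc(3000);
    if (big == NULL)
        return 1;
    memset(big, 'A', 3000);
    struct packet oversized = { big, 3000 };
    struct packet normal    = { big, 100 };
    int rejected;
    size_t copied;

    printf("vulnerable memcpy would spill %zu bytes\n",
           overflow_bytes(oversized.datalen));
    copied = decoder_hardened(&oversized, &rejected);
    printf("hardened decoder copied %zu bytes (rejected=%d)\n", copied, rejected);
    copied = decoder_hardened(&normal, &rejected);
    printf("hardened decoder copied %zu bytes (rejected=%d)\n", copied, rejected);
    printf("ethernet (1500) exploitable: %d, loopback (16436): %d\n",
           link_can_overflow(1500), link_can_overflow(16436));
    free(big);
    return 0;
}
```

The hardened version rejects the packet outright rather than truncating it; for a sniffer that only needs the first bytes of a protocol exchange, copying min(datalen, MAX_DATA) would be an acceptable alternative, but either way the length must be clamped before memcpy is reached.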
SOLUTION
It is recommended that all ettercap users apply the update
Portage Auto:
emerge rsync
emerge update
emerge update --world
Portage by hand:
emerge rsync
emerge net-analyzer/ettercap
Manually:
Download the new ettercap package from the URL below and follow the instructions in the file:
http://ettercap.sourceforge.net/download/ettercap-0.6.4.tar.gz
- --------------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
- --------------------------------------------------------------------------