RE: Ethernet ( MAC ) Address Reliability

From: Burton M. Strauss III (BStrauss_at_acm.org)
Date: 09/09/03

    To: "William N. Zanatta" <william@veritel.com.br>, <vuln-dev@securityfocus.com>
    Date: Mon, 8 Sep 2003 17:45:14 -0500
    
    

    Trivial to spoof in some OSes... RH8:

    $ cat /etc/sysconfig/network-scripts/ifcfg-eth0
    # Please read /usr/share/doc/initscripts-*/sysconfig.txt
    # for the documentation of these parameters.
    DEVICE="eth0"
    MACADDR="02:00:00:00:00:05"
    ...

    Ideally, values without that xxxxxx1x bit (LLA) set should be globally
    unique. In practice, there's no testing on the address you set for MACADDR
    (and there are legit reasons for assigning other values - say you want to
    spoof a NIC for your Cable Modem).

    -----Burton

    -----Original Message-----
    From: William N. Zanatta [mailto:william@veritel.com.br]
    Sent: Monday, September 08, 2003 9:17 AM
    To: vuln-dev@securityfocus.com
    Subject: Ethernet ( MAC ) Address Reliability

      Hey guys,

        I'm currently studying 'sadoor' ( see links at the foot ), a tool
    built over a proof-of-concept on monitoring interfaces instead of opening
    ports. The concept behind the tool consists ( roughly ) of monitoring the
    interface, waiting for a sequence of ip/tcp/udp key packets ( configurable
    ) and a command packet which runs a command at the host.

        The first article ( below ) introduces the tool and the hypothesis of
    using it as a remote system administration tool. Of course there are many
    security risks involved when doing it but I believe that a well planned
    system may work with a fine security level ( just focusing on this tool ).

        But there's one thing which worries me, the ethernet addresses. This
    is the point where I want to hear from you, and the question is, how
    reliable are these addresses? I know they're spoofable and thus it may
    bring problems with this kind of software.

        Anyway I'm still doing some research on this ( I'm not a network
    authority ;] ) but I would really like to hear from you.

        Thank you all,

        --

        References:

          1. A Practical Approach of Stealthy Remote Administration
          http://www.linuxsecurity.com/feature_stories/feature_story-149.html

          2. SAdoor's Home Page
          http://cmn.listprojects.darklab.org

        --

       William

    PS: Sorry for my messy English.
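
The first-octet bit mentioned in the reply (xxxxxx1x), decoded in an added Python example that is not part of either message. The function names and the two comparison addresses are constructed for illustration; the config lines are the ones quoted in the reply.

```python
import re

# Constructed sample: the ifcfg-eth0 lines quoted in the reply above.
SAMPLE_IFCFG = 'DEVICE="eth0"\nMACADDR="02:00:00:00:00:05"\n'

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")

def parse_mac(text):
    """Return the six octets of a colon- or dash-separated MAC address."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))

def classify(mac):
    """Decode the two flag bits carried in the first octet."""
    first = parse_mac(mac)[0]
    return {
        "locally_administered": bool(first & 0x02),  # the xxxxxx1x bit
        "group": bool(first & 0x01),                 # multicast/broadcast
    }

def macaddr_override(ifcfg_text):
    """Return the MACADDR value from ifcfg-style text, or None if unset."""
    for line in ifcfg_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "MACADDR":
            return value.strip().strip("\"'")
    return None

def report(mac):
    """Say what the flag bits do and do not tell a defender."""
    flags = classify(mac)
    if flags["group"]:
        return "group address: not valid as a station's own address"
    if flags["locally_administered"]:
        return "locally administered: set in software, no uniqueness claim"
    return "universal format: looks vendor-assigned, but still host-settable"

if __name__ == "__main__":
    override = macaddr_override(SAMPLE_IFCFG)
    print(override, "->", report(override))
    for mac in ("00:11:22:33:44:55", "01:00:5e:00:00:01"):  # constructed
        print(mac, "->", report(mac))
```

A cleared bit only shows that the address has the universally administered format; as the reply notes, nothing tests the value placed in MACADDR.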

