[NGSEC-2002-1] Ettercap, remote root compromise

From: NGSEC Research Team (labsat_private)
Date: Wed Feb 13 2002 - 15:49:28 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    
                       Next Generation Security Technologies
                              http://www.ngsec.com
                                Security Advisory
    
    
           Title:   Ettercap, remote root compromise
              ID:   NGSEC-2002-1
     Application:   ettercap 0.6.3.1 and older (http://ettercap.sourceforge.net)
            Date:   05/02/2002
          Status:   Vendor Contacted, new fixed version released.
        Platform:   Linux on interfaces with MTU > 2000
          Author:   Fermín J. Serna <fjsernaat_private>
        Location:   http://www.ngsec.com/docs/advisories/NGSEC-2002-1.txt
    
    
    Overview:
    - ---------
    
    As ettercap's home page puts it, "Ettercap is a multipurpose
    sniffer/interceptor/logger for switched LAN". Due to improper use of the
    memcpy() function, anyone can crash ettercap and execute code as the root
    user.
    
    The vulnerability has been confirmed and exploited in ettercap version
    0.6.3.1. Older versions may be vulnerable too.
    
    This vulnerability only exists in the Linux version, because on *BSD and
    MacOSX ettercap only works on ethernet devices.
    
    Technical description:
    - ----------------------
    
    Ettercap is composed of decoders which look for users, passwords,
    communities and the like.
    
    Several decoders (mysql, irc, ...) suffer the following problem:
    
       memcpy(collector, payload, data_to_ettercap->datalen);
    
    Collector is declared as:
    
        u_char collector[MAX_DATA];
    
    Where MAX_DATA is:
    
      #define MAX_DATA 2000
    
    Datalen is the length of the data (after the TCP/UDP header) read from the
    interface. So on interfaces where the MTU is higher than 2000 you can
    exploit ettercap. Since normal ethernets have an MTU of 1500, this bug
    cannot be exploited there because ettercap does not support
    defragmentation, but ettercap may still be crashed with a forged packet
    (ip->tot_len > MAX_DATA).
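The two length checks a decoder needs before that memcpy, as an added example
that is not ettercap's code and not part of the original advisory. The names
collect_payload, decode_packet, max_tcp_payload and mtu_can_overflow are
hypothetical; only MAX_DATA and the memcpy(collector, payload, datalen) pattern
come from the advisory. The example keeps the header-derived length (datalen)
separate from the number of bytes actually captured, so that both a payload
longer than the collector and a forged ip->tot_len are rejected before any
copy happens. It also goes slightly beyond the text by computing, for a given
MTU, whether a single unfragmented packet can exceed the collector at all.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DATA 2000          /* the limit the advisory quotes from ettercap */

/* Outcome of trying to collect one packet's payload into a decoder buffer. */
typedef enum {
    COLLECT_OK = 0,
    COLLECT_BAD_ARG,           /* NULL pointer or oversized capture passed in */
    COLLECT_FORGED_LEN,        /* header claims more bytes than were captured */
    COLLECT_TOO_LONG           /* payload would not fit in the collector */
} collect_status;

/* Hardened replacement for the unchecked memcpy(collector, payload, datalen).
 * datalen comes from the packet header and is untrusted; captured_len is the
 * number of payload bytes actually present in the capture buffer. Both checks
 * run before a single byte is copied. (Hypothetical helper, not ettercap's.) */
collect_status collect_payload(unsigned char *collector, size_t collector_size,
                               const unsigned char *payload, size_t captured_len,
                               size_t datalen, size_t *copied)
{
    if (collector == NULL || payload == NULL || copied == NULL)
        return COLLECT_BAD_ARG;
    *copied = 0;
    if (datalen > captured_len)            /* e.g. forged ip->tot_len */
        return COLLECT_FORGED_LEN;
    if (datalen > collector_size)          /* would overflow the stack buffer */
        return COLLECT_TOO_LONG;
    memcpy(collector, payload, datalen);
    *copied = datalen;
    return COLLECT_OK;
}

/* Models one decoder handling a packet whose header advertises datalen bytes
 * while captured_len bytes really arrived. The payload content is constructed
 * filler; only the lengths matter here. */
collect_status decode_packet(size_t datalen, size_t captured_len)
{
    static unsigned char payload[65535];  /* constructed: max IPv4 datagram */
    unsigned char collector[MAX_DATA];
    size_t copied;

    if (captured_len > sizeof payload)
        return COLLECT_BAD_ARG;
    memset(payload, 'A', captured_len);
    return collect_payload(collector, sizeof collector,
                           payload, captured_len, datalen, &copied);
}

/* Largest TCP payload a link of the given MTU can carry in one frame,
 * assuming minimal 20-byte IPv4 and 20-byte TCP headers (an assumption of
 * this example). Returns 0 when the MTU cannot even hold the headers. */
size_t max_tcp_payload(size_t mtu)
{
    const size_t headers = 20 + 20;
    return mtu > headers ? mtu - headers : 0;
}

/* 1 if one unfragmented packet on this link can exceed the collector. */
int mtu_can_overflow(size_t mtu)
{
    return max_tcp_payload(mtu) > MAX_DATA;
}
```

With the 40-byte header assumption, an Ethernet MTU of 1500 yields at most
1460 payload bytes, below MAX_DATA, while token ring and loopback MTUs from the
table below can carry more than 2000 bytes in one frame; the forged-length case
is what still lets an Ethernet packet crash an unchecked decoder.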
    
    Here are common MTU and interface types:
    
        65535 Hyperchannel
        17914 16 Mbit/sec token ring
        8166  Token Bus (IEEE 802.4)
        4464  4 Mbit/sec token ring (IEEE 802.5)
        1500  Ethernet
        1500  PPP (typical; can vary widely)
    
    
    The exploit for this vulnerability can be found at
    
           http://www.ngsec.com/dowloads/exploits/ettercap-x.c
    
    Sample exploitation is also possible on the loopback interface (MTU: 16436):
    
      piscis:~# ettercap -NszC -i lo &
      [1] 21887
      piscis:~# ./ettercap-x 0 | nc localhost 3306
      ettercap-0.6.3.1 xploit by Fermín J. Serna <fjsernaat_private>
      Next Generation Security Technologies
      http://www.ngsec.com
    
      punt!
      piscis:~# telnet localhost 36864
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      id;
      uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)
    
    
    Recommendations:
    - ----------------
    
    Upgrade to a newer ettercap version.
    Run ettercap in a secure environment.
    
    
    More advisories at: http://www.ngsec.com/advisories/
    PGP Key: http://www.ngsec.com/labs.asc
    
    (c)Copyright 2002 NGSEC. All rights reserved.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Made with pgp4pine 1.76
    
    iD8DBQE8avuLKrwoKcQl8Y4RAuP/AJ986xxVSp4o3t5i6iVd9++KSS1VEwCgj3az
    UVogHhRBDxiLcV2VLyYcbrY=
    =W1yr
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 10:06:19 PST