March 26th, 2004 01:55 AM
Flaws in Ethereal
Did not see this posted elswhere, described as critical.
March 28th, 2004 03:50 AM
well if anybody didn't they better find out now:
Ethereal 0.10.0-0.10.2 IGAP Overflow Remote Root Exploit
* THE EYE ON SECURITY RESEARCH GROUP - INDIA
* Ethereal IGAP Dissector Message Overflow Remote Root exploit
* Copyright 2004 - EOS-India Group
* Authors note:
* Shellcode splitting technique:
* Due to difficulty involved while following normal exploitation techniques due to shortage of memory space
* for our shellcode, we used the technique of shellcode splitting. In this technique one part of the shellcode
* is kept before the buffer which overwrites the saved EIP on stack followed by a jmp OFFSET instruction which
* jumps EIP to the second half of the shellcode which is kept after return address. Also since our shellcode
* requires EBP to contain a usuable stack address, we overwrite saved EBP also.
* This code is for educational purpose and testing only. The Eye on Security Research Group - India, cannot
* be held responsible for any damage caused due to misuse of this code.
* This code is a proof of concept exploit for a serious vulnerability that exists in Ethereal 0.10.0 to
* Ethereal 0.10.2.
x86 linux portbind a shell in port 31337
based on shellcode from www.shellcode.com.ar
with a few modifications by us
this was released today on "that french" security site
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
March 28th, 2004 11:48 AM
Note to everybody who doesn't realise this:
Vulnerabilities in Ethereal are not as serious as they may sound. There are many mitigating factors:
1. An attacker needs to know that you are running Ethereal in the first place
2. Most people only run Ethereal occasionally (i.e. while diagnosing network problems)
3. An attacker also needs to know where you're running ethereal and be able to route packets of the specified type to the host.
4. Unless it's a really common type of protocol, it will probably be blocked by the firewall
5. If the user has used capture filters in Ethereal which filter out the attacker's packets, they won't be vulnerable anyway.
March 28th, 2004 12:19 PM
I dont really know much about this kinda thing but wouldnt it be kinda hard to get the dodgy packets to ethereal if a firewall between the network and internet was properly configured?