GEN:SID | 1:1382 |
Message | EXPLOIT CHAT IRC Ettercap parse overflow attempt |
Summary | This event is generated when an attempt is made to exploit a known root exploit for Ettercap Network Sniffer (Version <= 0.6.2).
|
Impact | Remote attacker is able to gain root shell on host running ettercap.
|
Detailed Information | A buffer overflow in the parsing of IRC traffic for 'nick' passwords enables a remote attacker to execute code of their choice as root on the compromised host. It results from an unchecked string copy of the password captured from the packet into the buffer used to store all retrieved passwords. The same or very similar overflows exist for other string matches within this section of code in this and previous versions of ettercap.
The exploit released by GOBBLES listens on port 0x8000 and provides a shell for the attacker. Since ettercap is generally run as root in order to have access to a promiscuous network interface, the shell will have uid=0 (root). |
Affected Systems | |
Attack Scenarios | Ettercap is likely to be deployed in 'sensitive' parts of the network where a network administrator is analysing passing traffic. A compromise of a host in such a position will not only reveal any passwords already captured by ettercap to the attacker, but also gives the attacker ample opportunity to analyse passing network traffic for further useful information. The host will quite likely be used as a base for other attacks. Ettercap may also be installed on a compromised host for the purpose of monitoring or modifying traffic on the host's network.
|
Ease of Attack | Simple - exploit code published by 'GOBBLES' on vuln-dev - original posting can be seen here: http://online.securityfocus.com/archive/82/245128
|
Corrective Action | Upgrade to ettercap 0.6.3 or greater
|
Additional References | Attrition: http://www.attrition.org/security/advisory/gobbles/GOBBLES-12.txt
Security Focus archive: http://online.securityfocus.com/archive/82/245128
|
Rule References | url: www.bugtraq.org/dev/GOBBLES-12.txt
|
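The unchecked copy described under Detailed Information, shown beside a bounds-checked form. This is an added illustration, not ettercap's source: the function names, the PASS_MAX field size and the "IDENTIFY <password>" line format are assumptions, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PASS_MAX 32   /* assumed size of the sniffer's stored-password field */

/* Find the token that follows "IDENTIFY " in a captured line (assumed format). */
static const char *find_pass(const char *line) {
    const char *p = strstr(line, "IDENTIFY ");
    return p ? p + strlen("IDENTIFY ") : NULL;
}

/* Vulnerable pattern: the length of the token taken from the packet is
 * never compared with the size of the destination buffer. */
int store_pass_unchecked(const char *line, char dst[PASS_MAX]) {
    const char *tok = find_pass(line);
    if (!tok) return -1;
    strcpy(dst, tok);                  /* writes past dst when token >= PASS_MAX */
    return (int)strlen(dst);
}

/* Hardened form: measure the token first, refuse oversized input, then copy
 * exactly that many bytes. Returns length, -1 if no token, -2 if too long. */
int store_pass_checked(const char *line, char *dst, size_t dst_sz) {
    const char *tok = find_pass(line);
    if (!tok || dst_sz == 0) return -1;
    size_t n = strcspn(tok, " \r\n");  /* token ends at space or end of line */
    if (n >= dst_sz) return -2;        /* oversized: drop it, dst is untouched */
    memcpy(dst, tok, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[PASS_MAX];
    char big[256] = "PRIVMSG NickServ :IDENTIFY ";   /* constructed sample */
    size_t off = strlen(big);
    memset(big + off, 'A', 200);                     /* 200-byte "password" */
    big[off + 200] = '\0';

    printf("normal line:    %d\n",
           store_pass_checked("PRIVMSG NickServ :IDENTIFY hunter2\r\n", buf, sizeof buf));
    printf("oversized line: %d\n", store_pass_checked(big, buf, sizeof buf));
    return 0;
}
```

Rejecting the oversized token instead of truncating it keeps a malformed capture out of the password store and gives the caller a distinct return value to log.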