Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bug Security Wireless Networking Hardware

Unhealthy Sniffing 49

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."
This discussion has been archived. No new comments can be posted.

Unhealthy Sniffing

Comments Filter:
  • by gl4ss ( 559668 ) on Wednesday March 24, 2004 @02:07PM (#8659134) Homepage Journal
    network sniffers are useful for other things as well.

    just this spring had to use ethereal on one networking course to follow ethernet packets, which computer was asking what from who, how the router affected the packets and how a hub is different from a switch(all and all quite basic stuff but still it was quite useful for gaining insight to the different protocols in real world like situation)..

    how about the windows port?
    • by silvercloak ( 68622 ) on Wednesday March 24, 2004 @02:18PM (#8659256)
      The article makes this clear: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.
    • I agree wholeheartedly. I write systems management software, and my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...
      • . . . my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...

        Same here... althought my idea of "significant traffic" is new pr0n sites that the comptroller hasn't told be about yet..

    • network sniffers are useful for other things as well.

      I was surprised to learn that a Windows port of Ethereal was packaged and deployed to our shared apps installation environment. Surprised because we're a pretty large and conservative company, and non-computer types are quick to find the potential downsides to a tool and categorize it as evil before the good side can be seen.

      Anyways, Ethereal has been very helpful for exploring a variety of problems w/the different software we fool with. This gives us

  • Will ethereal work as a passive scanner? Like used to grab packets from a MAC filtered wi-fi network that you do not have access to?
    • Re:passive scanner (Score:4, Interesting)

      by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday March 24, 2004 @02:22PM (#8659290) Journal
      The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to effect the network, as far as I understand it (not very far).

      I imagine that the right way to do passive wifi scanning would require support from your driver and hardware, to ensure that you were not transmitting any packets at all.

      And no, I don't know anything about Ethereal. I'll shut up now.
      • Re:passive scanner (Score:3, Interesting)

        by Anonymous Coward
        The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to effect the network, as far as I understand it (not very far).

        Yea, but a common way to configure the sensors is to have one side plugged into the "trusted" internal network and the other side as an un-addressed interface in promiscuous mode. Ideally this would prevent someone on the outside from ever hopping into your internal LAN, but even if you cut the tx leads, the recent vulne

      • Re:passive scanner (Score:5, Informative)

        by DES ( 13846 ) * <des@des.no> on Wednesday March 24, 2004 @03:01PM (#8659772) Homepage
        The right way to do passive scanning is with an ethernet cable that has the tx leads removed.

        Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.

        In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

        (I write network analysis software for a living)
        • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday March 24, 2004 @03:51PM (#8660368) Journal
          (I write network analysis software for a living)

          I write VB front ends to SQL databases for a living.

          I'm going to go with you on this one.
        • IIRC I've read reports that you can "un-twist" the TX cable-pair and that will destroy the signal while still providing enough to make the switch keep the port open. Some experimentation may be required though.
        • Re:passive scanner (Score:3, Informative)

          by Rick.C ( 626083 )
          Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all.

          It's true that you can't just cut the tx wire, but you _can_ rig it so a hub can see it but no xmit will occur.

          Search google for "sniffer +stealth". There is a site with plans to build a non-transmitting cable. It also discusses the theory of how it works. (I can't verify a link because those kinds of sites are blocked here at work.) It involves cutting _on

        • Re:passive scanner (Score:3, Informative)

          by Anonymous Coward
          Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.

          In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic w
      • The way I have always done passive scanning is from the router. (assuming you are on the network and not tapping into it) You have the router copy all the packets to an entirely different port so your sniffer is off the main network. Therefore it is really impossibe to affect the network.
  • Ettercap (Score:4, Interesting)

    by vasqzr ( 619165 ) <vasqzr@@@netscape...net> on Wednesday March 24, 2004 @02:20PM (#8659266)
    Sounds like a good time to check out Ettercap [sourceforge.net]

    Short Description:

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
    It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

    • Re:Ettercap (Score:1, Informative)

      by Anonymous Coward
      Sounds like a good time to check out Ettercap.

      And what? List it's buffer overflows? You aren't saying it exploit free, are you?

      A patched Ethereal will be out in a few days. I think you'd be better off with that.

  • by Old Uncle Bill ( 574524 ) on Wednesday March 24, 2004 @02:24PM (#8659311) Journal
    Yeah, I don't like remote root exploits any more than the next guy, but are there a lot of people who run this 24/7? For the one hour a week I run this tool, I'm not AS concerned as if it was my OS with those vulnerabilities *cough*Windows*cough*.
  • by Anonymous Coward
    There is no reason the Ethereal GUI or protocol analysis code needs to run as root. It should drop privileges as soon as it begins sniffing.
    • I use tcpdump to capture what is on the wire... which is run as root.

      Then, as a non-root user, I pull the data into ethereal.

      I do this because the network is over a thousand miles away and the machines don't even have X on them... so... I capture remotely and then look at the data on my workstation.
  • Wardriving (Score:4, Interesting)

    by DustMagnet ( 453493 ) on Wednesday March 24, 2004 @02:30PM (#8659382) Journal
    These bugs can also be used to catch war drivers. Another trick I've seen in a white paper was to transmit fake traffic from an unused IP address and watch for reverse DNS lookups.
  • by n1ywb ( 555767 ) on Wednesday March 24, 2004 @03:35PM (#8660165) Homepage Journal
    Ethereal is a valuable network diagnostic tool. It has saved my ass a couple of times, and it has been helpful many times. I was the only person in my Networks class in college that was able to do my assignments from my room, everybody else had to go to the lab to use the commercial sniffer.

    On the other hand, 13 vulnerabilities isn't too terrible and hopefully they'll get them patched up straight away. I'm sure that your average commercial packet sniffer probably is probably just as bad or worse, and those bugs aren't getting fixed.
    • It would be unfortunate if it was a closed source application and the company had no desire to fix the problems.

      That isn't the case.

      This is just another step in making the product even better than it already is...
    • It's surprising how many vulnerabilities are found in Ethereal - this report is certainly not the first. And they tend to be root vulnerabilities.

      Really, it's amazing that software like Ethereal, intended as a security tool, wasn't written with a bit more care and attention to avoid buffer overflows and similar causes of exploits. Normally one would expect something that needs to run as root and accept arbitrary data from the network interface to be written with extra caution and paranoia.
  • by Homology ( 639438 ) on Wednesday March 24, 2004 @03:41PM (#8660248)
    13 remotely triggerable vulnerabilities were discovered in the multiprotocol packet sniffer Ethereal that allow remote compromise.

    Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.

    Gentoo has a project called "Hardened Gentoo" where the stack overflow would just chrash the Ethereal.It's time the bigger Linux distros implement similar technology (that exist as PaX).

  • Want to know about unhealthy sniffing? Hang out in the sysadmin's office at my old job for ten minutes.
  • The article says that they found the vunerabilities during a code audit with an ethereal vendor, but it doesn't mention if they let the ethereal maintainers know about the problems before they released the report. If they did I would imagine we will have a new version with these bugs squashed rather quickly. If they did not I would say that is rather lame of them.
    • by Grotus ( 137676 ) <rlmoserNO@SPAMearthlink.net> on Wednesday March 24, 2004 @05:13PM (#8661265) Homepage
      From the article:
      Disclosure Timeline


      5 March 2004 Ethereal developers were contacted by email telling them about 10(of the 13) holes. 6 holes were closed the same day EIGRP, IGAP, ISUP and BGP.
      7 March 2004 IRDA hole closed (after checking specs)
      8 March 2004 PGM hole closed (after checking specs)
      9 March 2004 NetFlow hole closed (after checking specs)
      17 March 2004 UCP holes were discovered and mailed to vendor
      19 March 2004 UCP and TCAP holes closed (after checking specs)
      22 March 2004 Ethereal developers have releases a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week
      23 March 2004 Public Disclosure


      So, yes, they did let them know, and the holes have already been fixed.
    • It's in TFA:

      Disclosure Timeline

      5 March 2004
      Ethereal developers were contacted by email telling them about 10(of the 13) holes. 6 holes were closed the same day EIGRP, IGAP, ISUP and BGP.

      7 March 2004
      IRDA hole closed (after checking specs)

      8 March 2004
      PGM hole closed (after checking specs)

      9 March 2004
      NetFlow hole closed (after checking specs)

      17 March 2004
      UCP holes were discovered and mailed to vendor

      19 March 2004
      UCP and TCAP holes closed (after checking specs)

      22 March 2004
      Ethereal developers have r
  • by Paladine97 ( 467512 ) on Wednesday March 24, 2004 @05:00PM (#8661146) Homepage
    You've got to hand it to the ethereal team for their quick fixes.

    The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.
  • by g-san ( 93038 ) on Wednesday March 24, 2004 @05:34PM (#8661456)

    tcp.flags.evilbit == 0
  • The up side (Score:1, Funny)

    by Anonymous Coward
    You get to see lots of detailed info about the cracker's bits as they're attacking your pc :)

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...