Slashdot Mirror
Flaw Found iIn Ethernet Device Drivers
Licensed2Hack writes "Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks.
Seems the device driver writers couldn't be bothered with a memset() call. Eweek has their typical (puffy, low on tech details) take on it here.
Since they don't specify the OS, I'm assuming these are drivers for Windows." It's actually Linux, *BSD, and Windows.
At least it didn't foil my first post.
the flaws are in linux drivers too. Who knows, you might even want to read the article.
...."iln" story title
From the article (in case you haven't read it):
"The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
Straight from the article
OK, it's slashdot, so we expect people to post comments without reading the article, but it's a little ridiculous that the submitter didn't even bother.
Anonymous Coward writes "English speakers have discovered a serious flaw that may be present in many Slashdot editors that is causing the devices to broadcast poor journalism over networks. Seems the editors couldn't be bothered with a Spellcheck call. Slashdot trolls have their typical (puffy, low on tech details) take on it here. Since a fault was found, Slashdot is assuming the problem is with Windows."
One wonders whether it would be possible to build a fix into the operating system, or would that be too great an abstraction?
You can find the CERT's take on this here:
http://www.kb.cert.org/vuls/id/412115.
Lots of applications have the same fault, e.g. Microsoft Access doesn't appear to memset so you get what ever happens to be kicking around in memory written to emptyness in the database.
Also Access doesn't clean out deleted data.
thank God the internet isn't a human right.
The Cert advisory says that MS doesn't ship any drivers with this vulnerability. This is a lot different from saying that MS systems are completely uneffected. We're going to have all double check against the actual driver being used by the system (when this list is complete of course) to find out if we are particularly affected by this.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
If you click a few links away (well, actually just one) you end up on http://www.kb.cert.org/vuls/id/412115 which states that Microsoft, CISCO and others are NOT Vulnerable, which is the exact opposite as what eweek says...
FUD ?
If this bugs you, just make a change to the link layer drivers. Pad with nuls again, like it is supposed to, rather than garbage data. The downside to this is there will be a speed hit, since you are wasting time fscking with small packets to make sure they are secured. But, given the speed of modern systems vs the speed of ethernet, I highly doubt you'll notice.
Honestly, the big problem here is going to be MS. I doubt they'll introduce a fix at all.
Since the author has failed to specify the species he belongs to, I am assuming he is a lemur.
It could be enough for someone to snag the SSH private keys for a connection.
Of course, since you have to read ethernet packets, they'd either be listening to traffic on a VPN, or they'd be on their target's LAN.
More reasons to be afraid of your company's BOFH.
What's this Submit thingy do?
@stake's advisory release:0 10603-1.txt
t stake_etherleak_report.pdf
http://www.atstake.com/research/advisories/2003/a
And their etherleak report PDF:
http://www.atstake.com/research/advisories/2003/a
Oh my God, they were right all along ;)
here is a bugtraq thread from a year ago, describing a similar sounding problem...
ex$$
see: http://www.kb.cert.org/vuls/id/JPLA-5BGP7V
Mark
Just tested this with Ethereal on W2K.
The command 'ping -n 10 -l 1472 ' sends a packet that's padded with 'abcd...uvwabcd...uvwabcd'.
The echo reply is padded with the same characters, apparently just pulled from the request and stuck in the reply. So far I've tried pinging W2K, HPUX, a Cisco router, and a Debian box. All return the contents of the initial request as padding.
Is there more to replicating this than they let on? Or are they just full of poop?
or Cisco or every other router/switch vendor...
Now OpenBSD will have to change their tagline, again.
Only one remote hole in the default install, in more than 7 years! Oh yeah, and 1 hole embedded in the Ethernet dri...
"Shit. We ran out of space on the CD cover."
Talisman
Wanna get pissed?
"Study your math, kids. Key to the universe." -The Archangel Gabriel
Why is this "devastating"? People can sniff ethernet networks anyway? People don't rely solely on a switch for your network security, right?? (Who am I kidding? Of course someone does. Sigh.)
Funny, I am careful about checking my facts, and I am assuming that only 5 people will read my post. I would hope I would put a LITTLE more effort into my fact checking tho if I thought it was going to get 1,000,000 hits.
Since the poster and the editors don't check their facts, I am assuming they don't.
Slashdot is the first site I hit for tech info. And typically, while exagerrated, the attacks on MS have basis at least.
But an ASSUMPTION like above about "Well, there's a problem, it must be Windows!" just makes my ears perk up immediately and want to check the facts. Why doesn't it for the Slashdot editors?
WHY would you assume that? Just from the blurb the poster included it immediately seems the kind of oversight that would have the POTENTIAL at least to affect multiple systems.
And yes, I realize that Windows drivers written by third-parties have been targetted, I find it amazingly amusing the native Windows drivers have been determined not to have this issue
---"What did I say that sounded like 'Tell me about your day?'"---
There actual advisory from @stake that the article quotes can be found here - it's got a few more technical details and code fragments from the Linux kernel, but there's not really much else to say.
It also shows sample frame captures illustrating leakage of HTTP traffic.
Meep meep
At least it isn't a dupe...
Error:
"Interesting fallacy: Microsoft Windows is mentioned as "not vulnerable"."
It says Microsoft Corporation is not vulnerable, since they don't manufacture an ethernet card, this is not very surprising.
This is a problem with ethernet drivers not, and I repeat _not_, an Operating System problem.
At best all this says that all Microsoft written network drivers are not vulnerable. You will need to check the vendor of your network card, or the chipset manufacturer if you have a no name card, and there are reference drivers available.
The article submitters now can't be bothered to read the articles? You know, the bit in the article where it says "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."!?
Back to more important issues, like the actual content of the article ... I'm reading linux/net right now, anyone have any definite answers, and could point me to (say) source for where we do do this?
That list is pertaining to the Hardware manufacturers, and I would assume the OS integrated drivers. Even those are usually packaged in the OS were provided from the manufacturers.
Since almost all ethernet cards are similar, you'd expect that most people would be affected. Nice to see that everyone gets equal billing, and we can all be hacked. Of course, everyone just assumes it's Windows. I know I'll get Flamed or what not for it, but even windows didn't mess up how the Ethernet standard worked. They just messed up how things access it.
So someone on your network might be able to read small bits of previous packets or just random memory addresses. Who really cares? Why is this even a problem?
Microsoft makes Ethernet cards. They currently ship their "100/10 Broadband adapter", in PCI and USB flavors, and used to ship cards years ago.
And MS hardware has always been a positive thing, like the Sidewinders and the Mice, but I'll admit I've never tried their Network Cards. But I don't use No-Names either, so it balances out.
buy the #'s?
see also: payper liesense stock markup FUDge peddlers strike IT ?rich? despite ?hard times? being ?had? buy all?
see also: shrub0nomic profomulahs still used buy stock markup frauds.
see also: bill&art's accelleNT ADventure?
see also: va.msn.net, ticker: (VAST)?
...of what Microsoft actually had to say on the topic and bet your butt that some card manufacturers based their drivers on the flawed examples. In short, as usual, many Windows systems are vulnerable and Microsoft are duckshovelling again, or should I say `as always'? Dollars to doughnuts Windows does this on other layers as well. Still, not as bad as dear old RSTS, where reading the NL: (null) device got you whatever entire disk block was last read by anyone on the system, and the password file was read often.
Got time? Spend some of it coding or testing
Great. I don't mean to sound like a troll, but @stake is really stretching for publicity here. 46 bytes? Do you realize how small the padding is? Yes, it's enough for a password, but keep in mind, that padding being sent out is transmitted from OLD FRAMES. These items have been transmitted before. Guess what kids? If you observe secure computing practices, such as using a encrypted login method (ssh comes to mind) and you mind your standard p's and q's, this problem should never be a PROBLEM. I am sorry, but as a professional that researches this stuff, I have to rate this vulnerability as a "really really low" and keep plugging on. In a perfect world, we would grab from urandom/random/null but this isn't a perfect world. Lets focus on remote root compromises, remote "system/admin" compromises, and lets also focus on getting IIS away from the industry. These are the REAL problems. Someone wake me up when @stake has a real advisory to give, something excellent that we are used to seeing from them, besides this trivial fluff they are going to over-hype.
/. but this will be the same position I give the Fortune 500 company I work for. /me wonders if my VP will mod me "troll" or "flamebait" =P
Mod me however you want, I'm a coward to
...where do you want your data to go today? Oops, sorry! (-:
Got time? Spend some of it coding or testing
RFC1042 says "When necessary, the data field should be padded (with octets of zero)to meet the IEEE 802 minimum frame size requirements."
RFC 2119 says "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
(8-DCS)
I am not a security expert. In fact, my knowledge comes from Slashdot. So God help me. But is this vulnerability really useful to a hacker? If I understand it, because padding is not properly implemented, the hacker MAY receive some random data at the end of the 48 byte data. I realize there are people who have the patience to tape together shredded documents so they can read them, but in this case the hacker cannot ensure that the random pieces of data that he will receive even belong to a single "document." So my question, is this a theorectical vulnerability that would be extremely difficult to use, or is it demonstratable that a hacker could easily obtain useful information?
...`fix' your machine into the deck at terminal velocity. Trustworthy Computing at its best!
Got time? Spend some of it coding or testing
I am sure someone will rush to correct me if I am wrong about this.
In Murphy We Turst
Just a guess...
Got time? Spend some of it coding or testing
What makes you think this topic was an accident? I have a hunch that the /. editors posted this as an anti-microsoft blurb on purpose. With that in mind they didn't need to read the stinking article.
If you look at recent "environmental" "news" they've put up on here they've done the same sort of thing: did not read the target article or totally disregarded it and added their own political opinion.
Hemos has an anti-Microsoft axe to grind. Not that I blame him there but I think he's a wee bit too eager.
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Linux Geek - "Since they don't specify the OS, I'm assuming these are drivers for Windows."
Article - "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
I figured they might have dabbled a bit in the past (Hell they made a cordless phone), but I've never seen one over here in Australia. With the Xbox I thought they may have dabbled again.
The main point was that it is the drivers not the OS, I own a SideWinder 3D Pro joystick, that is still going strong, the throttle isn't as smooth as it used to be but otherwise it has been a accurate long serving piece of hardware. Their mouse are also very good. I've always wondered how they can have poor software QA when their hardware is for the most part (Some of the first batch of Optical mice were slightly dodgy, corrected in next revision) good.
Perhaps, since the site only speaks English, they meant to say `i1n'?
Got time? Spend some of it coding or testing
Cisco's Status/Statement
and
Full CERT Advisory
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
By the way, you misspelled "blatant", and the use of HTML tags obviates the need of ugly all-caps messages :)
Sorry, I usually don't feed the trolls ... it's 730am, I've been up for almost 24 hours, and I'm waiting for a drive to badblock ^^;
You know Linux will have a simple fix ready within a few days.
You think Billy Gates will get off his duff and fix this?
$80 for the new version Win YP, then maybe, if you are lucky it has the fix (and a whole new list of bugs).
MS people are such fools. One born every day!
Great, first we had users who posted replies without reading the articles.
Then we had editors who posted articles without checking if they had already been posted.
Now we have users who submit articles that are neither read by the user nor the editor before being posted.
What's next? The person who writes the article doesn't read it before a user sees the link, submits it for an editor to post twice in the same day?
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
Actually, I only know that they make these because I ran into one of their access points. Everything I've seen about their Wireless stuff seems to be positive.
Their Games and their Hardware has always been unique, innovative and stable. I just figured they were getting prepared for the Monopoly split, by putting all the good eggs in one basket.
Consider the length of time this so-called vulnerability has lurked in the device driver code for all those operating systems, than ask why no one discovered the problem sooner. Could it be that there's nothing to be worried about?
I'm guessing this problem has gone undetected so long because uber-short frames don't naturally occur on most Ethernet installations. Networks typically send real data, not empty frames, that's why we build them in the first place. You have to intentionally generate super-small frames if you want to see them. All the examples @Stake provides are based on ICMP Echo/Echo Replies, where you can specify the packet length at the command line. Show me some real network traffic that exhibits this problem, than I'll start to worry.
Still not convinced? Well, consider that you can't exploit the issue beyond even a single router, and that the vulnerability in most cases is just rehashed data, stuff that's already gone out on the wire. How big a security issue is that? Seems like the least of my problems. I'd worry more about one un-patched system on the network or one stupid marketroid opening a TELNET secession to the web server than I'd worry about this.
I'm going to go out on a limb here and declare this a non-issue. I'm sure the guys over at @Stake are happy to have something to show their bosses (and the media) so soon after the holidays, but it just doesn't look very serious from where I'm sitting.
I'm sorry, but this is uninformed spouting of the mouth.
SSH private keys never even get near the ethernet stack.
If the driver programmers are as lazy (or efficient...) as the article claims they are, these stray bytes are from other offsets in the stack, thus comprising parts of older (or perahps yet unhandled) frames, which incidentally, contains information from packets you could have sniffed wholly on that segment. Why they would randomly allocate memory right adjacent to user space data segments or the file buffer cache, i'll never know (hint: IT DOESN'T)
Also, SSH takes care to overwrite old buffers containing the private key when it finishes with it too.
What no one has mentioned yet which is the real vulnerabiltiy is that this attack can be mitigated by any device which can reach a vulnerable client with an IMCP ECHO request and get a reply. Some network configurations allow IMCP to flow freely, including to the internet, thus machines inside may be at risk when they thought they might have been safe on a private network segment (using unencrypted protocols, telnet, etc.).
Solution? Block IMCP if you don't need it. Or ensure the firewall is using a non-vulnerable driver/device and have it "rewrite" all the packets (this may be imperative, but it could depend on implementation).
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Sorry I'm being vague, but a person who is competent at socket programming will _probably_ know what I'm talking about. So I'm curious, is this the same problem we read about here that I encountered, or is it just a misunderstanding of mine into the details of socket programming? I'd love to understand.
Thanks
This is getting pretty old.
I can deal with unprofessionalism on Slashdot (dupes, unverified sources), since it's really not a professional journalistic news source and has never claimed to be. I can deal with bias against Microsoft, the U.S. government, corporations, Red Hat, Church of Scientology, etc. because no one ever said the editors were being objective. I can deal with regurgitated Register posts and the constant WSJ (free registration required!) posts.
What I can't deal with are article submissions being approved when the submitter doesn't read the article they are submitting *and* making unfounded biased FUDish comments about it. The editors not reading the article and commenting on it in the blurb is bad enough.
It's embarassing to ever point anyone else to Slashdot and it's very hard to take it even the slightest bit seriously.
The firm I was workign for at the time noticed this 6 years ago on AIX.
We informed CERT/IBM - nothing happened.
NOW it it makes all the headlines.
what impact does it have - none, unless the stuff in the PADing area contains the unencrypted data that was originally send encryped. Or am I missing something like I normally do?
>> Since they don't specify the OS, I'm assuming these are drivers for Windows.
Whenever I read "memset", I think aloud "unix".
Windows programmers talk about ZeroMemory and FillMemory, not memset. In drivers, that would be RtlZeroMemory and RtlFillMemory.
memset exists for compatibility, but it's just a wrapper around FillMemory.
Secondly, for security reasons, Windows ensures that no app will ever find remnants of another app's data in its memory space (all allocated memory is erased before is't given to the requester), which significantly reduces the risk that sensitive data would be transmitted.
Normally, if the app passes it less than 46 bytes of data, the driver would have to copy it to its own buffer space at the lowest execution level to avoid hitting addresses that aren't mapped to physical memory later (would cause a BSOD if it happened above dispatch level).
If that buffer is allocated dynamically it would be empty, if it's static it would contain some part of the previous packet - not so much risk of finding sensitive data there, since it's just repeating something that has already been on the network.
BTW, the CERT advisory contains a long list of checked systems. There are only six names where it says "Not Vulnerable", and one of those six is Microsoft, so heck yeah, please keep feeling safe because *n*x is so damn secure by defi^H^H^H^H religion.
Yes there is. It's called "administrator".
Best Slashdot Co
I think it's unfortunate. Slashdot could be a nice statement about independent journalism. Instead it's a nice statement on the laziness of our societies :)
Admittedly this is worst on the unedited front page. I've seen a few redeeming articles recenty. Don't remember what they are :)
A new low, indeed.
I guess Slashdot has gotten to the point where they're so desperate for hits that they have to rely on people bitching about slashdot, rather than even pretending to have integrity.
They've got about as much credibility as the RIAA at this point. If it weren't for the comments, they wouldn't have anything at all.
Egad! This marks a new low as I was foolish enough to think that even a /. editor could spell 'in' correctly.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
If you don't know why by now, you haven't been paying attention.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Obviously they fucked up, but I think that your assumption about what Hemos meant is out of whack.
Most "pulp tech" articles are 1. about windows and 2. assume that the only system that you, the reader, are aware of is windows.
So, if an article of this type doesn't specifiy a system (which this one, of course, did) one would assume that it is about windows.
Make sense?
God, I can't belive that I am defending Hemos with his "iln".
-Peter
Microsoft became responsible for other people's code the moment they got into the business of signing other people's code.
Good point. I hadn't thought about that at all. Although, it looks like all you need to do to get your driver signed is submit it to Microsoft's "Windows Hardware Quality Labs" for testing, and do some packaging.
Unfortunately, MS' website doesn't seem to say much about what WHQL actually does. Further investigation on that website seems to reveal that the signature only means that a driver is "compatible" with a Windows release, and that not installing unsigned drivers "may prevent problems such as ... system instability". So, in the end, signed drivers are compatible with Windows and should be more stable than the unsigned. Oh, and that this copy is unmodified from the copy WHQL got. It seems Microsoft doesn't read too much into what its signing policy means for driver quality beyond "does it install, and will it crash?" ...
I was hoping I could find some sort of agreement for the end-user on what driver signing means to them, but not so quickly, at least.
I was more refering to the pointless "M$" bashing. There are plenty of *real* reasons to find fault with Microsoft. What I'm pointing out is the constant wave of entirely baseless bashing. While the handful of *nix bigots out there might enjoy it, I find it's foolish to substitute real news with crap from the "I think M$ suks 2, can I hang around with you kool Linux people now" children.
stdout might not be writable
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
this attack can be mitigated
Mitigate is not the word you are looking for.
mitigate, v: To make less severe.
This moderation is bullshit. the parent is not a troll, it is 100% correct. dumbass moderators. or maybe it is the editor's moderation doing this..
I've found another similar vulnerability in Windows IP stack. I'm sure that I am not the first to discover this but, it has existed for a long time and has never been fixed. I have verified the vulnerability on all Windows platforms except XP, which I simply haven't bothered to look at.
The "vulnerability" is very similar in behavior to the one described in the article but, is at the IP level rather than the link layer. The vulnerability has to do with padding of IP packets on Windows systems. Windows uses the contents of one of its buffers (sorry I can't say which one) to pad IP packets.
This is very easily reproducable when sniffing ping packets. The data portion of the packets are padded with the contents of the buffer. There are other utilities that demonstrate this behavior as well, but it is most easily reproduced with a simple ping and the bigger the ping packet the more data you'll see.
If you have been using IE and then sniff ping packets, you will see the data from your previous browsing. If you just logged in, you can sometimes find your password padding the ping packets.
As I said I have verified this on all WIndows platforms except XP. I have also looked for it on numerous Linux platforms and have NOT found Linux to suffer the same vulnerability. That is, Linux does NOT appear vulnerable.
Wow, according to this Windows is NOT vulnerable
According to another post here Linux IS vulnerable
Reading the fluff piece isn't good enough. Go to the source and get the real deal.
If you read the actual CERT Vulnerability note and seen that Windows is not vulnerable.
If you read the CERT Vulnerability note and seen that Windows is not vulnerable.">actual vulnerability note itself you'd see that Windows isn't even vulnerable. So it's linux that has to patch a hole Windows doesn't have.
Well Mr. Coward, you didn't bother to find out that Linux is vulnerable but Windows is not. MS has already issued a statement about this but I see nothing from Linux yet. Looks like the shoe is on the other foot now - haha.
I think the point is that the Slashdot editors just like the sound of "I bet Windows is prone to this vulnerability" way too much, and they'll post the story immediately, just to bash Windows.
OTOH, they may take this story off the frontpage now because Windows in itself is not vulnerable, but Linux is...
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
Device Driver Original Description. c A Linux Ethernet device driver for VIA Rhine family chips
3c501.c A 3Com 3c501 Ethernet driver for Linux
3c507.c An EtherLink16 device driver for Linux
3c523.c net-3-driver for the 3c523 Etherlink/MC card (i82586 Ethernet chip)
3c527.c 3com Etherlink/MC32 driver for Linux 2.4
7990.c LANCE Ethernet IC generic routines (AMD 7990 LANCE, local area network controller for Ethernet)
8139too.c RealTek RTL-8139 Fast Ethernet driver for Linux (based on rtl8139.c device driver which is also vulnerable) RTL 8129, 8139 chipsets
82596.c A generic 82596 Ethernet driver for Linux
8390.c A general NS8390 Ethernet driver core for Linux
a2065.c Amiga Linux/68k A2065 Ethernet Driver
aironet4500_core.c Aironet 4500/4800 driver core
am79c961a.c driver for the am79c961A Lance chip used in the Intel (formally Digital Equipment Corp) EBSA110 platform.
ariadne.c Amiga Linux/m68k Ariadne Ethernet Driver
arlan.c This module provides support for the Arlan 655 card made by Aironet
at1700.c A network device driver for the Allied Telesis AT1700
atari_bionet.c BioNet-100 device driver for linux68k
atarilance.c Ethernet driver for VME Lance cards on the Atari
atari_pamsnet.c PAMsNet device driver for linux68k
atp.c Attached (pocket) Ethernet adapter driver for Linux (Realtek
RTL8002 and RTL8012 chips)
bagetlance.c Ethernet driver for VME Lance cards on Baget/MIPS
declance.c Lance ethernet driver for the MIPS processor based DECstation family
depca.c A DIGITAL DEPCA & EtherWORKS ethernet driver for Linux
eepro.c Intel EtherExpress Pro/10 device driver for Linux
eexpress.c Intel EtherExpress 16 device driver for Linux
epic100.c A SMC 83c170 EPIC/100 Fast Ethernet driver for Linux (This driver is for the SMC83c170/175 "EPIC" series, as used on the SMC
EtherPower II 9432 PCI adapter, and several CardBus cards)
eth16i.c An ICL EtherTeam 16i and 32 EISA Ethernet driver for Linux
fmv18x.c A network device driver for the Fujitsu FMV-181/182/183/184
gmac.c Network device driver for the GMAC Ethernet controller on Apple G4 Powermacs
isa-skeleton.c A network driver outline for Linux
lance.c An AMD LANCE/PCnet Ethernet driver for Linux
lasi_82596.c Driver for the Intel 82596 Ethernet controller, as munged into HPPA boxen
lp486e.c Panther 82596 Ethernet driver for Linux
ni5010.c A network driver for the MiCom-Interlan NI5010 ethercard
ni52.c net-3-driver for the NI5210 card (i82586 Ethernet chip)
ni65.c ni6510 (am7990 'lance' chip) driver for Linux-net-3
pci-skeleton.c This driver is for boards based on the RTL8129 and RTL8139 PCI Ethernet chips
saa9730.c SAA9730 Ethernet driver
seeq8005.c A network device driver for the SEEQ 8005 chipset
sgiseeq.c Seeq8003 Ethernet driver for SGI machines
sk_g16.c
smc9194.c A driver for SMC's 9000 series of Ethernet cards
sonic.c
sun3lance.c
tc35815.c
via-rhine
wavelan.c WaveLAN ISA driver
znet.c An Zenith Z-Note Ethernet driver for Linux
Wavelan_cs.c Supports version 2.00 of WaveLAN/PCMCIA cards (2.4GHz)
xirc2ps_cs.c Xircom CreditCard Ethernet Adapter IIps driver
Xircom Realport 10/100 (RE-100) driver.
This driver supports various Xircom CreditCard Ethernet adapters including the CE2, CE IIps, RE-10, CEM28, CEM33, CE33, CEM56, CE3-100, CE3B, RE-100, REM10BT, and REM56G-100.
OK, here is the mini howto:
;)
...
At console nr. 1 run:
tcpdump -x src 10.0.0.1 and icmp
(dump all icmp packets from 10.0.0.1 with hex output (option -x))
at console nr. 2 run:
ping -s 1 10.0.0.1
(send ICMP echo request to 10.0.0.1 with requested reply size of 1)
Note: replace 10.10.0.1 with the IP address of your favourite host
Usualy you are going to get one ICMP echo reply for each ICMP echo request. Each ethernet packet is going to be 46 bytes long (minimum ethernet packet length). Forth byte of each packet is the length of the ICMP message inside the packet (this is usualy 0x1D (29) for 1 byte ISMP echo reply). So, the partition of the packet content after 29th byte is padding data. If this data is not all zeroed out there is a good chance that sending host (or one of the routing/bridging equipment betwen you an the sending host) has unimplemented minimum ethernet block size padding.
Enjoy!
P.B. (Post Blogum) I just checked several MS NT 4.0 and MS WP 2000 machines and they send unpaded ethernet packets too! So, to CERT: nuff said
we-go-we-fly
The reason is it's the most obvious way to get the Slashdot editors would post it, even if its 180 degrees from the truth. You don't expect them to actually read the articles people submit do you? Has anyone ever sucessfully submitted a story with a goatse.cx link?
Random is the New Order.
That's the only explanation that makes sense. He's trying to discredit MS-bashers by providing such an excellent example of false and childish anti-MS claims. The original @Stake paper (don't blame me for the format) not only lists vulnerable Linux drivers, it seems to list only Linux drivers. Windows is mentioned exactly once, and only in a vague afterthought kind of way; the focus is on the vulnerability as it exists on Your Favorite OS.
Slashdot - News for Herds. Stuff that Splatters.
Don't forget that after the vendors fixed it, the new drivers have to be re-certified and signed by Microsoft or their Great OSes[tm] will bark on everyone installing them - which wouldn't shine a bright light on the vendor.
Last thing I remember was that having a new driver certified by Microsoft takes several weeks to months.
An interesting question aside: If so many drivers (if you believe in the article's wording) are affected, why did they pass the Microsoft quality/security "certification" in the first place?
Seems to me that their certification tests aren't worth the bits they're written on - probably they just check that the drivers don't crash the system and so on. (well, and sometimes, not even this.)
42. Easy. What is 32 + 8 + 2?
Flaw Found iIn Ethernet Device Drivers
Your headline makes no sense.
This is another example of a so called "security team" finding a minor problem and trumping it up to sound like Armageddon is upon us in an attempt to boost their own visibility and credibility.
Executive Summary of Bug:
Many ethernet drivers on many OSs exhibit this problem. It is possible to send a packet to the target machine which triggers the target machine to send back a very short reply packet. Inside this very short reply packet, there maybe be as many as 30 or so bytes of data that should have been zeros. This data is from some other packet recently sent out by the target machine. This data is:
(1) unlikely to be the data you were looking for (2) extremely short
(3) probably was encrypted before being transmitted the first time if it was truly sensitive information
In the real world, there will probably be many better avenues of attacking a machine than attempting to leverage this exploit. Leveraging this exploit will require a lot of patience and good luck, as well as poor security practices on the target's side to begin with. You have many better things to worry about, move along please.
11*43+456^2
The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected. Why badmouth Microsoft/Windows, when it's clearly a manufacturer/driver-writers issue. Always blaming Microsoft, just lends zero creditability to the worthyness of your point of view. grow up..
Their shipping product didn't contain the hole, but apparently the sample implementation code they sent out to developers did.
Did you install your network card using the CD that came with it? Guess what--you have no way of knowing if you're vulnerable until Microsoft or the card vendor puts out a list and your card is on it. Silence is not safety.
Oh, my eyes, my eyes!!!!!!
Date Notified 06/25/2002
Date Modified 01/09/2003 10:55:58 AM
Status Summary: Not Vulnerable
Vendor Statement
Microsoft does not ship any drivers that contain the vulnerability. However, we have found samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation, and will include tests for this issue in our certification process.
If she floats, she's a witch.
Well, it's been discussed on /. that news sites sometimes edit their stories without notice. So, it's possible that the article didn't include the bit about which systems are vulnerable when the poster submitted the story.
I'm not saying that this what happened in this case. On the other hand, the article is three days old.
Still, I agree with you about the assumption regarding Windows.
they could allow us to comment on a subject before it gets posted!
Worst. Sig. Ever.
This is beyond the limits of my networking expertise, but does this mean it's possible for sensitive client or medical information to be passed in the padding?
If so, it seems that this would be a problem with HIPAA.
Granted, the extra bits of a 46 byte packet isn't much space, but then a social security number is only 9-characters.
That's the way I read it too.
OTOH, the point about articles being updated without noice posted was also apropos. It's *not* clear that they fucked up. They may have, or the article may have been edited.
I think we've pushed this "anyone can grow up to be president" thing too far.
Please furnish one single, solitary example of _completely baseless_ bashing of MS that you have seen here. From what I have seen, they deserve every lick they take, and then some.
"But an ASSUMPTION like above about "Well, there's a problem, it must be Windows!" just makes my ears perk up immediately and want to check the facts. Why doesn't it for the Slashdot editors?"
Because not only do the editors dislike MS, but also because MS richly deserves to never be given the benefit of the doubt, on anything, ever again.
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Windows CAN be vulnerable. Found several locally. Hardware companies using too much Microsoft example code, I imagine.
Simple to exploit.
Mac OS X/Linux:ping -c 1 -s 0 10.10.10.10
Solaris: ping 10.10.10.10 0 1
Windows: ping -n 1 -l 0 10.10.10.10
(where 10.10.10.10 is, of course, target host). Solaris doesn't seem to even want to *send* the echo request with 0 payload. Then again, I didn't investigate that too hard. IOS will definately not let you specify datagram size small enough to exploit (for that matter, it pads the echo request properly, unlike my test Win2k box with Xircom card.
Collect in favorite packet sniffer and observe. In Ethereal, it's added as Trailer under the Ethernet frame. Don't expect it to make sense.
Routers may or may not impede it. Checking about half a dozen local private class C's, I found 20 machines returning frame data. One linux, a few Windows, and a few VoIP devices. Those were crossing a Cisco L3 switch. It sorta routes, it sorta switches. However, as expected, crossing a 7204 easily screws the pooch.
So, for someone on the outside to make use of this, they'll have to break into a machine elsewhere on your network and setup some automatic exploit. To allow that to happen, you've got big troubles already besides already transmitted frame data.
And anyway, 18 bytes of previously transmitted frame data are not much to worry about. If you're not already deploying the basic security that would foil this.. just get out of the game.
Dump the IRS - http://www.fairtax.org
Thanks for letting us know what an utter imbecilic fucktard you are. Hang out with me? Sure, you hang down at the end of the gun range...
Are you on the side of Seth Finklstein? He's a dick. Michael is much more principled than that guy. If not... OK. Move along. Keep your gripes about Michael to yourself pig.
a great many articles/stories done assume windows, and seldom mention any other OS unless it is expicitly stated.
so for most media Computers == Windows.
The Kruger Dunning explains most post on
When I first saw this, I thought to myself, "Surely Steve Gibson's name is on the report somewhere" because this is the sort of lunacy one usually finds his name on.
...and while it's good that the memory leakage is of contiguous bytes (otherwise they'd be entirely useless) seventeen bytes is a _really_ small window for any meaningful data to come through. If you were lucky, you might be able to get part of a (presumeably encrypted) password, or two and a half words from a typical email. It's also possible that fancy arp-foolery would get you *all* the victim's network traffic, making it the long and obnoxious way to go about doing something as simple as sniffing packets.
...What Eweek published about it was downright silly.
Much to my suprise, @Stake's name was on it. Looking further, I see that Eweek has genuinely made a mountain out of a molehill. Seventeen bytes of randomly chosen data can be snatched from a remote machine, provided it's literally in the same building as the attacker, and provided it's got a cheap-o network card. Pardon me while I quake in fear for the safety of the little children.
Why do we have to be in the same building? Because if the packet in question goes through most routers, they're quite likely to crumple the bits up and throw them away because of it's past use as a means for covert communication.
Their statement about it being "trivial to exploit" should have stopped at just saying it was "trivial". It was good of @Stake to bring this to the attention of programmers, although quite possibly publishing in PDF format made it look a little more important than it really is.
Once there are patches available, if you do not apply them, you will be in violation of HIPAA. However, you aren't in trouble if your OS does not yet have a fix available.
HIPAA is pretty forgiving of this sort of predictable technical mishap - one cannot buy anything if products are required to be free of undiscovered flaws! But you are required to follow industry-recognized security practices, and applying all patches for known bugs is definitely covered by that requirement.
Where HIPAA comes down on you like a giant ball-peen hammer is when you knowingly profit from disclosing patient medical records. You'll need a striped suit and some soap-on-a-rope if you get caught doing that. Anything else is not really such a big deal under HIPAA, but of course you set yourself up for civil suit problems if you violate your own security and/or privacy policies (regardless of HIPAA rules).
I wondered the same thing. The only vendor listed as vulnerable was Network Appliance.
The cost in time needed to pad the frame out to 46 bytes is about the same as the time needed to copy the data over from some buffer when the frame actually is 46 bytes. Now if the driver is so high performance that it never copies anything, and is transmitting into hardware straight from the originally queued packet buffer, then yeah, padding to 46 bytes at this point does cost a wee bit. But how often are you sending so many packets less than this size and needing the performance in the CPU? It's not an issue at all with larger packets.
now we need to go OSS in diesel cars
I'm really getting annoyed with these. Editors do something stupid and people comment on it and suddenly, poff, the error is no more.
Out of the box, the VMS account SYSTEM has CMKRNL and SETPRIV privileges, which allow a knowledgeable user logged in as SYSTEM to do all the stuff root can do under unix. However, you can delete that account entirely, or remove these privileges, and VMS still works fine. I have used a VMS box where there were no user accounts with SETPRIV (admittedly an incredibly paranoid site) and the system worked fine.
Ted T'so's work with Linux capabilities is bringing VMS-style security to linux. This is one of the main reasons that linux is NOT unix, it's BETTER than unix. If you don't understand this, research T'so's work, and look into the way Red Hat has stripped all privs from their ntp daemon - except the ability to set the hardware clock, something normally restricted to root.
There is absolutely NOTHING wrong with this being easy to do! Would you prefer to have to do ten complicated steps to accomplish the same task??? It still will not prevent it from being done and will only take more time.
The fault lies in how easy it is to convince most people to assign admin privileges to someone else.
I will, however, agree that administative privileges are handed out many times when not necessary.
---"What did I say that sounded like 'Tell me about your day?'"---
Hmm... Too bad the facts are in your way. Of course, I understand that FUDers don't bother looking at facts.
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
> Since they don't specify the OS, I'm assuming
> these are drivers for Windows."
And I'm assuming Licensed2Hack is 8 years old. I guess our assumptions are worth each other.
Comment removed based on user account deletion
From CERT Advisory:
[...]
MandrakeSoft Unknown 3-Jan-2003
Microsoft Corporation Not Vulnerable 3-Jan-2003
MontaVista Software Unknown 3-Jan-2003
NEC Corporation Not Vulnerable 3-Jan-2003
NetBSD Unknown 3-Jan-2003
NetScreen Unknown 3-Jan-2003
Network Appliance Vulnerable 8-Jan-2003
Nokia Unknown 3-Jan-2003
Nortel Networks Unknown 3-Jan-2003
OpenBSD Unknown 3-Jan-2003
Openwall GNU/*/Linux Unknown 3-Jan-2003
Red Hat Inc. Unknown 3-Jan-2003
[...]
Someone mod the parent down.
He's a troll or a flamebaiter who really doesn't have a clue what he's talking about. (This is from a person who's been coding C++, C and MFC for many years.)
I can't believe nobody (or at least, nobody modded up) has actually read the actual report available in PDF form.
Lots of posts talk about "45 bytes" of information. However, only the extra bytes required to pad up potentially contain leaked data. The examples shown in the report have either 17 or 18 bytes of leaked data.
Just how useful are bytes 27-45 from the start of some previous allocation? Not very.
Thanks to some vagueness in the standards defining IP datagram transmission on Ethernet networks, it's not entirely clear exactly how the padding should be done. Some implementations do it on the NIC, while others handle it in the software device driver
Ding! This means that all NICs that have the problem have that problem under any OS unless the card can be overcome by software. Additionally, "software drivers" under any OS can have the same problem.
Is the problem more likely under, M$ junk? Of course it is. The free software world will move to fix any driver problems, and there are only a few dozen drivers in the world to work the thousands of different brand name cards. The closed source world has thousands of drivers to fix by companies that may not even exist anymore, and because it's closed and the user won't know any better, why would anyone bother?
Of course this completely ignores whole models that are available in the free software world to prevent such problems of untrusted networks in the first place. I don't really care if my NIC pads packets with chunks of the last SSH packet. Encryped noise is just that and you can have as many packets as you like of it. If you played it over a speaker it would sound like this "Shushshhshhhshhhhhshhhhsh!" and I sugest you do shush.
Friends don't help friends install M$ junk.
If I remember correctly, the same problem was found with regard to the padding of arp packets about a year ago in linux drivers.
The Microsoft statement says that Windows doesn't ship with the bug and no 3rd party driver shipped with Windows have the bug but if you build your own driver from their sample code in the Device Driver kit without changes then it is possible that your code could have the bug. And that they're changing the sample code to include the fix in the source. Maybe drawing a conclusion based on what's written would be better than just "MS are weasels"
Heh! What this means is the same thing as always. Your network security is only as good as your weakest link. If you have an M$ box on your local net and someone owns it, as is so easy to do, it can sniff packets from other silly OS that don't use SSH or similar for ALL local comunications. Let's say I type a password on a local computer and that password gets padded into that ethernet frame. Ha, the M$ machine has got you. A more sinister device to leak, would be your "broadband router" box that sits next to your cable modem. If it leaks and you have an owned M$ box on your network, that M$ box can be used to request small packets through the router and thus sniff your whole network's traffic. Failure and comprimise are generally the result of a combination of minor flaws, unless you are M$ and you just make an email client that automatically executes code, sound and what not from unknown third parties. The weak link breaks a chain.
Friends don't help friends install M$ junk.
Obvious but necessary: If articles could be modded (a la kuro5hin), this would have been a -1 Troll....
/. Where the truth
Like other posters have stated, Windows is vulnerable with the NIC drivers being the problem. Microsoft claims it doesn't ship bad drivers but my Xircom CardBus Ethernet II is vunerable (Win2k). I believe I got the driver on Windows Update :).
@stake issued this alert to CERT in late 2001. The delay was caused by CERT's insistence that they take the time to contact all of the OS/driver vendors before releasing.
That's one of the problems with "responsible reporting"; the timelines get all screwed up for those who follow the rules.
First off, the linked eWeek article specifically states:
Not to defend eWeek's journalistic or technical integrity, but they do a pretty good job of summing up the pertinent facts... such as the vulerability affecting the above implementations.
Secondly, This is a Hyperlink. They are sometimes used on the World Wide Web, to link relevant and useful resources together. Had you followed this particular link, you would have found the CERT advisory about the problem AND a link the @Stake's own advisory and white paper about the problem.
Thank you
WHY would you assume that? Just from the blurb the poster included it immediately seems the kind of oversight that would have the POTENTIAL at least to affect multiple systems.
It's called dogmatism.
There's a significant number of Open Source advocates, including nearly all Slashdot editors, who take it as an article of religious faith that Linux has no bugs, Windows has three bugs per line of code, and other operating systems simply do not exist.
Thus, when they see "flaw found in...", they automatically assume it must be in Windows, and if it ever occured in Linux, it must have been fixed a long long time ago.
A Government Is a Body of People, Usually Notably Ungoverned
how about a real world example then. I was developing some cgi apps, and I had a bug that caused an app to segfault as soon as it started (stupid mistake on my part). But I looked at it in ethereal and started seeing strange things (#kernelnewbies):
:) (laforge associated with gnumonks, the org)
. libpcap
Dec 17 13:11:43 Russ|werk: ummm
Dec 17 13:11:53 Russ|werk: I think the irc dcc nat module is leaking information
Dec 17 13:12:08 Russ|werk: I keep seeing irc nicks in unrelated tcp packets
Dec 17 13:12:16 mcp: uh
Dec 17 13:12:17 sarnold: Russ|werk: oy vey
Dec 17 13:12:24 Russ|werk: my webserver is not responing to a cgi request for some reason
Dec 17 13:12:37 Russ|werk: and instead, it returns 5 bytes of randomish payload
Dec 17 13:12:37 sarnold: Russ|werk: what version?
Dec 17 13:12:55 Russ|werk: 2.4.18-rmk4
Dec 17 13:13:08 sarnold: Russ|werk: humm, that might be a known issue then
Dec 17 13:13:35 Russ|werk: I don't remember reading about such a security flaw
Dec 17 13:14:06 Russ|werk: its not always an IRC nick, sometimes, its 04 05 b4 6d 69 (hex)
Dec 17 13:14:43 Russ|werk: which I think might be something in the webserver
Dec 17 13:14:58 Russ|werk: since the host name starts with 6e 65 74 6d 69
Dec 17 13:15:10 Russ|werk: but the webserver should not have access to irc nicks
Dec 17 13:16:30 sarnold: Russ|werk: oooh, the irc conntrack module bug i'm thinking of opened too many ports; no mention of leaking info
Dec 17 13:16:37 -- brodo has quit (Quit: reboot)
Dec 17 13:16:39 Russ|werk: the last vulerability in irc dcc nat was 2.4.18-pre8
Dec 17 13:17:44 sarnold: indeed; but the last bug in conntrack appears to be fixed no earlier than 2.4.19-pre6
Dec 17 13:17:56 -- luca_ has quit (Quit: Cambio server...)
Dec 17 13:20:26 sarnold: Russ|werk: please let harald welte know about this
Seeing this release, I now know what the issue is (the network driver in question is 8139too)
here is a ethereal capture:
http://russ.dhs.org:8000/ircdccnat_leak
As of the time of this post, your comment has 9 replies. So that makes at least 10 people (including me) who read it. Heh.
It is also not clear that all drivers will just re-allocate existing send or recieve buffers but may possibly allocate other unused portions of kernel space. This might include providing information about a previously used IPsec or WiFi session key. Unlike Public-Private keys used during initial handshaking which tend to be 1024 bits in length, session keys tend to be around 128 bits (16 bytes) in length and could be fully revealed in a 46 byte buffer and then used to decode any capture of the previous session.
This really is a nasty exploit. Also, the examples given might lead someone into a false sense of security just by blocking ICMP, the reality is that UDP/IP headers can be as small as 28 bytes leaving room for UDP traffic to also produce this link layer bug.
...you have tons of better ways to do this. Put a key sniffer on his keyboard, or listen to the EM-field of his screen or bug his place. Or simply get a life.
Kjella
Live today, because you never know what tomorrow brings
How much sensitive information could be in less that 46 bytes? Granted, it's a bad programming practice, but seriously, what are the odds that something important like the formula to Willie Wonkas Ever-lasting Gobstopper would be in those padded bytes?
Based on the typical internet usage, I'm guessing they'd get up to 45 bytes of flesh-tone JPEG data, or the words "you to can have up 3 or 4 inches added to yo".
-- You can't idiot-proof anything, because they're always coming out with better idiots.
WHY would you assume that?
Because it mentioned HARDWARE DRIVERS, which everyone knows don't exist for Linux.
Ecce Europa - Web Design for Business
The post of the link itself. The assumption was made that only MS was vulnerable when MS was not vulnerable at all according to CERT. That's pretty baseless.
A lot of equipment in a network uses 9 consecutive 0's as an alarm signal. Hence the telcom standard of using 6 0's then 6 1's as the "pad" (oh and yes you do have to check for 9 legit 0's in a row and make "adjustments") I can see it now every time my nic sends a short packet alarms are going off all over the telco route.. *grin*... the other point is. Just because it does it... doesn't mean it's signifigant. In other words is enough real data leaked and is it leaked in a consecutive manor. Can I reconstruct useful info from this data or is this an over reaction of coulda woulda shoulda maybe might. In other words if I send 10000 packets of data with 1% short that means 10 short packets. Now if this is taken from random data streams on the box in a real time manor then it won't be
:)
A. Consecutive data
B. Enough to construct meaningful information.
I don't really think you have to worry about your credit card numbers being transmitted in the clear here. Now if you have a system that is constantly transmitting (a number of systems do, do this ) then you do have a serious leak. In two seconds of continuous transmission a lot of data can get out if it's 100% padding. Maybe we can finally get the source code to M$ this way by monitoring what comes out of Redmond
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
here you go. First of all, the article wasn't even true. Second of all, even if it was true, there is nothing to backup a "Microsoft is bad" claim from it - but that's what everyone did.
Microsoft does not ship any drivers that contain the vulnerability. However, we have found samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation, and will include tests for this issue in our certification process.
My reading: Microsoft doesn't make any vulnerable drivers (Microsoft doesn't make (m)any Ethernet drivers). Their sample code is vulnerable, and in the future they will be testing drivers for this bug before certifying them. -- Current MS certified drivers May be vulnerable -- especially if they used MS's suggested code snippet.
In short, YMMV.
OS Software is like love: The best way to make it grow is to give it away.
Liar lair pants on fire!
Should I click on that pop-up now?
This is simply not true. See this article for details.
So an attacker could get chunks of (theoretically) up to 45 bytes from one of several sensitive sources. That sounds pretty bad, right? But wait - how does the attacker know what source the data came from? Even investigating source code to determine which of the sensitive sources it is, the data will either (a) be the same every time, in which case the exposure is very small, or (b) only tell you the general method for allocating the space which contains the sensitive data and therefore the kinds of things it *could* contain. The big BUT here is how does an attacker know what to do with the data? Sure, it *COULD* be your SSH private key, but how would anyone distinguish that from either the other thousands or millions of bytes he'll have to sift through or the other thousands of potentially sensitive pieces of data it could be? You can't really tell the difference between a public key, a private key, the value of the static variable foo, the address of the stack pointer last week Tuesday at 12:16:22.655am and data from an image of what the user ate for breakfast this morning. Therefore this bug is just that - an annoying bug. As a vulnerability it's right up there with the Michaelangelo virus in terms of threat severity; ie, it's not one.
Unless you've personally tested your driver, I'd play it safe and go with the statement of the publishers: Linux, NetBSD, and Windows are vulnerable.
You also seem to wish that Linux would relase a statement. Linux cannot release a statement. Linus can. Red Hat can. Mandrake can. Linux cannot. Windows cannot. Cobol cannot. VB Script cannot.
Looks like the shoe is on at least three feet now, but some of the feet appear to be in denial. Oh, and "haha" doesn't help your post look informed or intelligent.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
(Patch mangled due to lameness filter - sorry)
This message sent via this patch. I feel much better knowing the three feet of ethernet cable from my PC to my DSL modem is safe.
More seriously, many DSL systems use transparent ethernet encapsulation, so those padding bytes could be going outside your building, and the buffers they originally came from may have been received on another, internal, network i/f.
S.
The real trolls in this discussion being the "it must be windows" submitter and the "this is going to make sparks" editor that accepted it, of course.
...you might as well skip the Xmas celebration completely, and instead
sit in front of your linux computer playing with the all-new-and-improved
linux kernel version.
-- Linus Torvalds
- this post brought to you by the Automated Last Post Generator...