Slashdot Mirror
Flaw Found iIn Ethernet Device Drivers
Licensed2Hack writes "Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks.
Seems the device driver writers couldn't be bothered with a memset() call. Eweek has their typical (puffy, low on tech details) take on it here.
Since they don't specify the OS, I'm assuming these are drivers for Windows." It's actually Linux, *BSD, and Windows.
the flaws are in linux drivers too. Who knows, you might even want to read the article.
...."iln" story title
From the article (in case you haven't read it):
"The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
Straight from the article
OK, it's slashdot, so we expect people to post comments without reading the article, but it's a little ridiculous that the submitter didn't even bother.
Anonymous Coward writes "English speakers have discovered a serious flaw that may be present in many Slashdot editors that is causing the devices to broadcast poor journalism over networks. Seems the editors couldn't be bothered with a Spellcheck call. Slashdot trolls have their typical (puffy, low on tech details) take on it here. Since a fault was found, Slashdot is assuming the problem is with Windows."
One wonders whether it would be possible to build a fix into the operating system, or would that be too great an abstraction?
You can find the CERT's take on this here:
http://www.kb.cert.org/vuls/id/412115.
Lots of applications have the same fault, e.g. Microsoft Access doesn't appear to memset so you get what ever happens to be kicking around in memory written to emptyness in the database.
Also Access doesn't clean out deleted data.
thank God the internet isn't a human right.
The Cert advisory says that MS doesn't ship any drivers with this vulnerability. This is a lot different from saying that MS systems are completely uneffected. We're going to have all double check against the actual driver being used by the system (when this list is complete of course) to find out if we are particularly affected by this.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
If this bugs you, just make a change to the link layer drivers. Pad with nuls again, like it is supposed to, rather than garbage data. The downside to this is there will be a speed hit, since you are wasting time fscking with small packets to make sure they are secured. But, given the speed of modern systems vs the speed of ethernet, I highly doubt you'll notice.
Honestly, the big problem here is going to be MS. I doubt they'll introduce a fix at all.
It could be enough for someone to snag the SSH private keys for a connection.
Of course, since you have to read ethernet packets, they'd either be listening to traffic on a VPN, or they'd be on their target's LAN.
More reasons to be afraid of your company's BOFH.
What's this Submit thingy do?
@stake's advisory release:0 10603-1.txt
t stake_etherleak_report.pdf
http://www.atstake.com/research/advisories/2003/a
And their etherleak report PDF:
http://www.atstake.com/research/advisories/2003/a
Oh my God, they were right all along ;)
here is a bugtraq thread from a year ago, describing a similar sounding problem...
ex$$
Just tested this with Ethereal on W2K.
The command 'ping -n 10 -l 1472 ' sends a packet that's padded with 'abcd...uvwabcd...uvwabcd'.
The echo reply is padded with the same characters, apparently just pulled from the request and stuck in the reply. So far I've tried pinging W2K, HPUX, a Cisco router, and a Debian box. All return the contents of the initial request as padding.
Is there more to replicating this than they let on? Or are they just full of poop?
Now OpenBSD will have to change their tagline, again.
Only one remote hole in the default install, in more than 7 years! Oh yeah, and 1 hole embedded in the Ethernet dri...
"Shit. We ran out of space on the CD cover."
Talisman
Wanna get pissed?
"Study your math, kids. Key to the universe." -The Archangel Gabriel
Why is this "devastating"? People can sniff ethernet networks anyway? People don't rely solely on a switch for your network security, right?? (Who am I kidding? Of course someone does. Sigh.)
Funny, I am careful about checking my facts, and I am assuming that only 5 people will read my post. I would hope I would put a LITTLE more effort into my fact checking tho if I thought it was going to get 1,000,000 hits.
Since the poster and the editors don't check their facts, I am assuming they don't.
Slashdot is the first site I hit for tech info. And typically, while exagerrated, the attacks on MS have basis at least.
But an ASSUMPTION like above about "Well, there's a problem, it must be Windows!" just makes my ears perk up immediately and want to check the facts. Why doesn't it for the Slashdot editors?
WHY would you assume that? Just from the blurb the poster included it immediately seems the kind of oversight that would have the POTENTIAL at least to affect multiple systems.
And yes, I realize that Windows drivers written by third-parties have been targetted, I find it amazingly amusing the native Windows drivers have been determined not to have this issue
---"What did I say that sounded like 'Tell me about your day?'"---
At least it isn't a dupe...
Error:
Great. I don't mean to sound like a troll, but @stake is really stretching for publicity here. 46 bytes? Do you realize how small the padding is? Yes, it's enough for a password, but keep in mind, that padding being sent out is transmitted from OLD FRAMES. These items have been transmitted before. Guess what kids? If you observe secure computing practices, such as using a encrypted login method (ssh comes to mind) and you mind your standard p's and q's, this problem should never be a PROBLEM. I am sorry, but as a professional that researches this stuff, I have to rate this vulnerability as a "really really low" and keep plugging on. In a perfect world, we would grab from urandom/random/null but this isn't a perfect world. Lets focus on remote root compromises, remote "system/admin" compromises, and lets also focus on getting IIS away from the industry. These are the REAL problems. Someone wake me up when @stake has a real advisory to give, something excellent that we are used to seeing from them, besides this trivial fluff they are going to over-hype.
/. but this will be the same position I give the Fortune 500 company I work for. /me wonders if my VP will mod me "troll" or "flamebait" =P
Mod me however you want, I'm a coward to
RFC1042 says "When necessary, the data field should be padded (with octets of zero)to meet the IEEE 802 minimum frame size requirements."
RFC 2119 says "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
(8-DCS)
I am sure someone will rush to correct me if I am wrong about this.
In Murphy We Turst
Cisco's Status/Statement
and
Full CERT Advisory
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Great, first we had users who posted replies without reading the articles.
Then we had editors who posted articles without checking if they had already been posted.
Now we have users who submit articles that are neither read by the user nor the editor before being posted.
What's next? The person who writes the article doesn't read it before a user sees the link, submits it for an editor to post twice in the same day?
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
Consider the length of time this so-called vulnerability has lurked in the device driver code for all those operating systems, than ask why no one discovered the problem sooner. Could it be that there's nothing to be worried about?
I'm guessing this problem has gone undetected so long because uber-short frames don't naturally occur on most Ethernet installations. Networks typically send real data, not empty frames, that's why we build them in the first place. You have to intentionally generate super-small frames if you want to see them. All the examples @Stake provides are based on ICMP Echo/Echo Replies, where you can specify the packet length at the command line. Show me some real network traffic that exhibits this problem, than I'll start to worry.
Still not convinced? Well, consider that you can't exploit the issue beyond even a single router, and that the vulnerability in most cases is just rehashed data, stuff that's already gone out on the wire. How big a security issue is that? Seems like the least of my problems. I'd worry more about one un-patched system on the network or one stupid marketroid opening a TELNET secession to the web server than I'd worry about this.
I'm going to go out on a limb here and declare this a non-issue. I'm sure the guys over at @Stake are happy to have something to show their bosses (and the media) so soon after the holidays, but it just doesn't look very serious from where I'm sitting.
The firm I was workign for at the time noticed this 6 years ago on AIX.
We informed CERT/IBM - nothing happened.
NOW it it makes all the headlines.
what impact does it have - none, unless the stuff in the PADing area contains the unencrypted data that was originally send encryped. Or am I missing something like I normally do?
this is uninformed spouting of the mouth.
you mean his post, or yours?
Block IMCP if you don't need it
Ahem; if you run TCP/IP, you always need it.
ICMP is used for control messages between systems - it's used for control messages (the 'C' and 'M' in ICMP) for TCP and UDP packets.
Without ICMP, your connections can take longer, or (in some cases) not work at all. All modern OSes support path MTU discovery - and PMTU discovery relies on ICMP messages. If you block these messages, your clients will be unable to reach sites if part of your path to them has a smaller MTU than the MTU of your local interface.
You may know a lot about SSH, but you don't know squat about TCP/IP. ICMP is used for more than just 'ping'.
If you don't know why by now, you haven't been paying attention.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Windows programmers talk about ZeroMemory and FillMemory, not memset. In drivers, that would be RtlZeroMemory and RtlFillMemory.
memset exists for compatibility, but it's just a wrapper around FillMemory.
memset is a standard C library function. Here's a hint: the standard C library exists under Windows, too. I have never called ZeroMemory or FillMemory, period.
Secondly, for security reasons, Windows ensures that no app will ever find remnants of another app's data in its memory space (all allocated memory is erased before is't given to the requester), which significantly reduces the risk that sensitive data would be transmitted.
please keep feeling safe because *n*x is so damn secure by defi^H^H^H^H religion.
Here is a clue for you.
This is about drivers, leaking kernel memory, not drivers leaking application memory.
Drivers are not applications, since drivers run in kernel space. Since memory is generally allocated in Linux by mmapping files, applications can not get "garbage data" from the operating system.
memset is part of the ISO/IEC 9899 standard for the C programming language. If your Windows library doesn't have it, complain to your vendor. This has nothing to do with Unix vs. Windows.
Han-Wen Nienhuys -- LilyPond
I've found another similar vulnerability in Windows IP stack. I'm sure that I am not the first to discover this but, it has existed for a long time and has never been fixed. I have verified the vulnerability on all Windows platforms except XP, which I simply haven't bothered to look at.
The "vulnerability" is very similar in behavior to the one described in the article but, is at the IP level rather than the link layer. The vulnerability has to do with padding of IP packets on Windows systems. Windows uses the contents of one of its buffers (sorry I can't say which one) to pad IP packets.
This is very easily reproducable when sniffing ping packets. The data portion of the packets are padded with the contents of the buffer. There are other utilities that demonstrate this behavior as well, but it is most easily reproduced with a simple ping and the bigger the ping packet the more data you'll see.
If you have been using IE and then sniff ping packets, you will see the data from your previous browsing. If you just logged in, you can sometimes find your password padding the ping packets.
As I said I have verified this on all WIndows platforms except XP. I have also looked for it on numerous Linux platforms and have NOT found Linux to suffer the same vulnerability. That is, Linux does NOT appear vulnerable.
If you read the actual CERT Vulnerability note and seen that Windows is not vulnerable.
Don't forget that after the vendors fixed it, the new drivers have to be re-certified and signed by Microsoft or their Great OSes[tm] will bark on everyone installing them - which wouldn't shine a bright light on the vendor.
Last thing I remember was that having a new driver certified by Microsoft takes several weeks to months.
An interesting question aside: If so many drivers (if you believe in the article's wording) are affected, why did they pass the Microsoft quality/security "certification" in the first place?
Seems to me that their certification tests aren't worth the bits they're written on - probably they just check that the drivers don't crash the system and so on. (well, and sometimes, not even this.)
42. Easy. What is 32 + 8 + 2?
Oh and I might add that this won't work over an IP connection only (e.g. across the net). You need to be on the same ethernet segment as the target. This greatly limits the usefulness again. While we're at it, if you were on their segment, and it's not switched, you likely already are seeing every packet the target machine transmits anyways. Oh and by the way, there's exploits out there already to make most switches give up this data as well, so in all likelyhood this gained you nothing.
11*43+456^2
When I first saw this, I thought to myself, "Surely Steve Gibson's name is on the report somewhere" because this is the sort of lunacy one usually finds his name on.
...and while it's good that the memory leakage is of contiguous bytes (otherwise they'd be entirely useless) seventeen bytes is a _really_ small window for any meaningful data to come through. If you were lucky, you might be able to get part of a (presumeably encrypted) password, or two and a half words from a typical email. It's also possible that fancy arp-foolery would get you *all* the victim's network traffic, making it the long and obnoxious way to go about doing something as simple as sniffing packets.
...What Eweek published about it was downright silly.
Much to my suprise, @Stake's name was on it. Looking further, I see that Eweek has genuinely made a mountain out of a molehill. Seventeen bytes of randomly chosen data can be snatched from a remote machine, provided it's literally in the same building as the attacker, and provided it's got a cheap-o network card. Pardon me while I quake in fear for the safety of the little children.
Why do we have to be in the same building? Because if the packet in question goes through most routers, they're quite likely to crumple the bits up and throw them away because of it's past use as a means for covert communication.
Their statement about it being "trivial to exploit" should have stopped at just saying it was "trivial". It was good of @Stake to bring this to the attention of programmers, although quite possibly publishing in PDF format made it look a little more important than it really is.
Thanks to some vagueness in the standards defining IP datagram transmission on Ethernet networks, it's not entirely clear exactly how the padding should be done. Some implementations do it on the NIC, while others handle it in the software device driver
Ding! This means that all NICs that have the problem have that problem under any OS unless the card can be overcome by software. Additionally, "software drivers" under any OS can have the same problem.
Is the problem more likely under, M$ junk? Of course it is. The free software world will move to fix any driver problems, and there are only a few dozen drivers in the world to work the thousands of different brand name cards. The closed source world has thousands of drivers to fix by companies that may not even exist anymore, and because it's closed and the user won't know any better, why would anyone bother?
Of course this completely ignores whole models that are available in the free software world to prevent such problems of untrusted networks in the first place. I don't really care if my NIC pads packets with chunks of the last SSH packet. Encryped noise is just that and you can have as many packets as you like of it. If you played it over a speaker it would sound like this "Shushshhshhhshhhhhshhhhsh!" and I sugest you do shush.
Friends don't help friends install M$ junk.