Slashdot Mirror


Unhealthy Sniffing

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."

49 comments

  1. other uses than spying. by gl4ss · · Score: 4, Informative

    network sniffers are useful for other things as well.

    just this spring had to use ethereal on one networking course to follow ethernet packets, which computer was asking what from who, how the router affected the packets and how a hub is different from a switch (all in all quite basic stuff but still it was quite useful for gaining insight into the different protocols in a real-world-like situation)..

    how about the windows port?

    --
    world was created 5 seconds before this post as it is.
    1. Re:other uses than spying. by silvercloak · · Score: 5, Informative

      The article makes this clear: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

    2. Re:other uses than spying. by dmayle · · Score: 1

      I agree wholeheartedly. I write systems management software, and my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...

    3. Re:other uses than spying. by Anonymous Coward · · Score: 0

      network sniffers are useful for other things as well.

      just this spring had to use ethereal on one networking course

      Thanks so very much.
    4. Re:other uses than spying. by firewrought · · Score: 1

      network sniffers are useful for other things as well.

      I was surprised to learn that a Windows port of Ethereal was packaged and deployed to our shared apps installation environment. Surprised because we're a pretty large and conservative company, and non-computer types are quick to find the potential downsides to a tool and categorize it as evil before the good side can be seen.

      Anyways, Ethereal has been very helpful for exploring a variety of problems w/the different software we fool with. This gives us another way to "peer inside the box" of proprietary applications. For instance: Crystal Reports is a reporting package that has a "subreports" feature. A subreport can be an external file that Crystal pulls in every time you open the main report. The troublesome thing is that Crystal doesn't tell you where the external file is located. But w/Ethereal, we can see the files being pulled over the network. This was an invaluable shortcut to figuring out what the hell was going on.

      I appear to be on a switched ethernet segment, so I'm not in danger of breaking anyone's privacy if I were to use the tool in promiscuous mode (like I sometimes did in college :-).

      --
      -1, Too Many Layers Of Abstraction
    5. Re:other uses than spying. by RevDobbs · · Score: 1

      . . . my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...

      Same here... although my idea of "significant traffic" is new pr0n sites that the comptroller hasn't told me about yet..

  2. passive scanner by climberkid · · Score: 1

    Will ethereal work as a passive scanner? Like used to grab packets from a MAC filtered wi-fi network that you do not have access to?

    1. Re:passive scanner by Anonymous Coward · · Score: 0

      Yes. As long as your NIC is in monitor mode.

    2. Re:passive scanner by Elwood+P+Dowd · · Score: 3, Interesting

      The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to affect the network, as far as I understand it (not very far).

      I imagine that the right way to do passive wifi scanning would require support from your driver and hardware, to ensure that you were not transmitting any packets at all.

      And no, I don't know anything about Ethereal. I'll shut up now.

      --

      There are no trails. There are no trees out here.
    3. Re:passive scanner by Anonymous Coward · · Score: 3, Interesting

      The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to affect the network, as far as I understand it (not very far).

      Yea, but a common way to configure the sensors is to have one side plugged into the "trusted" internal network and the other side as an un-addressed interface in promiscuous mode. Ideally this would prevent someone on the outside from ever hopping into your internal LAN, but even if you cut the tx leads, the recent vulnerabilities in snort and I assume ethereal would allow a remote attacker on the untrusted network to exploit your sensor and gain access to your internal net which undoubtedly has access to the Internet through some mechanism to talk back to the attacker. Lovely. Moral of the story is to use an isolated admin net for the sensors so if they get compromised, no big deal.

    4. Re:passive scanner by DES · · Score: 5, Informative

      The right way to do passive scanning is with an ethernet cable that has the tx leads removed.

      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external transceiver, but nobody uses those any more.

      In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

      (I write network analysis software for a living)

    5. Re:passive scanner by Elwood+P+Dowd · · Score: 4, Funny

      (I write network analysis software for a living)

      I write VB front ends to SQL databases for a living.

      I'm going to go with you on this one.

      --

      There are no trails. There are no trees out here.
    6. Re:passive scanner by Hast · · Score: 1

      IIRC I've read reports that you can "un-twist" the TX cable-pair and that will destroy the signal while still providing enough to make the switch keep the port open. Some experimentation may be required though.

    7. Re:passive scanner by Rick.C · · Score: 2, Informative

      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all.

      It's true that you can't just cut the tx wire, but you _can_ rig it so a hub can see it but no xmit will occur.

      Search google for "sniffer +stealth". There is a site with plans to build a non-transmitting cable. It also discusses the theory of how it works. (I can't verify a link because those kinds of sites are blocked here at work.) It involves cutting _one_ of the TX wires and inserting a capacitor in series to form a hi-pass (or is it low-pass?) filter. This causes the hub to see all "1" bits (and out of parity) from the NIC. The hub will turn on the link light even though it never gets good data, so then the NIC can receive just fine.

      I've built one of these into an inline RJ-45 coupler and it works great. As explained on the site, the value of the capacitor depends on the ethernet speed, so it's different for 10mb or 100mb.
      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    8. Re:passive scanner by Anonymous Coward · · Score: 3, Informative

      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external transceiver, but nobody uses those any more.

      In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

      (I write network analysis software for a living)
      Ok.. UTP 101.. let's use EIA/TIA568B FastEthernet here (toss this out if you're sniffing GigE traffic)...

      pin 1 -> white/orange
      pin 2 -> orange
      pin 3 -> white/green
      pin 6 -> green

      Following traffic from switch to host, the pins are as follows:

      pin 1: RX+ (receives from host)
      pin 2: RX-
      pin 3: TX+ (transmits to host)
      pin 6: TX-

      The *proper* way to do this is start with a normal cable. At the host end, cut into the cable jacketing a little ways up from the terminator and cut the white/orange and orange wires, then solder lead 1 to 3 and lead 2 to lead 6 (white/orange to white/green and orange to green). Do this for the side of the cable headed towards the switch and leave pins 1 & 2 "dangling" to the host. The cable is unidirectional and it can only connect between the switch and host *one way*. This is safer than depending on an unaddressed promiscuous port because there is physically *no way* for data to get to the switch from the host, but the host will see everything on the wire.

      You can get a little more freaky and use a small capacitor inline (I can't recall the value at the moment, but it's specific to the speed of the wire) to simply put too much noise to pass traffic but not so much as to drop the connection, but the solution above works just swimmingly well if you're handy doing small task soldering and wire stripping.

      (I sniff networks for a living)

    9. Re:passive scanner by Anonymous Coward · · Score: 0

      Snort kids do it by creating a tee in the cable, so the 'Alice' and 'Bob' of the normal machine (most likely a gateway or WAN modem) and hub/switch see each other as usual.

      Horribly nasty from an 'electrical' perspective, but apparently your average ethernet PHY can cope. (I've heard relatedly evil tales of wiring UTP without hubs, but I'm not sure I can fathom or believe those.)

    10. Re:passive scanner by Anonymous Coward · · Score: 1, Informative

      A passive tap isn't nasty from an electrical perspective and is trivial to create with 30 minutes and $25 worth of parts from Home Depot and Radio Shack.

      Take four RJ-45 jacks and straight connect all eight pins on two of them. Then take pins 1 & 2 from one jack and connect to pins 3 & 6 on one of the unused jacks. That's Tap Port 1 and will only see data running one direction on the wires. Now take the other fully-wired jack and connect pins 3 & 6 on that one to pins 3 & 6 on the remaining unused jack. That's now Tap Port 2 and again sees unidirectional traffic on the wires, flowing the opposite direction from Tap 1.

      Pretty easy and quite handy for all sorts of things.

    11. Re:passive scanner by Anonymous Coward · · Score: 0

      you can't? gee I think you can. (from the snort homepage)
      http://www.snort.org/docs/tap/

    12. Re:passive scanner by lance2323 · · Score: 1

      The way I have always done passive scanning is from the router. (assuming you are on the network and not tapping into it) You have the router copy all the packets to an entirely different port so your sniffer is off the main network. Therefore it is really impossible to affect the network.

    13. Re:passive scanner by Anonymous Coward · · Score: 0

      Nah, untwisting the cable will just make your TV and radio stop working. The network will be slower and more error prone but will still work.

      I've used about 6 ft non-twisted pair cables before in a pinch and was still able to transfer data. This was even on a 100mbit network. I wasn't transferring files, just using it for an interactive connection, but any slowdown wasn't noticeable for that purpose.

  3. Ettercap by vasqzr · · Score: 4, Interesting

    Sounds like a good time to check out Ettercap

    Short Description:

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
    It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

    1. Re:Ettercap by Anonymous Coward · · Score: 1, Informative

      Sounds like a good time to check out Ettercap.

      And what? List its buffer overflows? You aren't saying it's exploit free, are you?

      A patched Ethereal will be out in a few days. I think you'd be better off with that.

    2. Re:Ettercap by Anonymous Coward · · Score: 0

      Better the devil known than the devil unknown. How many exploits does Ettercap have?

  4. Not the worst thing in the world by Old+Uncle+Bill · · Score: 4, Insightful

    Yeah, I don't like remote root exploits any more than the next guy, but are there a lot of people who run this 24/7? For the one hour a week I run this tool, I'm not AS concerned as if it was my OS with those vulnerabilities *cough*Windows*cough*.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  5. Privilege separation by Anonymous Coward · · Score: 1, Insightful

    There is no reason the Ethereal GUI or protocol analysis code needs to run as root. It should drop privileges as soon as it begins sniffing.
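    The open-then-drop pattern this post asks for, as an added example (not code from the thread, Ethereal or tcpdump): the one thing that needs root, opening the capture descriptor, is done first, and the untrusted work, parsing packets, starts only after privileges are irrevocably dropped. The raw socket standing in for the capture descriptor and the target account "nobody" are assumptions.

    ```c
    /* Added example: acquire the privileged capture descriptor, then drop
     * root for good before any packet parsing happens. */
    #include <errno.h>
    #include <grp.h>
    #include <netinet/in.h>
    #include <pwd.h>
    #include <stdio.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <unistd.h>

    /* Permanently switch to uid/gid. Order matters: supplementary groups and
     * the primary gid must be changed while still root (setgid needs it), and
     * setuid() goes last because after it nothing above is possible. */
    int drop_privileges(uid_t uid, gid_t gid)
    {
        if (geteuid() == 0 && setgroups(0, NULL) != 0) /* only root may clear */
            return -1;
        if (setgid(gid) != 0)
            return -1;
        if (setuid(uid) != 0)
            return -1;
        return 0;
    }

    /* 1 if root cannot be regained from the current credentials: we are not
     * root and the kernel refuses an attempt to become uid 0. */
    int privileges_irrevocable(void)
    {
        if (geteuid() == 0)
            return 0;
        return setuid(0) == -1 && errno == EPERM;
    }

    int main(void)
    {
        /* Assumption: a raw socket stands in for the capture descriptor
         * (bpf on BSD, AF_PACKET on Linux); opening it needs root, reading
         * it afterwards does not. */
        int cap = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
        if (cap < 0)
            perror("socket (expected to fail without root)");

        /* Target account is assumed to exist; fall back to our own ids. */
        const struct passwd *pw = getpwnam("nobody");
        uid_t uid = (pw && geteuid() == 0) ? pw->pw_uid : getuid();
        gid_t gid = (pw && geteuid() == 0) ? pw->pw_gid : getgid();

        if (drop_privileges(uid, gid) != 0) {
            perror("drop_privileges");
            return 1;
        }
        printf("dissecting as uid %u; root regainable: %s\n",
               (unsigned)geteuid(), privileges_irrevocable() ? "no" : "yes");
        /* ...only now hand `cap` to the protocol dissectors... */
        if (cap >= 0)
            close(cap);
        return 0;
    }
    ```
    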

    1. Re:Privilege separation by Phillup · · Score: 2, Interesting

      I use tcpdump to capture what is on the wire... which is run as root.

      Then, as a non-root user, I pull the data into ethereal.

      I do this because the network is over a thousand miles away and the machines don't even have X on them... so... I capture remotely and then look at the data on my workstation.

      --

      --Phillip

      Can you say BIRTH TAX
    2. Re:Privilege separation by ACPosterChild · · Score: 1

      Our network is only ~230 miles away.

      But it's straight up. :)

      We do have X, and KDE even. All the good it does us...

    3. Re:Privilege separation by TheLink · · Score: 1

      tcpdump has had similar problems.

      I wonder if linkcat might be safer - it might not do as much parsing as tcpdump.

      http://www.doxpara.com/read.php/docs/lc_logs.html

      --
  6. Wardriving by DustMagnet · · Score: 4, Interesting

    These bugs can also be used to catch war drivers. Another trick I've seen in a white paper was to transmit fake traffic from an unused IP address and watch for reverse DNS lookups.

    --
    'SBEMAIL!' is better than a goat!!
  7. This is very unfortunate by n1ywb · · Score: 3, Insightful

    Ethereal is a valuable network diagnostic tool. It has saved my ass a couple of times, and it has been helpful many times. I was the only person in my Networks class in college that was able to do my assignments from my room, everybody else had to go to the lab to use the commercial sniffer.

    On the other hand, 13 vulnerabilities isn't too terrible and hopefully they'll get them patched up straight away. I'm sure that your average commercial packet sniffer is probably just as bad or worse, and those bugs aren't getting fixed.

    --
    -73, de n1ywb
    www.n1ywb.com
    1. Re:This is very unfortunate by Phillup · · Score: 2, Insightful

      It would be unfortunate if it was a closed source application and the company had no desire to fix the problems.

      That isn't the case.

      This is just another step in making the product even better than it already is...

      --

      --Phillip

      Can you say BIRTH TAX
  8. Why don't distros use buffer overflow protection? by Homology · · Score: 4, Interesting

    13 remotely triggerable vulnerabilities were discovered in the multiprotocol packet sniffer Ethereal that allow remote compromise.

    Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.

    Gentoo has a project called "Hardened Gentoo" where the stack overflow would just crash Ethereal. It's time the bigger Linux distros implemented similar technology (that exists as PaX).

  9. Re:Why don't distros use buffer overflow protectio by Anonymous Coward · · Score: 0

    you can skip over the canary that ProPolice implements; however OpenBSD is still secure because of its paranoia concerning buffer overflows:

    stack-gap randomization...
    the .rodata section
    PROT_EXEC purity
    W^X protection (can't execute in areas of write perm/ vice-versa)

  10. Unhealthy sniffing? by grammaticaster · · Score: 1

    Want to know about unhealthy sniffing? Hang out in the sysadmin's office at my old job for ten minutes.

  11. Did they give the maintainers a heads up? by xsecrets · · Score: 1

    The article says that they found the vulnerabilities during a code audit with an ethereal vendor, but it doesn't mention if they let the ethereal maintainers know about the problems before they released the report. If they did I would imagine we will have a new version with these bugs squashed rather quickly. If they did not I would say that is rather lame of them.

    1. Re:Did they give the maintainers a heads up? by Grotus · · Score: 4, Informative
      From the article:
      Disclosure Timeline

      5 March 2004 Ethereal developers were contacted by email telling them about 10 (of the 13) holes. 6 holes were closed the same day: EIGRP, IGAP, ISUP and BGP.
      7 March 2004 IRDA hole closed (after checking specs)
      8 March 2004 PGM hole closed (after checking specs)
      9 March 2004 NetFlow hole closed (after checking specs)
      17 March 2004 UCP holes were discovered and mailed to vendor
      19 March 2004 UCP and TCAP holes closed (after checking specs)
      22 March 2004 Ethereal developers have released a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week
      23 March 2004 Public Disclosure
      So, yes, they did let them know, and the holes have already been fixed.
      --
      "From my cold, dead hands you damn, dirty apes!" - CH
    2. Re:Did they give the maintainers a heads up? by nacturation · · Score: 2, Informative

      It's in TFA:

      Disclosure Timeline

      5 March 2004
      Ethereal developers were contacted by email telling them about 10 (of the 13) holes. 6 holes were closed the same day: EIGRP, IGAP, ISUP and BGP.

      7 March 2004
      IRDA hole closed (after checking specs)

      8 March 2004
      PGM hole closed (after checking specs)

      9 March 2004
      NetFlow hole closed (after checking specs)

      17 March 2004
      UCP holes were discovered and mailed to vendor

      19 March 2004
      UCP and TCAP holes closed (after checking specs)

      22 March 2004
      Ethereal developers have released a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week

      23 March 2004
      Public Disclosure

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  12. Congrats to Ethereal team for quick resolution by Paladine97 · · Score: 4, Insightful

    You've got to hand it to the ethereal team for their quick fixes.

    The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.

  13. BUT WHERE CAN I GET IT? by Anonymous Coward · · Score: 0

    The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.

    but I can't find 0.10.3 anywhere!

    It's not on the official ftp site: ftp://ftp.ethereal.com/pub/ethereal/

    Nor is it on the source forge page: http://sourceforge.net/project/showfiles.php?group_id=255

    1. Re:BUT WHERE CAN I GET IT? by Paladine97 · · Score: 1

      The article said that the release would be out within the week.

  14. I just use this filter: by g-san · · Score: 5, Funny

    tcp.flags.evilbit == 0

    1. Re:I just use this filter: by ulrikp · · Score: 1

      This is, of course, a reference to RFC 3514, which in my humble opinion was the best April Fool's joke on Slashdot last year.

      Ulrik
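      What g-san's joke filter would have to test, as an added example (not code from the thread or from Ethereal): RFC 3514 defines the evil bit as the high-order bit of the IPv4 flags/fragment-offset field, so the check lives in the IP header, and every field is read only after the length and IHL have been validated against the bytes actually captured, which is exactly the discipline a dissector needs. The sample headers are constructed for the example.

      ```c
      /* Added example: a bounds-checked IPv4 header check for the RFC 3514
       * "evil bit". Malformed input is reported, never read past. */
      #include <stddef.h>
      #include <stdint.h>
      #include <stdio.h>

      enum { EVIL_MALFORMED = -1, EVIL_CLEAR = 0, EVIL_SET = 1 };

      int ipv4_evil_bit(const uint8_t *pkt, size_t len)
      {
          if (pkt == NULL || len < 20)           /* minimum IPv4 header */
              return EVIL_MALFORMED;
          unsigned version = pkt[0] >> 4;
          size_t ihl = (pkt[0] & 0x0f) * 4u;     /* header length in bytes */
          size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* total length */
          /* Reject anything whose declared sizes exceed the captured bytes:
           * trusting IHL or total length here is how dissectors overflow. */
          if (version != 4 || ihl < 20 || ihl > len || total < ihl || total > len)
              return EVIL_MALFORMED;
          /* bytes 6-7: three flag bits then a 13-bit fragment offset;
           * the top bit (reserved before RFC 3514) is the evil bit. */
          return (pkt[6] & 0x80) ? EVIL_SET : EVIL_CLEAR;
      }

      /* Constructed sample headers: 20 bytes, no options, no payload. */
      static const uint8_t HONEST_PKT[20] = {
          0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
          0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };  /* DF only */
      static const uint8_t EVIL_PKT[20] = {
          0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0xc0, 0x00, 0x40, 0x06, 0x00, 0x00,
          0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };  /* evil + DF */
      /* Claims a 60-byte header (IHL 15) but only 20 bytes were captured. */
      static const uint8_t LYING_PKT[20] = {
          0x4f, 0x00, 0x00, 0x3c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
          0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };

      int main(void)
      {
          printf("honest: %d\nevil: %d\nlying IHL: %d\n",
                 ipv4_evil_bit(HONEST_PKT, sizeof HONEST_PKT),
                 ipv4_evil_bit(EVIL_PKT, sizeof EVIL_PKT),
                 ipv4_evil_bit(LYING_PKT, sizeof LYING_PKT));
          return 0;
      }
      ```
      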

  15. LOL! by Anonymous Coward · · Score: 0

    Seriously. Most "+Funny" stuff here barely makes me crack a grin, but that was truly laugh-out-loud hilarious. Well done!

  16. +1 Poor Bastard by djcapelis · · Score: 2, Funny

    Another case of needing a new moderation...

    --
    I touch computers in naughty places
  17. Ethereal the new Sendmail by Ed+Avis · · Score: 1

    It's surprising how many vulnerabilities are found in Ethereal - this report is certainly not the first. And they tend to be root vulnerabilities.

    Really, it's amazing that software like Ethereal, intended as a security tool, wasn't written with a bit more care and attention to avoid buffer overflows and similar causes of exploits. Normally one would expect something that needs to run as root and accept arbitrary data from the network interface to be written with extra caution and paranoia.

    --
    -- Ed Avis ed@membled.com
  18. no proof of concept by Anonymous Coward · · Score: 0

    so who cares? without proof this guy could say anything (although i believe him)
    Proof of Concept is what would really impress me.

  19. Dynamic compilation? by tepples · · Score: 1

    W^X protection (can't execute in areas of write perm/ vice-versa)

    How does this work with programs that dynamically compile things, such as a virtual machine for Sun's Java platform?

    1. Re:Dynamic compilation? by Anonymous Coward · · Score: 0

      well first of all Java is interpreted at that level (as far as I know -- yes there's gcj...); second I think it's a gcc patch or similar for C/C++

      so my guess is the VM contains the added functionality to translate the byte-code (like when it initializes a memory location) whenever it sees a "new" or possibly assignment. Java itself might already have this check (part of the sandbox)

      This is a good question and one I'm probably not quite qualified to answer (I don't run OpenBSD myself; it was just something I learned in my security class @ Purdue)

  20. The up side by Anonymous Coward · · Score: 1, Funny

    You get to see lots of detailed info about the cracker's bits as they're attacking your pc :)