Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unhealthy Sniffing

Posted by timothy on from the price-of-slurping dept.

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."

38 of 49 comments (clear)

  1. other uses than spying. by gl4ss · · Score: 4, Informative

    network sniffers are useful for other things as well.

    just this spring had to use ethereal on one networking course to follow ethernet packets, which computer was asking what from who, how the router affected the packets and how a hub is different from a switch(all and all quite basic stuff but still it was quite useful for gaining insight to the different protocols in real world like situation)..

    how about the windows port?

    --
    world was created 5 seconds before this post as it is.
    1. Re:other uses than spying. by silvercloak · · Score: 5, Informative

      The article makes this clear: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

    2. Re:other uses than spying. by dmayle · · Score: 1

      I agree wholeheartedly. I write systems management software, and my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...

    3. Re:other uses than spying. by firewrought · · Score: 1
      network sniffers are useful for other things as well.

      I was surprised to learn that a Windows port of Ethereal was packaged and deployed to our shared apps installation environment. Surprised because we're a pretty large and conservative company, and non-computer types are quick to find the potential downsides to a tool and categorize it as evil before the good side can be seen.

      Anyways, Ethereal has been very helpful for exploring a variety of problems w/the different software we fool with. This gives us another way to "peer inside the box" of proprietary applications. For instance: Crystal Reports is a reporting package that has a "subreports" feature. A subreport can be an external file that Crystal pulls in every time you open the main report. The troublesome thing is that Crystal doesn't tell you where the external file is located. But w/Ethereal, we can see the files being pulled over the network. This was an invaluable shortcut to figuring out what the hell was going on.

      I appear to be on a switched ethernet segment, so I'm not in danger of breaking anyone's privacy if I were to use the tool in promiscuous mode (like I sometimes did in college :-).

      --
      -1, Too Many Layers Of Abstraction
    4. Re:other uses than spying. by RevDobbs · · Score: 1
      . . . my company often uses ethereal (on linux and windows) to check the contents of RPC calls, and other significant traffic...

      Same here... althought my idea of "significant traffic" is new pr0n sites that the comptroller hasn't told be about yet..

  2. passive scanner by climberkid · · Score: 1

    Will ethereal work as a passive scanner? Like used to grab packets from a MAC filtered wi-fi network that you do not have access to?

    1. Re:passive scanner by Elwood+P+Dowd · · Score: 3, Interesting

      The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to effect the network, as far as I understand it (not very far).

      I imagine that the right way to do passive wifi scanning would require support from your driver and hardware, to ensure that you were not transmitting any packets at all.

      And no, I don't know anything about Ethereal. I'll shut up now.

      --

      There are no trails. There are no trees out here.
    2. Re:passive scanner by Anonymous Coward · · Score: 3, Interesting
      The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to effect the network, as far as I understand it (not very far).

      Yea, but a common way to configure the sensors is to have one side plugged into the "trusted" internal network and the other side as an un-addressed interface in promiscuous mode. Ideally this would prevent someone on the outside from ever hopping into your internal LAN, but even if you cut the tx leads, the recent vulnerabilities in snort and I assume ethereal would allow a remote attacker on the untrusted network to exploit your sensor and gain access to your internal net which undoubtably has access to the Internet through some mechanism to talk back to the attacker. Lovely. Moral of the story is to use an isolated admin net for the sensors so if they get compromised, no big deal.

    3. Re:passive scanner by DES · · Score: 5, Informative

      The right way to do passive scanning is with an ethernet cable that has the tx leads removed.

      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.

      In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

      (I write network analysis software for a living)

    4. Re:passive scanner by Elwood+P+Dowd · · Score: 4, Funny

      (I write network analysis software for a living)

      I write VB front ends to SQL databases for a living.

      I'm going to go with you on this one.

      --

      There are no trails. There are no trees out here.
    5. Re:passive scanner by Hast · · Score: 1

      IIRC I've read reports that you can "un-twist" the TX cable-pair and that will destroy the signal while still providing enough to make the switch keep the port open. Some experimentation may be required though.

    6. Re:passive scanner by Rick.C · · Score: 2, Informative
      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all.

      It's true that you can't just cut the tx wire, but you _can_ rig it so a hub can see it but no xmit will occur.

      Search google for "sniffer +stealth". There is a site with plans to build a non-transmitting cable. It also discusses the theory of how it works. (I can't verify a link because those kinds of sites are blocked here at work.) It involves cutting _one_ of the TX wires and inserting a capacitor in series to form a hi-pass (or is it low-pass?) filter. This causes the hub to see all "1" bits (and out of parity) from the NIC. The hub will turn on the link light even though it never gets good data, so then the NIC can receive just fine.

      I've built one of these into an inline RJ-45 coupler and it works great. As explained on the site, the value of the capacitor depends in the ethernet speed, so it's different for 10mb or 100mb.
      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    7. Re:passive scanner by Anonymous Coward · · Score: 3, Informative

      Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.

      In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

      (I write network analysis software for a living)

      Ok.. UTP 101.. let's use EIA/TIA568B FastEthernet here (toss this out if you're sniffing GigE traffic)...

      pin 1 -> white/orange
      pin 2 -> orange
      pin 3 -> white/green
      pin 6 -> green

      Following traffic from switch to host, the pins are as follows:

      pin 1: RX+ (receives from host)
      pin 2: RX-
      pin 3: TX+ (transmits to host)
      pin 6: TX-

      The *proper* way to do this is start with a normal cable. At the host end, cut into the cable jacketing a little ways up from the terminator and cut the white/orange and orange wires, then solder lead 1 to 3 and lead 2 to lead 6 (white/orange to white/green and orange to green). Do this for the side of the cable headed towards the switch and leave pins 1 & 2 "dangling" to the host. The cable is unidirectional and it can only connect between the switch and host *one way*. This is safer than depending on an unaddressed promiscuous port because there is phyically *no way* for data to get to the switch from the host, but the host will see everything on the wire.

      You can get a little more freaky and use a small capacitor inline (I can't recall the value at the moment, but it's specific to the speed of the wire) to simply put too much noise to pass traffic but not so much as to drop the connection, but the solution above works just swimmingly well if you're handy doing small task soldering and wire stripping.

      (I sniff networks for a living)

    8. Re:passive scanner by Anonymous Coward · · Score: 1, Informative

      A passive tap isn't nasty from an electrical perspective and is trivial to create with 30 minutes and $25 worth of parts from Home Depot and Radio Shack.

      Take four RJ-45 jacks and straight connect all eight pins on two of them. Then take pins 1 & 2 from one jack and connect to pins 3 & 6 on one of the unused jacks. That's Tap Port 1 and will only see data running one direction on the wires. Now take the other fully-wired jack and connect pins 3 & 6 on that one to pins 3 & 6 on the remaining unused jack. That's now Tap Port 2 and again sees unidirectional traffic on the wires, flowing the opposite direction from Tap 1.

      Pretty easy and quite handy for all sorts of things.

    9. Re:passive scanner by lance2323 · · Score: 1

      The way I have always done passive scanning is from the router. (assuming you are on the network and not tapping into it) You have the router copy all the packets to an entirely different port so your sniffer is off the main network. Therefore it is really impossibe to affect the network.

  3. Ettercap by vasqzr · · Score: 4, Interesting

    Sounds like a good time to check out Ettercap

    Short Description:

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
    It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

    1. Re:Ettercap by Anonymous Coward · · Score: 1, Informative
      Sounds like a good time to check out Ettercap.

      And what? List it's buffer overflows? You aren't saying it exploit free, are you?

      A patched Ethereal will be out in a few days. I think you'd be better off with that.

  4. Not the worst thing in the world by Old+Uncle+Bill · · Score: 4, Insightful

    Yeah, I don't like remote root exploits any more than the next guy, but are there a lot of people who run this 24/7? For the one hour a week I run this tool, I'm not AS concerned as if it was my OS with those vulnerabilities *cough*Windows*cough*.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  5. Privilege separation by Anonymous Coward · · Score: 1, Insightful

    There is no reason the Ethereal GUI or protocol analysis code needs to run as root. It should drop privileges as soon as it begins sniffing.

    1. Re:Privilege separation by Phillup · · Score: 2, Interesting

      I use tcpdump to capture what is on the wire... which is run as root.

      Then, as a non-root user, I pull the data into ethereal.

      I do this because the network is over a thousand miles away and the machines don't even have X on them... so... I capture remotely and then look at the data on my workstation.

      --

      --Phillip

      Can you say BIRTH TAX
    2. Re:Privilege separation by ACPosterChild · · Score: 1

      Our network is only ~230 miles away.

      But it's straight up. :)

      We do have X, and KDE even. All the good it does us...

    3. Re:Privilege separation by TheLink · · Score: 1

      tcpdump has had similar problems.

      I wonder if linkcat might be safer - it might not do as much parsing as tcpdump.

      http://www.doxpara.com/read.php/docs/lc_logs.htm l

      --
  6. Wardriving by DustMagnet · · Score: 4, Interesting

    These bugs can also be used to catch war drivers. Another trick I've seen in a white paper was to transmit fake traffic from an unused IP address and watch for reverse DNS lookups.

    --
    'SBEMAIL!' is better than a goat!!
  7. This is very unfortunate by n1ywb · · Score: 3, Insightful

    Ethereal is a valuable network diagnostic tool. It has saved my ass a couple of times, and it has been helpful many times. I was the only person in my Networks class in college that was able to do my assignments from my room, everybody else had to go to the lab to use the commercial sniffer.

    On the other hand, 13 vulnerabilities isn't too terrible and hopefully they'll get them patched up straight away. I'm sure that your average commercial packet sniffer probably is probably just as bad or worse, and those bugs aren't getting fixed.

    --
    -73, de n1ywb
    www.n1ywb.com
    1. Re:This is very unfortunate by Phillup · · Score: 2, Insightful

      It would be unfortunate if it was a closed source application and the company had no desire to fix the problems.

      That isn't the case.

      This is just another step in making the product even better than it already is...

      --

      --Phillip

      Can you say BIRTH TAX
  8. Why don't distros use buffer overflow protection? by Homology · · Score: 4, Interesting
    13 remotely triggerable vulnerabilities were discovered in the multiprotocol packet sniffer Ethereal that allow remote compromise.

    Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.

    Gentoo has a project called "Hardened Gentoo" where the stack overflow would just chrash the Ethereal.It's time the bigger Linux distros implement similar technology (that exist as PaX).

  9. Unhealthy sniffing? by grammaticaster · · Score: 1

    Want to know about unhealthy sniffing? Hang out in the sysadmin's office at my old job for ten minutes.

  10. Did they give the maintainers a heads up? by xsecrets · · Score: 1

    The article says that they found the vunerabilities during a code audit with an ethereal vendor, but it doesn't mention if they let the ethereal maintainers know about the problems before they released the report. If they did I would imagine we will have a new version with these bugs squashed rather quickly. If they did not I would say that is rather lame of them.

    1. Re:Did they give the maintainers a heads up? by Grotus · · Score: 4, Informative
      From the article:
      Disclosure Timeline

      5 March 2004 Ethereal developers were contacted by email telling them about 10(of the 13) holes. 6 holes were closed the same day EIGRP, IGAP, ISUP and BGP.
      7 March 2004 IRDA hole closed (after checking specs)
      8 March 2004 PGM hole closed (after checking specs)
      9 March 2004 NetFlow hole closed (after checking specs)
      17 March 2004 UCP holes were discovered and mailed to vendor
      19 March 2004 UCP and TCAP holes closed (after checking specs)
      22 March 2004 Ethereal developers have releases a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week
      23 March 2004 Public Disclosure


      So, yes, they did let them know, and the holes have already been fixed.
      --
      "From my cold, dead hands you damn, dirty apes!" - CH
    2. Re:Did they give the maintainers a heads up? by nacturation · · Score: 2, Informative

      It's in TFA:

      Disclosure Timeline

      5 March 2004
      Ethereal developers were contacted by email telling them about 10(of the 13) holes. 6 holes were closed the same day EIGRP, IGAP, ISUP and BGP.

      7 March 2004
      IRDA hole closed (after checking specs)

      8 March 2004
      PGM hole closed (after checking specs)

      9 March 2004
      NetFlow hole closed (after checking specs)

      17 March 2004
      UCP holes were discovered and mailed to vendor

      19 March 2004
      UCP and TCAP holes closed (after checking specs)

      22 March 2004
      Ethereal developers have releases a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week

      23 March 2004
      Public Disclosure

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  11. Congrats to Ethereal team for quick resolution by Paladine97 · · Score: 4, Insightful

    You've got to hand it to the ethereal team for their quick fixes.

    The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.

  12. I just use this filter: by g-san · · Score: 5, Funny

    tcp.flags.evilbit == 0
    1. Re:I just use this filter: by ulrikp · · Score: 1

      This is, of course, a reference to RFC 3514, which in my humble opinion was the best April Fool's joke on Slashdot last year.

      Ulrik

      --
      Database engine for analyzed or annotated text
  13. Re:BUT WHERE CAN I GET IT? by Paladine97 · · Score: 1

    The article said that the release would be out within the week.

  14. +1 Poor Bastard by djcapelis · · Score: 2, Funny

    Another case of needing a new moderation...

    --
    I touch computers in naughty places
  15. Ethereal the new Sendmail by Ed+Avis · · Score: 1

    It's surprising how many vulnerabilities are found in Ethereal - this report is certainly not the first. And they tend to be root vulnerabilities.

    Really, it's amazing that software like Ethereal, intended as a security tool, wasn't written with a bit more care and attention to avoid buffer overflows and similar causes of exploits. Normally one would expect something that needs to run as root and accept arbitrary data from the network interface to be written with extra caution and paranoia.

    --
    -- Ed Avis ed@membled.com
  16. Dynamic compilation? by tepples · · Score: 1

    WX protection (can't execute in areas of write perm/ vice-versa)

    How does this work with programs that dynamically compile things, such as a virtual machine for Sun's Java platform?

  17. The up side by Anonymous Coward · · Score: 1, Funny

    You get to see lots of detailed info about the cracker's bits as they're attacking your pc :)