Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unhealthy Sniffing

Posted by timothy on from the price-of-slurping dept.

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."

11 of 49 comments (clear)

  1. other uses than spying. by gl4ss · · Score: 4, Informative

    network sniffers are useful for other things as well.

    just this spring had to use ethereal on one networking course to follow ethernet packets, which computer was asking what from who, how the router affected the packets and how a hub is different from a switch(all and all quite basic stuff but still it was quite useful for gaining insight to the different protocols in real world like situation)..

    how about the windows port?

    --
    world was created 5 seconds before this post as it is.
    1. Re:other uses than spying. by silvercloak · · Score: 5, Informative

      The article makes this clear: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

  2. Ettercap by vasqzr · · Score: 4, Interesting

    Sounds like a good time to check out Ettercap

    Short Description:

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
    It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

  3. Not the worst thing in the world by Old+Uncle+Bill · · Score: 4, Insightful

    Yeah, I don't like remote root exploits any more than the next guy, but are there a lot of people who run this 24/7? For the one hour a week I run this tool, I'm not AS concerned as if it was my OS with those vulnerabilities *cough*Windows*cough*.

    --
    Yes, I am an agent of Satan, but my duties are largely ceremonial.
  4. Wardriving by DustMagnet · · Score: 4, Interesting

    These bugs can also be used to catch war drivers. Another trick I've seen in a white paper was to transmit fake traffic from an unused IP address and watch for reverse DNS lookups.

    --
    'SBEMAIL!' is better than a goat!!
  5. Re:passive scanner by DES · · Score: 5, Informative

    The right way to do passive scanning is with an ethernet cable that has the tx leads removed.

    Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.

    In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

    (I write network analysis software for a living)

  6. Why don't distros use buffer overflow protection? by Homology · · Score: 4, Interesting
    13 remotely triggerable vulnerabilities were discovered in the multiprotocol packet sniffer Ethereal that allow remote compromise.

    Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.

    Gentoo has a project called "Hardened Gentoo" where the stack overflow would just chrash the Ethereal.It's time the bigger Linux distros implement similar technology (that exist as PaX).

  7. Re:passive scanner by Elwood+P+Dowd · · Score: 4, Funny

    (I write network analysis software for a living)

    I write VB front ends to SQL databases for a living.

    I'm going to go with you on this one.

    --

    There are no trails. There are no trees out here.
  8. Congrats to Ethereal team for quick resolution by Paladine97 · · Score: 4, Insightful

    You've got to hand it to the ethereal team for their quick fixes.

    The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.

  9. Re:Did they give the maintainers a heads up? by Grotus · · Score: 4, Informative
    From the article:
    Disclosure Timeline

    5 March 2004 Ethereal developers were contacted by email telling them about 10(of the 13) holes. 6 holes were closed the same day EIGRP, IGAP, ISUP and BGP.
    7 March 2004 IRDA hole closed (after checking specs)
    8 March 2004 PGM hole closed (after checking specs)
    9 March 2004 NetFlow hole closed (after checking specs)
    17 March 2004 UCP holes were discovered and mailed to vendor
    19 March 2004 UCP and TCAP holes closed (after checking specs)
    22 March 2004 Ethereal developers have releases a mini advisory urging their users to upgrade to version 0.10.3 which will be released later this week
    23 March 2004 Public Disclosure


    So, yes, they did let them know, and the holes have already been fixed.
    --
    "From my cold, dead hands you damn, dirty apes!" - CH
  10. I just use this filter: by g-san · · Score: 5, Funny

    tcp.flags.evilbit == 0