[Snort-sigs] Rule write up for sid 1382

Mark Vevers mark at ...390...
Fri Mar 1 04:25:05 EST 2002


#  Hope this is what you want ..... Mark
#  --
#  Mark Vevers.    mark at ...390... / mvevers at ...391...
#  Internet Backbone Engineering Team
#  Internet for Learning, Research Machines Plc
#  Tel: +44 1235 823380,   Fax: +44 1235 823424
#
#
# --------------------------------------------------------------------------
#
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:2;) 
--
Sid: 1382

--
Summary: Root exploit for Ettercap Network Sniffer (Version <= 0.6.2)

--
Impact: A remote attacker is able to gain a root shell on a host running ettercap.

--
Detailed Information: A buffer overflow in the parsing of IRC traffic for 'nick' passwords enables a remote attacker to execute code of their choice as root on the compromised host.  This is the result of an unchecked string copy of the captured password from the packet into the buffer used to store all retrieved passwords.  The same or very similar overflows exist for other string matches within this section of code in this and previous versions of ettercap. 

The exploit released by GOBBLES listens on port 0x8000 and provides a shell for the attacker.  Since ettercap is generally run as root in order to have access to a promiscuous network interface, the shell will have uid=0 (root).
--
Attack Scenarios: Ettercap is likely to be deployed in 'sensitive' parts of the network where a network administrator is analysing passing traffic.  A compromise of a host in such a position will not only reveal any passwords already captured by ettercap to the attacker, but gives the attacker ample opportunity to analyse passing network traffic for further useful information.  The host will quite likely be used as a base for other attacks.

--
Ease of Attack: Very easy - exploit code published by 'GOBBLES' on vuln-dev - the original posting can be seen here : http://online.securityfocus.com/archive/82/245128

--
False Positives: Unlikely, as an 'IDENTIFY' message should not be more than 200 bytes in normal usage.

--
False Negatives: Although the rule is a good match for the posted exploit - there are several other strings which would match in the vulnerable section of code.  A better match might be obtained by specifying 'IDENTIFY ' with dsize > 200, although this may introduce more false positives. 
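To make the trade-off above concrete, the following is an added example (not code from the original post, from Snort or from ettercap) that re-implements the match logic of sid 1382 in Python, alongside the looser 'IDENTIFY ' match suggested above, and runs both over a handful of constructed IRC payloads.  The sample messages are constructed for illustration, not captured traffic, and the page does not list the other strings ettercap's parser matches; the ':'-prefixed variant below is simply IRC's normal trailing-parameter form, used here to show how an exact content match can be sidestepped.

```python
"""Match logic of Snort sid 1382 re-implemented in Python and run over constructed
IRC payloads.  Added example, not code from the original post or from Snort; the
sample messages are constructed, not captured traffic."""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    """Just the fields the rule header and options look at."""
    dport: int
    flags: str      # Snort flag letters: A=ACK, P=PSH, S=SYN, F=FIN, ...
    payload: bytes


def _header_ok(pkt: Packet) -> bool:
    # "tcp any any -> any 6667" and "flags:A+" (ACK set, any other bits allowed)
    return pkt.dport == 6667 and "A" in pkt.flags


def matches_sid_1382(pkt: Packet) -> bool:
    """The rule as posted: content 'PRIVMSG nickserv IDENTIFY', nocase,
    dsize:>200.  offset:0 only sets where the content search starts and no
    depth is given, so the string may appear anywhere in the payload."""
    return (_header_ok(pkt)
            and len(pkt.payload) > 200
            and b"privmsg nickserv identify" in pkt.payload.lower())


def matches_loose_variant(pkt: Packet) -> bool:
    """The broader match suggested under 'False Negatives': only 'IDENTIFY '
    (with trailing space, nocase) plus dsize:>200, same header constraints."""
    return (_header_ok(pkt)
            and len(pkt.payload) > 200
            and b"identify " in pkt.payload.lower())


# Constructed sample traffic (not captured).  The 300 'A's stand in for the
# exploit's overlong "password"; a real exploit payload would carry shellcode.
FILLER = b"A" * 300
SAMPLES: Dict[str, Packet] = {
    # ordinary login: well under 200 bytes, must not alert
    "normal_identify": Packet(6667, "AP", b"PRIVMSG nickserv IDENTIFY hunter2\r\n"),
    # exploit-shaped message using the exact string the rule looks for
    "exploit_exact": Packet(6667, "AP", b"PRIVMSG nickserv IDENTIFY " + FILLER + b"\r\n"),
    # same attack with IRC's ':' before the trailing parameter: the exact
    # content match no longer fires, the loose one still does
    "exploit_colon": Packet(6667, "AP", b"PRIVMSG NickServ :IDENTIFY " + FILLER + b"\r\n"),
    # long channel chatter containing the word "identify ": the kind of
    # false positive the loose variant would introduce
    "chatter": Packet(6667, "AP",
                      b"PRIVMSG #help :can anyone identify " + b"this error " * 20 + b"\r\n"),
    # exploit-shaped payload on a non-IRC port: outside the rule header
    "wrong_port": Packet(8080, "AP", b"PRIVMSG nickserv IDENTIFY " + FILLER + b"\r\n"),
    # SYN without ACK: flags:A+ not satisfied even though the payload matches
    "no_ack": Packet(6667, "S", b"PRIVMSG nickserv IDENTIFY " + FILLER + b"\r\n"),
}


def alerts(rule: Callable[[Packet], bool], samples: Dict[str, Packet] = SAMPLES) -> List[str]:
    """Names of the samples a rule function alerts on, in insertion order."""
    return [name for name, pkt in samples.items() if rule(pkt)]


if __name__ == "__main__":
    print("sid 1382 as posted     :", alerts(matches_sid_1382))
    print("loose 'IDENTIFY ' match:", alerts(matches_loose_variant))
```

Run stand-alone, the posted rule alerts only on the exact exploit-shaped payload, while the loose variant also catches the ':'-prefixed form but additionally fires on the long channel message, which is the false-positive cost the write-up warns about.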

--
Corrective Action:
Upgrade to ettercap 0.6.3 or greater

--
Contributors: Mark Vevers

-- 
Additional References:
 http://online.securityfocus.com/archive/82/245128

-- 
