[Snort-users] Promiscuous interface hacks?

Frank Knobbe fknobbe at ...652...
Thu May 1 08:39:18 EDT 2003


On Thu, 2003-05-01 at 09:47, Paul Schmehl wrote:
> Is anyone aware of any methods (or white papers describing methods) that 
> describe ways that can be used to hack a box through a NIC that is in 
> promiscuous mode?  I'm curious because I'm wondering how serious the recent 
> vulnerabilities in snort really are to a box that's set up in promiscuous 
> mode.


Paul,

I would say that when you have an interface in promiscuous mode, most
(if not all) of the time you also have a second interface in normal
mode. So any buffer overflow in Snort, tcpdump, ethereal etc could lead
to execution of code. That code could establish a connection back to the
attacker (reverse shell). That does not have to occur on the same
interface. Instead, when you create a socket, the system will probably
route the packets through the interface with the IP address
automatically.

Even if the box only has one NIC, the code could just wipe out all data
on the hard disk. As long as there are applications using data from the
network (promiscuously or not), and these apps have vulnerabilities, you
are at risk. In other words, don't differentiate between promiscuous
mode and normal mode. :)

Regards,
Frank



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030501/6a30bfff/attachment.sig>


More information about the Snort-users mailing list