[Snort-users] Promiscuous interface hacks?

Paul Schmehl pauls at ...6838...
Thu May 1 08:49:07 EDT 2003

Thanks, Frank.  Are you aware of any papers on this subject that deal with 
the technical details?

--On Thursday, May 01, 2003 10:38:03 AM -0500 Frank Knobbe 
<fknobbe at ...652...> wrote:

> On Thu, 2003-05-01 at 09:47, Paul Schmehl wrote:
>> Is anyone aware of any methods (or white papers describing methods) that
>> describe ways that can be used to hack a box through a NIC that is in
>> promiscuous mode?  I'm curious because I'm wondering how serious the
>> recent  vulnerabilities in snort really are to a box that's set up in
>> promiscuous  mode.
> Paul,
> I would say that when you have an interface in promiscuous mode, most
> (if not all) of the time you also have a second interface in normal
> mode. So any buffer overflow in Snort, tcpdump, ethereal etc could lead
> to execution of code. That code could establish a connection back to the
> attacker (reverse shell). That does not have to occur on the same
> interface. Instead, when you create a socket, the system will probably
> route the packets through the interface with the IP address
> automatically.
> Even if the box only has one NIC, the code could just wipe out all data
> on the hard disk. As long as there are applications using data from the
> network (promiscuously or not), and these apps have vulnerabilities, you
> are at risk. In other words, don't differentiate between promiscuous
> mode and normal mode. :)
> Regards,
> Frank

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list