[Snort-users] Promiscuous interface hacks?

Paul Schmehl pauls at ...6838...
Thu May 1 15:43:27 EDT 2003


Thanks Matt.  What I'm trying to grasp is not whether or not the bo would 
work, but whether the attacker could then gain control of the box.  I can 
see how the bo would work, because snort is going to process the packets 
regardless of what is in them.

But once the bo is exploited, even if a root shell is obtained, how does 
the attacker then "get to" that shell?  Since there's no IP associated with 
it, I'm having trouble understanding how the attacker could then proceed to 
exploit the box.

--On Thursday, May 01, 2003 06:33:50 PM -0400 Matt Kettler 
<mkettler at ...4108...> wrote:

> The fact that the interface is in promisc mode is more-or-less irrelevant
> to an attack involving buffer overflows, format strings, off-by-ones, and
> other memory-corruption-to-execute code style attacks.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-users mailing list