[TriLUG] Promiscuous mode on open network (nc.rr.com)?

Jeremy Portzer jeremyp at pobox.com
Wed Jul 2 11:30:19 EDT 2003


On Wed, 2003-07-02 at 09:54, Ryan Leathers wrote:

> Consider what could happen if you had an IP address bound to a NIC that
> was in promiscuous mode.  The host could be reached, and the NIC would
> accept everything on the wire.  This is a rootkit waiting to happen.  I
> have in my bag of tricks some binaries for those occasions when I
> discover an unauthorized IDS on my network.  One nifty example is a
> tcpdump exploit which returns an xterm from the target to my attack
> box.  It's accomplished through a buffer overflow of tcpdump.  This
> particular exploit is only possible because of the combination of three
> factors: tcpdump is running, the NIC is in promiscuous mode, an IP
> address is bound to this NIC. Also note that I generally get the xterm
> back as root.  (Yes, similar exploits exist for other applications which
> use promiscuous mode... and yes the original tcpdump BO exploit was
> patched with 3.6.1 but the subsequent BO2 sploit is still zero day to my
> knowledge)  The point is DON'T put interfaces you care about in
> promiscuous mode unless they are transparent.

On newer systems, tcpdump runs as the 'pcap' user so even if you can
exploit it, you won't get root access.  (Well, I guess you said
'generally' but I thought I'd point that out.)

--Jeremy


-- 
/=====================================================================\
| Jeremy Portzer       jeremyp at pobox.com       trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\=====================================================================/
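
Added example, not part of the thread or of tcpdump itself: a small POSIX sh audit for the two conditions discussed above. It parses the output of `ip -o link show`, `ip -o addr show` and `ps -eo user=,args=` (the sample outputs embedded below are constructed; the interface names, addresses and paths are placeholders) and reports (a) interfaces that are both in promiscuous mode and have an IP address bound, the reachable-sniffer case Ryan describes, and (b) tcpdump processes still running as root, the case Jeremy's 'pcap' user note mitigates.

```sh
#!/bin/sh
# Added example (not from the TriLUG thread): audit a Linux host for
#  (a) a NIC in promiscuous mode that also has an IP address bound, and
#  (b) a tcpdump running as root rather than as a dropped-privilege user.
# The SAMPLE_* strings are constructed `ip -o link show`, `ip -o addr show`
# and `ps -eo user=,args=` output so this runs offline.  On a live host:
#   promisc_with_ip "$(ip -o link show)" "$(ip -o addr show)"
#   root_sniffers   "$(ps -eo user=,args=)"

# Constructed `ip -o link show`: eth0 and eth1 carry the PROMISC flag.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed `ip -o addr show`: eth1 is the "transparent" case with no address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
4: eth2    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth2\       valid_lft forever preferred_lft forever'

# Constructed `ps -eo user=,args=`: one tcpdump as root, one dropped to pcap.
SAMPLE_PS='root     /usr/sbin/tcpdump -i eth0 -w /var/tmp/eth0.pcap
pcap     /usr/sbin/tcpdump -i eth1 -Z pcap -w /var/tmp/eth1.pcap
root     /usr/sbin/sshd -D'

# promisc_ifaces LINK_OUTPUT: names of interfaces whose <flags> field contains
# PROMISC.  Fields are split on ": " so the name is $2 and the flags lead $3;
# an "eth0.100@eth0" style name is trimmed to its own part.
promisc_ifaces() {
    printf '%s\n' "$1" |
        awk -F': ' '$3 ~ /^<([^>]*,)?PROMISC[,>]/ { sub(/@.*/, "", $2); print $2 }'
}

# addr_ifaces ADDR_OUTPUT: names of interfaces with at least one inet or inet6
# address, each listed once even if it has several addresses.
addr_ifaces() {
    printf '%s\n' "$1" | awk '$3 ~ /^inet6?$/ { print $2 }' | sort -u
}

# promisc_with_ip LINK_OUTPUT ADDR_OUTPUT: interfaces present in both sets,
# i.e. a sniffing NIC that is itself reachable.  Both lists are unique, so a
# name that `uniq -d` reports as duplicated is one that appears in both.
promisc_with_ip() {
    { promisc_ifaces "$1" | sort -u; addr_ifaces "$2"; } | sort | uniq -d
}

# root_sniffers PS_OUTPUT: paths of tcpdump processes whose user is root.  A
# memory-corruption bug in one of these yields a root shell, as in the quoted
# report; one started with `-Z pcap` yields only that user's rights.
root_sniffers() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 ~ /(^|\/)tcpdump$/ { print $2 }'
}

# Stand-alone run against the constructed samples.
echo "promiscuous interfaces with an address bound:"
promisc_with_ip "$SAMPLE_LINKS" "$SAMPLE_ADDRS"
echo "tcpdump processes running as root:"
root_sniffers "$SAMPLE_PS"
```

Current tcpdump takes `-Z user` (long form `--relinquish-privileges=user`) to change to that user after the capture device has been opened, which is what turns a successful overflow into a shell as 'pcap' rather than as root; whether a given distribution's packaging does this by default, and under which user name, is distribution-specific. The audit above only shows which interfaces and processes are in the risky state; it does not tell you which program set the PROMISC flag.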