[TriLUG] Promiscuous mode on open network (nc.rr.com)?
Jeremy Portzer
jeremyp at pobox.com
Wed Jul 2 11:30:19 EDT 2003
On Wed, 2003-07-02 at 09:54, Ryan Leathers wrote:
> Consider what could happen if you had an IP address bound to a NIC that
> was in promiscuous mode. The host could be reached, and the NIC would
> accept everything on the wire. This is a rootkit waiting to happen. I
> have in my bag of tricks some binaries for those occasions when I
> discover an unauthorized IDS on my network. One nifty example is a
> tcpdump exploit which returns an xterm from the target to my attack
> box. It's accomplished through a buffer overflow of tcpdump. This
> particular exploit is only possible because of the combination of three
> factors: tcpdump is running, the NIC is in promiscuous mode, an IP
> address is bound to this NIC. Also note that I generally get the xterm
> back as root. (Yes, similar exploits exist for other applications which
> use promiscuous mode... and yes the original tcpdump BO exploit was
> patched with 3.6.1 but the subsequent BO2 sploit is still zero day to my
> knowledge) The point is DON'T put interfaces you care about in
> promiscuous mode unless they are transparent.
On newer systems, tcpdump runs as the 'pcap' user so even if you can
exploit it, you won't get root access. (Well, I guess you said
'generally' but I thought I'd point that out.)
--Jeremy
--
/=====================================================================\
| Jeremy Portzer jeremyp at pobox.com trilug.org/~jeremy |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F E135 6F9F F7BC CC1A 7B92 |
\=====================================================================/
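The thread's concrete warning is the combination of a promiscuous-mode NIC and an IP address bound to it; a sniffing port with no address is what Ryan calls "transparent". The following Python script is an added example for checking a Linux host for that combination; it is not code from the TriLUG thread or from tcpdump. It parses the one-line-per-interface output of iproute2's `ip -o link show` and `ip -o -4 addr show` (the `PROMISC` link flag and any `inet` addresses), and the sample output embedded below is constructed, not captured from a real host. The `audit_live()` helper runs the same check against the machine it is executed on.

```python
"""Audit Linux interfaces for the risky combination the thread warns about:
promiscuous mode on an interface that also has an IP address bound to it.
Added example, not from the TriLUG thread; assumes iproute2's `-o` output format."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Set

# One interface per line: "<idx>: <name>[@parent]: <FLAG,FLAG,...> ..." for `ip -o link show`
# and "<idx>: <name>    inet <addr/prefix> ..." for `ip -o -4 addr show`.
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")

# Constructed sample output (not captured from a real host):
#   eth0 = promiscuous AND has an IP (the exposed case from the thread)
#   eth1 = promiscuous sniffing port with no IP (transparent)
#   eth2 = ordinary interface with an IP, not promiscuous
SAMPLE_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:00:11:22 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: eth2    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth2\\       valid_lft forever preferred_lft forever
"""


@dataclass
class Finding:
    iface: str
    promisc: bool
    addrs: List[str]
    verdict: str  # "exposed", "transparent" or "ok"


def parse_link_flags(text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of link flags, e.g. {"UP", "PROMISC", ...}."""
    flags: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = _LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def parse_ipv4_addrs(text: str) -> Dict[str, List[str]]:
    """Map interface name -> list of IPv4 addresses (CIDR notation) bound to it."""
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def audit(link_text: str, addr_text: str) -> List[Finding]:
    """Classify every interface; loopback is never counted as promiscuous."""
    flags = parse_link_flags(link_text)
    addrs = parse_ipv4_addrs(addr_text)
    findings = []
    for iface, fl in flags.items():
        promisc = "PROMISC" in fl and "LOOPBACK" not in fl
        bound = addrs.get(iface, [])
        if promisc and bound:
            verdict = "exposed"      # reachable by IP and accepts everything on the wire
        elif promisc:
            verdict = "transparent"  # sniffing port with no address, not reachable by IP
        else:
            verdict = "ok"
        findings.append(Finding(iface, promisc, bound, verdict))
    return findings


def audit_live() -> List[Finding]:
    """Run the audit against this host's real `ip` output (Linux with iproute2)."""
    link = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    return audit(link, addr)


if __name__ == "__main__":
    for f in audit(SAMPLE_LINK_OUTPUT, SAMPLE_ADDR_OUTPUT):
        print(f"{f.iface:6} promisc={str(f.promisc):5} addrs={f.addrs or '-'} -> {f.verdict}")
```

Run it as-is to see the three verdicts for the constructed sample, or call `audit_live()` from a cron job or a monitoring check and alert on any "exposed" result. An interface that legitimately needs to sniff should show up as "transparent": promiscuous, but with no address to answer on.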