Snort mailing list archives
Re: Promiscuous interface hacks?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 01 May 2003 18:33:50 -0400
The fact that the interface is in promisc mode is more-or-less irrelevant to an attack involving buffer overflows, format strings, off-by-ones, and other memory-corruption-to-execute code style attacks.
The ONLY requirement for these attacks to work is that the data you send be processed in an unsafe manner. If a snort process sniffs packets off the ethernet interface and copies them into a local buffer in an unsafe manner, that overflow can be exploited for arbitrary code execution in exactly the same manner as any other buffer overflow.
Note that a buffer overflow need not be a plain jane "exec bin/sh over the already established tcp session"... That's just a very classic example that's commonly used against standard servers because the code size is small. After all, people do attack buffer overflows in UDP based services too.
Admittedly the snort bug wasn't a straightforward strcpy overflow, it was an off-by-one, but the attack is still valid and possible. The fact that snort isn't involved in a tcp session with you, and is instead sniffing packets does not make the attack impossible, just different.
At 09:47 AM 5/1/2003 -0500, Paul Schmehl wrote:
I admit I'm ignorant of this (which is why I'm asking the question), but I think this is probably the best list that I'm aware of to ask this question. Is anyone aware of any methods (or white papers describing methods) that describe ways that can be used to hack a box through a NIC that is in promiscuous mode? I'm curious because I'm wondering how serious the recent vulnerabilities in snort really are to a box that's set up in promiscuous mode.
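The point made in the reply above, as an added example that is not part of the original message and is not Snort's code: a sniffer that stores captured payload bytes with an off-by-one length check writes one byte past its buffer, with no TCP session involved, while the corrected check rejects the same input. All names, sizes and the payload are constructed for illustration, and the guard byte sits inside the same array so the demonstration stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define CAP   16     /* logical buffer size (constructed value) */
#define GUARD 0xA5   /* marker byte placed just past the buffer */

typedef int (*store_fn)(unsigned char *, size_t, const unsigned char *, size_t);

/* Off-by-one: accepts len == cap, so the terminator lands at dst[cap]. */
static int store_off_by_one(unsigned char *dst, size_t cap,
                            const unsigned char *pkt, size_t len)
{
    if (len > cap)                 /* BUG: must be len >= cap */
        return -1;
    memcpy(dst, pkt, len);
    dst[len] = '\0';
    return 0;
}

/* Hardened: reserves room for the terminator before copying. */
static int store_checked(unsigned char *dst, size_t cap,
                         const unsigned char *pkt, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, pkt, len);
    dst[len] = '\0';
    return 0;
}

/* Feeds a constructed payload of `len` bytes, as a sniffer would hand it
 * over, and reports whether the byte after the buffer changed (1) or not (0). */
static int guard_clobbered(store_fn store, size_t len)
{
    unsigned char arena[CAP + 1];  /* buffer plus one guard byte */
    unsigned char pkt[CAP + 8];    /* constructed payload bytes */
    if (len > sizeof pkt)
        return -1;
    memset(pkt, 'A', sizeof pkt);
    memset(arena, 0, CAP);
    arena[CAP] = GUARD;
    (void)store(arena, CAP, pkt, len);
    return arena[CAP] != GUARD;
}

int main(void)
{
    printf("off-by-one, len=16: clobbered=%d\n", guard_clobbered(store_off_by_one, CAP));
    printf("checked,    len=16: clobbered=%d\n", guard_clobbered(store_checked, CAP));
    return 0;
}
```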
