Snort mailing list archives
Re: Promiscuous interface hacks?
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 01 May 2003 10:48:18 -0500
Thanks, Frank. Are you aware of any papers on this subject that deal with the technical details?
--On Thursday, May 01, 2003 10:38:03 AM -0500 Frank Knobbe <fknobbe () knobbeits com> wrote:
On Thu, 2003-05-01 at 09:47, Paul Schmehl wrote:Is anyone aware of any methods (or white papers describing methods) that describe ways that can be used to hack a box through a NIC that is in promiscuous mode? I'm curious because I'm wondering how serious the recent vulnerabilities in snort really are to a box that's set up in promiscuous mode.Paul, I would say that when you have an interface in promiscuous mode, most (if not all) of the time you also have a second interface in normal mode. So any buffer overflow in Snort, tcpdump, ethereal etc could lead to execution of code. That code could establish a connection back to the attacker (reverse shell). That does not have to occur on the same interface. Instead, when you create a socket, the system will probably route the packets through the interface with the IP address automatically. Even if the box only has one NIC, the code could just wipe out all data on the hard disk. As long as there are applications using data from the network (promiscuously or not), and these apps have vulnerabilities, you are at risk. In other words, don't differentiate between promiscuous mode and normal mode. :) Regards, Frank
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- VPN and UDP alerts Allan Dover (Apr 24)
- <Possible follow-ups>
- Re: VPN and UDP alerts Neil Dickey (Apr 25)
- Promiscuous interface hacks? Paul Schmehl (May 01)
- Re: Promiscuous interface hacks? Frank Knobbe (May 01)
- Re: Promiscuous interface hacks? Paul Schmehl (May 01)
- Re: Promiscuous interface hacks? Matt Kettler (May 01)
- Re: Promiscuous interface hacks? Paul Schmehl (May 01)
- Re: Promiscuous interface hacks? Matt Kettler (May 01)
- Re: Promiscuous interface hacks? Paul Schmehl (May 02)
- Promiscuous interface hacks? Paul Schmehl (May 01)
- Re: Promiscuous interface hacks? Frank Knobbe (May 01)
- Re: Promiscuous interface hacks? Paul Schmehl (May 02)
- Re: VPN and UDP alerts Allan Dover (Apr 28)
- Re: VPN and UDP alerts Allan Dover (Apr 29)