Snort mailing list archives

RE: Promiscuous interface hacks?

From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Thu, 1 May 2003 10:16:38 -0600

Much of this is based on the assumption that any of these given daemons are
being run by root or superuser, which in many cases is true.  I have
hopefully mitigated many of these potential incidents by running with an
unprivileged user.

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Thursday, May 01, 2003 9:38 AM
To: Paul Schmehl
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Promiscuous interface hacks?

On Thu, 2003-05-01 at 09:47, Paul Schmehl wrote:

Is anyone aware of any methods (or white papers describing methods) that 
describe ways that can be used to hack a box through a NIC that is in 
promiscuous mode?  I'm curious because I'm wondering how serious the

recent

vulnerabilities in snort really are to a box that's set up in promiscuous 
mode.



Paul,

I would say that when you have an interface in promiscuous mode, most
(if not all) of the time you also have a second interface in normal
mode. So any buffer overflow in Snort, tcpdump, ethereal etc could lead
to execution of code. That code could establish a connection back to the
attacker (reverse shell). That does not have to occur on the same
interface. Instead, when you create a socket, the system will probably
route the packets through the interface with the IP address
automatically.

Even if the box only has one NIC, the code could just wipe out all data
on the hard disk. As long as there are applications using data from the
network (promiscuously or not), and these apps have vulnerabilities, you
are at risk. In other words, don't differentiate between promiscuous
mode and normal mode. :)

Regards,
Frank





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: Promiscuous interface hacks? Slighter, Tim (May 01)
- snort decoder /dev/null (May 01)
- <Possible follow-ups>
- Re: Promiscuous interface hacks? Carl (May 02)