AntiSniff DNS Overflow Vulnerability
BID:1207
Info
AntiSniff DNS Overflow Vulnerability
| Bugtraq ID: | 1207 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | May 16 2000 12:00AM |
| Updated: | May 16 2000 12:00AM |
| Credit: | This problem was discovered by Hugo Breton ([email protected]) who works for PGCI http://www.pgci.ca and was published by L0pht/@Stake in a vendor advisory 5.15.2000. |
| Vulnerable: |
@Stake AntiSniff - Researchers Version 1.0 @Stake AntiSniff 1.0.1 |
| Not Vulnerable: | |
Discussion
AntiSniff DNS Overflow Vulnerability
Certain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.
This scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.
NOTE:
This information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.
Certain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.
This scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.
NOTE:
This information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.
Exploit / POC
AntiSniff DNS Overflow Vulnerability
exploit available
exploit available
Solution / Fix
AntiSniff DNS Overflow Vulnerability
Solution:
Immediate Solution:
Do not run the DNS tests on AntiSniff version 1.01 or the Researchers version 1.0. Download the newer version from http://www.l0pht.com/antisniff which are labeled AntiSniff version 1.02 for the commercial instance and AntiSniff version 1-1 for the researchers instance.
@Stake AntiSniff - Researchers Version 1.0
@Stake AntiSniff 1.0.1
Solution:
Immediate Solution:
Do not run the DNS tests on AntiSniff version 1.01 or the Researchers version 1.0. Download the newer version from http://www.l0pht.com/antisniff which are labeled AntiSniff version 1.02 for the commercial instance and AntiSniff version 1-1 for the researchers instance.
@Stake AntiSniff - Researchers Version 1.0
-
@Stake Inc. Researchers Version Upgrade
http://www.l0pht.com/antisniff/dist/anti_sniff_researchv1-1.tar.gz
@Stake AntiSniff 1.0.1
-
@Stake Inc. Version 1.02 AntiSniff - Windows version
http://www.l0pht.com/antisniff/dist/as-102.zip
References
AntiSniff DNS Overflow Vulnerability
References:
References:
- L0pht Research Labs/@Stake Advisories (L0pht/@Stake Inc.)