SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER CHAT IRC Ettercap parse overflow attempt
This event is generated when an attempt is made to exploit a known root exploit for the Ettercap network sniffer (version <= 0.6.2).

Impact: A remote attacker is able to gain a root shell on the host running ettercap.

Details: A buffer overflow in the parsing of IRC traffic for 'nick' passwords enables a remote attacker to execute code of their choice as root on the compromised host. It results from an unchecked string copy of the password captured from the packet into the buffer used to store all retrieved passwords. The same or very similar overflows exist for other string matches within this section of code in this and previous versions of ettercap. The exploit released by GOBBLES listens on port 0x8000 and provides a shell for the attacker. Since ettercap is generally run as root in order to have access to a promiscuous network interface, the shell will have uid=0 (root).

Ease of Attack: Simple. Exploit code was published by 'GOBBLES' on vuln-dev; the original posting can be seen here: http://online.securityfocus.com/archive/82/245128
Known false positives, with the described conditions
Unlikely, as an 'IDENTIFY' message should not be more than 200 bytes in normal usage.
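The unchecked copy described under Details and the 200-byte observation in the false-positive note, shown as an added C example that is neither ettercap's code nor part of the Snort documentation: a bounded extractor for a captured IDENTIFY password that also reports over-long messages. The buffer size, the function names and the sample IRC line are assumptions, and the 200-byte limit is applied here to the text from the keyword to the end of the line.

```c
#include <stdio.h>
#include <string.h>

#define PASS_BUF     64   /* assumed size of one stored-password slot */
#define IDENTIFY_MAX 200  /* threshold from the false-positive note */
enum { PW_NONE = -1, PW_OK = 0, PW_TRUNCATED = 1, PW_SUSPICIOUS = 2 };

/* Hypothetical collector routine. The flaw described above amounts to
 * strcpy(out, arg): the packet's sender decides how many bytes land in a
 * fixed buffer. Here the copy is bounded and the length is reported. */
int extract_identify(const char *line, char *out, size_t outlen)
{
    static const char kw[] = "IDENTIFY ";
    const char *msg = strstr(line, kw);
    if (msg == NULL || outlen == 0)
        return PW_NONE;
    const char *arg = msg + strlen(kw);
    size_t len = strcspn(arg, "\r\n");        /* argument ends at CR/LF */
    int status = PW_OK;
    if (strlen(kw) + len > IDENTIFY_MAX)
        status = PW_SUSPICIOUS;               /* longer than normal usage */
    else if (len >= outlen)
        status = PW_TRUNCATED;                /* ordinary length, does not fit */
    size_t n = len < outlen - 1 ? len : outlen - 1;
    memcpy(out, arg, n);                      /* at most outlen - 1 bytes */
    out[n] = '\0';
    return status;
}

/* Build a constructed IRC line whose password is pwlen 'A' bytes and run
 * it through the bounded extractor (sample input, not captured traffic). */
int check_constructed(size_t pwlen, char *out, size_t outlen)
{
    char line[512] = "PRIVMSG NickServ :IDENTIFY ";
    size_t off = strlen(line);
    if (pwlen > sizeof line - off - 3)
        pwlen = sizeof line - off - 3;        /* keep the sample inside line[] */
    memset(line + off, 'A', pwlen);
    memcpy(line + off + pwlen, "\r\n", 3);    /* CR, LF and terminating NUL */
    return extract_identify(line, out, outlen);
}

int main(void)
{
    char slot[PASS_BUF];
    int rc = check_constructed(300, slot, sizeof slot);
    printf("300-byte password: status %d, stored %zu bytes\n", rc, strlen(slot));
    return 0;
}
```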
Snort documentation contributed by Mark Vevers, Initial Research
Snort documentation contributed by Josh Gray, Edits
Cisco Talos
Brian Caswell
Nigel Houghton
No rule groups