Ethereal-users: Re: [Ethereal-users] Ethereal Security Issues

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 13 Jan 2005 13:36:28 -0500

Hi,

HM Wamboldt wrote:

> It's my understanding that the current design of Ethereal is such that
> malicious packets embedded in a protocol that is being monitored can
> possibly, or even likely, lead to the execution of arbitrary code as
> root. This could potentially give control of the machine to a remote
> attacker.
>
> It's also my understanding that with the current design it isn't even
> possible to give any assurance that the program is in any way secure.
>
> A further issue is that some of the protocol analysis code
> (dissectors) are from 3rd parties and have not been audited for
> security and might facilitate such an attack.
>
> Perhaps an Ethereal developer or someone more knowledgeable in
> Ethereal's internals would care to comment?
>
> I would like to know if the Ethereal development team has a strategy
> to improve security.

There's been a decent amount of discussion about this in the past (primarily on the development mailing list).

For a summary of the discussion, see the Wiki entry on Privilege Separation:

http://wiki.ethereal.com/Development_2fPrivilegeSeparation

Regards,
-Jeff