Good one, Paul. There's been a lot of buzz about this. I wish I had reported it when I first saw it a few years ago. ;-) I have mentioned this before on this list. (You heard it here first!)
I saw an awful case where a client logged into a database using an encrypted password. The next packet that it sent needed Ethernet padding and had the unencrypted password in the pad! I thought the user told me that a database bug fix stopped this from happening, but I'm guessing now that it could have still happened. The CERT vulnerability blames Ethernet drivers, not upper layers. I just spent an hour going through my trace files trying to find the particular case, but I can't find it. But I did verify that numerous Ethernet cards don't put 0s in the pad. I saw quite a bit of readable text (including "public") in the Ethernet padding of 60 byte frames.

Priscilla

Paul Borghese wrote:
>
> From Cert.org. The complete text may be found at
> http://www.kb.cert.org/vuls/id/412115
>
>
> The Ethernet standard (IEEE 802.3) specifies a minimum data field size
> of 46 bytes. If a higher layer protocol such as IP provides packet data
> that is smaller than 46 bytes, the device driver must fill the remainder
> of the data field with a "pad". For IP datagrams, RFC1042 specifies that
> "the data field should be padded (with octets of zero) to meet the IEEE
> 802 minimum frame size requirements."
>
> Researchers from @Stake have discovered that, contrary to the
> recommendations of RFC1042, many Ethernet device drivers fail to pad
> frames with null bytes. Instead, these device drivers reuse previously
> transmitted frame data to pad frames smaller than 46 bytes. This
> constitutes an information leakage vulnerability that may allow remote
> attackers to harvest potentially sensitive information. Depending upon
> the implementation of an affected device driver, the leaked information
> may originate from dynamic kernel memory, from static system memory
> allocated to the device driver, or from a hardware buffer located on the
> network interface card.
>
> Paul Borghese

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60770&t=60698
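The check Priscilla describes doing by hand (looking through trace files for readable text in the pad of 60-byte frames) can be automated. The following is an added example, not code from the post, the CERT note, or @Stake: it parses an Ethernet II/IPv4 frame, uses the IP Total Length field to find where the datagram ends, and reports whether the remaining pad bytes are all zero as RFC 1042 requires. The frames it audits are constructed inline (the `build_frame` helper and its MAC/IP values are made up for the demo); the "leaky" one simulates a driver that fills the pad from a previously transmitted buffer. It assumes captured frames carry no FCS, so the minimum frame is 60 bytes with a 46-byte data field.

```python
import struct
from typing import Optional

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_DATA = 46         # IEEE 802.3 minimum data field size (FCS excluded)
ETHERTYPE_IPV4 = 0x0800


def ipv4_total_length(frame: bytes) -> Optional[int]:
    """Return the IPv4 Total Length of the datagram in an Ethernet II frame,
    or None if the frame is not IPv4 (non-IP frames are not audited here)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    if frame[ETH_HDR_LEN] >> 4 != 4:      # IP version nibble
        return None
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]


def extract_padding(frame: bytes) -> bytes:
    """Bytes after the end of the IP datagram, i.e. the Ethernet pad.
    Empty if the datagram fills the frame or the frame is not IPv4."""
    total = ipv4_total_length(frame)
    if total is None:
        return b""
    end = ETH_HDR_LEN + total
    return frame[end:] if end < len(frame) else b""


def audit_padding(frame: bytes) -> dict:
    """Classify a frame's pad: RFC 1042 wants octets of zero.
    Any printable text in the pad is returned so an analyst can see
    what the driver leaked (e.g. the "public" Priscilla mentions)."""
    pad = extract_padding(frame)
    return {
        "pad_len": len(pad),
        "clean": all(b == 0 for b in pad),
        "printable": "".join(chr(b) for b in pad if 32 <= b < 127),
    }


def build_frame(ip_data: bytes, pad_source: bytes = b"") -> bytes:
    """Construct an Ethernet II + IPv4 frame for the demo (constructed sample
    data, not a real capture).  pad_source models the driver's transmit
    buffer: a correct driver leaves it empty, so the pad is all zeros."""
    total = 20 + len(ip_data)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total, 0x1234, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    pad_len = max(0, ETH_MIN_DATA - total)
    pad = pad_source[:pad_len].ljust(pad_len, b"\x00")
    return eth_hdr + ip_hdr + ip_data + pad


if __name__ == "__main__":
    clean = build_frame(b"\x01" * 8)
    leaky = build_frame(b"\x01" * 8, pad_source=b"public\x00GET /secret HTTP/1.0")
    for name, frame in (("zero-padded", clean), ("buffer-reuse", leaky)):
        print(f"{name:12s} {len(frame)}-byte frame: {audit_padding(frame)}")
```

On a real capture, feed each 60-byte IPv4 frame to `audit_padding`; a non-empty `printable` field or `clean == False` on frames sent by a given host is the signature of a driver that pads from stale buffers rather than with zeros. The same approach can be extended to IPv6 (Payload Length plus the 40-byte header) and ARP (fixed 28-byte body), which this example deliberately leaves unaudited.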