Rule:

--
Sid:
1382

--
Summary:
This event is generated when an attempt is made to exploit a known root exploit for the Ettercap Network Sniffer (version <= 0.6.2).

--
Impact:
A remote attacker is able to gain a root shell on a host running ettercap.

--
Detailed Information:
A buffer overflow in the parsing of IRC traffic for 'nick' passwords enables a remote attacker to execute code of their choice as root on the compromised host. This is the result of an unchecked string copy of the password captured from the packet into the buffer used to store all retrieved passwords. The same or very similar overflows exist for other string matches within this section of code in this and previous versions of ettercap.

The exploit released by GOBBLES listens on port 0x8000 and provides a shell for the attacker. Since ettercap is generally run as root in order to have access to a promiscuous network interface, the shell will have uid=0 (root).

--
Attack Scenarios:
Ettercap is likely to be deployed in 'sensitive' parts of the network where a network administrator is analysing passing traffic. A compromise of a host in such a position will not only reveal any passwords already captured by ettercap to the attacker, but gives the attacker ample opportunity to analyse passing network traffic for further useful information. The host will quite likely be used as a base for other attacks. Ettercap may also be installed on a compromised host for the purpose of monitoring or modifying traffic on the host's network.

--
Ease of Attack:
Simple - exploit code published by 'GOBBLES' on vuln-dev; the original posting can be seen here: http://online.securityfocus.com/archive/82/245128

--
False Positives:
Unlikely, as an 'IDENTIFY' message should not be more than 200 bytes in normal usage.

--
False Negatives:
Although the rule is a good match for the posted exploit, there are several other strings which would match in the vulnerable section of code. A better match might be obtained by specifying 'IDENTIFY ' with the datagram size (dsize) greater than 200, although this may introduce more false positives.

--
Corrective Action:
Upgrade to ettercap 0.6.3 or greater.

--
Contributors:
Snort documentation contributed by Mark Vevers (initial research)
Snort documentation contributed by Josh Gray (edits)
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
Attrition:
http://www.attrition.org/security/advisory/gobbles/GOBBLES-12.txt
Security Focus archive:
http://online.securityfocus.com/archive/82/245128

--
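The following is an added example, not part of the Snort documentation above and not Sourcefire's rule: a small Python re-implementation of the detection heuristic the False Negatives section describes (payload contains 'IDENTIFY ' and the datagram size exceeds 200 bytes), run over a few constructed IRC lines. The Packet class, the sample traffic, and the stricter "NickServ only" variant are assumptions made for the demonstration; the strict variant goes beyond the write-up and exists only to show how the false-positive trade-off the text mentions plays out.

```python
"""Added example: re-implementing the SID 1382 heuristic (content 'IDENTIFY ' + dsize > 200)
over constructed IRC traffic. Not the Snort rule itself and not ettercap code."""

from dataclasses import dataclass

IDENTIFY_TOKEN = b"IDENTIFY "
DSIZE_THRESHOLD = 200  # the write-up's bound: a normal IDENTIFY message stays under 200 bytes


@dataclass
class Packet:
    """Constructed stand-in for a captured TCP segment; only the fields the check needs."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_oversized_identify(payload: bytes, threshold: int = DSIZE_THRESHOLD) -> bool:
    """Mirror the rule's content + dsize test: 'IDENTIFY ' present and payload > threshold bytes."""
    return IDENTIFY_TOKEN in payload and len(payload) > threshold


def is_nickserv_identify(payload: bytes) -> bool:
    """Stricter variant (an assumption, not from the write-up): only fire on a PRIVMSG to NickServ,
    the command form a password-harvesting IRC parser actually consumes. Cuts the chatter
    false positive that the loose 'IDENTIFY ' match produces, at the cost of missing other forms."""
    upper = payload.upper()
    return upper.startswith(b"PRIVMSG NICKSERV") and IDENTIFY_TOKEN in payload


def scan(packets, threshold: int = DSIZE_THRESHOLD, strict: bool = False):
    """Return (index, dsize) for every packet that trips the heuristic.
    strict=True additionally requires the NickServ IDENTIFY form."""
    hits = []
    for i, pkt in enumerate(packets):
        if not is_oversized_identify(pkt.payload, threshold):
            continue
        if strict and not is_nickserv_identify(pkt.payload):
            continue
        hits.append((i, len(pkt.payload)))
    return hits


# Constructed sample traffic (not a capture): a NICK line, a benign IDENTIFY, an oversized
# IDENTIFY made of filler bytes, a short channel message, and a long channel message that
# happens to contain the word IDENTIFY (the false-positive case the write-up warns about).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 6667, b"NICK alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 6667, b"PRIVMSG NickServ :IDENTIFY correct-horse-battery\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 6667, b"PRIVMSG NickServ :IDENTIFY " + b"A" * 300 + b"\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 6667, b"PRIVMSG #chan :please IDENTIFY yourself\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 6667, b"PRIVMSG #chan :" + b"please IDENTIFY yourself; " * 10 + b"\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        label = "strict" if mode else "loose"
        for idx, size in scan(SAMPLE_PACKETS, strict=mode):
            p = SAMPLE_PACKETS[idx]
            print(f"[{label}] oversized IDENTIFY ({size} bytes) {p.src} -> {p.dst}:{p.dport}")
```

Run as-is, the loose mode flags both the oversized IDENTIFY and the long channel message, while the strict mode flags only the NickServ line; that difference is the false-positive trade-off the write-up describes when anchoring on 'IDENTIFY ' plus dsize alone.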