‘Etherleak: Ethernet Frame Padding Information Leakage’


‘Multiple platform Ethernet Network Interface Card (NIC) device drivers incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory. This vulnerability is the result of incorrect implementations of RFC requirements and poor programming practices, the combination of which results in several variations of this information leakage vulnerability.

The simplest attack using this vulnerability would be to send ICMP echo messages to a machine with a vulnerable Ethernet driver. Portions of kernel memory will be returned to the attacker in the padding of the reply messages. During testing we have found that the portions returned are typically snippets of network traffic that the vulnerable machine is handling. This attack can allow an attacker to see portions of the traffic that a router or firewall is handling on network segments the attacker has no direct access too. It is important to note that the attacker must be on the same Ethernet network as the vulnerable machine to receive the Ethernet frames.’


‘The original advisory can be downloaded from:
The information has been provided by Ofir Arkin and Josh Anderson of @Stake.’


‘@stake has prepared a detailed report on this issue. The vulnerability is explored in its various manifestations through code examples and packet captures.

Report available at:

Vendor Response:
Multiple platform and hardware vendors were contacted via the CERT Coordination Center on 06/25/02. Detailed vendor response information is available in CERT vulnerability note VU#412115.

Contact the vendor of your Ethernet device drivers or your hardware vendor for a patch.

End to end encryption technologies such as SSL, IPSEC, and SSH should be used when transmitting sensitive data over a network. Using encryption will help protect against this issue partly. It is not a complete solution because the kernel data leaked in the Ethernet frame padding is not always the IP packet data portion of a previous frame. Sometimes it is unencrypted IP header information or other kernel memory.’

Categories: News