CVE-2016-10665
CVE-2016-10665
In short
Herbivore, a packet sniffing library, downloads files over unencrypted HTTP, allowing attackers on the network to intercept and replace those files with malicious code, potentially taking control of a computer.
Technical detail
The vulnerability exists in herbivore ≤0.0.3's use of unencrypted HTTP for binary resource downloads, enabling man-in-the-middle attackers to perform arbitrary file substitution. An attacker positioned on the network path can intercept HTTP traffic and serve malicious binaries, resulting in remote code execution when the application loads the compromised resources.
Summary generated and translated by AI from the official description.
herbivore is a packet sniffing and crafting library. Built on libtins herbivore 0.0.3 and below download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Affected products
HackerOne · herbivore node moduleWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →