Description:
ettercap is a comprehensive suite for man-in-the-middle attacks.
Etterlog, which is part of the package, fails to handle a malformed log file produced by the fuzzer and crashes on a NULL pointer dereference in fingerprint_search() (ec_fingerprint.c) while printing a host's FINGERPRINT field.
The complete ASan output:
# etterlog $FILE
Log file version : 0.8.2
Timestamp : Thu Jul 16 15:28:54 2015 [688192]
Type : LOG_INFO
1766 tcp OS fingerprint
20530 mac vendor fingerprint
2182 known services
ASAN:DEADLYSIGNAL
=================================================================
==9987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4671a428b2 bp 0x7ffd1cdbf5b0 sp 0x7ffd1cdbf540 T0)
#0 0x7f4671a428b1 in fingerprint_search /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17
#1 0x7f4671a6ee4e in print_host /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_passive.c:120:8
#2 0x4fe769 in display_info /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:277:10
#3 0x4fe769 in display /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:52
#4 0x507818 in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_main.c:94:4
#5 0x7f46706e561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#6 0x41a408 in _start (/usr/bin/etterlog+0x41a408)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17 in fingerprint_search
==9987==ABORTING
etterlog 0.8.2 copyright 2001-2015 Ettercap Development Team
==================================================
IP address : 192.168.0.31
MAC address : 34:17:EB:9B:21:AD
MANUFACTURER : Dell Inc
DISTANCE : 0
TYPE : LAN host
FINGERPRINT : �
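The trace above shows the pattern: a fingerprint string taken straight from an untrusted log file reaches fingerprint_search(), which then touches a pointer it never checked. The following C program is an added illustration of how to consume such a field defensively; it is not ettercap's code, and the record width, the table contents, the function names (fp_field_is_valid, fp_search, fp_describe) and the sample records are all constructed for the example. The field is bounds-checked and character-validated before any lookup, and the lookup reports a status instead of returning a pointer the caller has to trust.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Constructed for this example: a fixed-width, NUL-padded fingerprint
 * field as a log parser might read it, and a tiny OS fingerprint table. */
#define FP_LEN 28

struct fp_entry { const char *fingerprint; const char *os; };

static const struct fp_entry fp_db[] = {
    {"0204:05B4:01:01:01:00", "Example OS A"},
    {"FFFF:0000:00:00:00:01", "Example OS B"},
};

enum fp_status { FP_FOUND = 0, FP_UNKNOWN = 1, FP_MALFORMED = 2 };

/* Validate a field coming from the file before it is used anywhere:
 * non-NULL, non-empty, NUL-terminated inside the field, and made only
 * of the characters the format allows (hex digits and ':'). A byte such
 * as 0xFF, which etterlog printed as a replacement character, is rejected. */
int fp_field_is_valid(const unsigned char *field, size_t field_len)
{
    size_t n = 0;
    if (field == NULL)
        return 0;
    while (n < field_len && field[n] != '\0') {
        if (!isxdigit(field[n]) && field[n] != ':')
            return 0;
        n++;
    }
    return n > 0 && n < field_len;
}

/* Search the table and return a status; *os is set only on FP_FOUND,
 * so no caller can dereference a missing result by accident. */
enum fp_status fp_search(const unsigned char *field, size_t field_len,
                         const char **os)
{
    if (os == NULL)
        return FP_MALFORMED;
    *os = NULL;
    if (!fp_field_is_valid(field, field_len))
        return FP_MALFORMED;
    for (size_t i = 0; i < sizeof fp_db / sizeof fp_db[0]; i++) {
        if (strcmp((const char *)field, fp_db[i].fingerprint) == 0) {
            *os = fp_db[i].os;
            return FP_FOUND;
        }
    }
    return FP_UNKNOWN;
}

/* What a display routine should do with the result: every status maps to
 * printable text and no path reads through a NULL pointer. */
const char *fp_describe(const unsigned char *field, size_t field_len)
{
    const char *os;
    switch (fp_search(field, field_len, &os)) {
    case FP_FOUND:   return os;
    case FP_UNKNOWN: return "UNKNOWN";
    default:         return "MALFORMED";
    }
}

int main(void)
{
    /* Constructed records: one well formed, one mimicking fuzzer garbage
     * (no terminator, bytes outside the allowed alphabet). */
    unsigned char good[FP_LEN] = "0204:05B4:01:01:01:00";
    unsigned char bad[FP_LEN];
    memset(bad, 0xff, sizeof bad);
    printf("good -> %s\n", fp_describe(good, sizeof good));
    printf("bad  -> %s\n", fp_describe(bad, sizeof bad));
    return 0;
}
```

The validation happens once, at the boundary where file bytes become a string, so the lookup and the display code can stay simple. A field that is unterminated, empty, or contains bytes outside the expected alphabet never reaches strcmp(), and an unknown but well-formed fingerprint is reported as UNKNOWN rather than treated as an error.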
Affected version:
0.8.2
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Timeline:
2016-08-10: bug discovered
2016-08-11: bug reported to upstream
2016-09-09: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
The stack trace is from a git version compiled when I reported the bug to upstream, but it is reproducible with 0.8.2 too.
Permalink:
ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)