Description:
ettercap is a comprehensive suite for man-in-the-middle attacks.
Etterlog, which is part of the package, fails to handle malformed log data produced by the fuzzer and exposes a NULL pointer dereference in fingerprint_search.
The complete ASan output:
# etterlog $FILE
Log file version : 0.8.2
Timestamp : Thu Jul 16 15:28:54 2015 [688192]
Type : LOG_INFO

1766 tcp OS fingerprint
20530 mac vendor fingerprint
2182 known services
ASAN:DEADLYSIGNAL
=================================================================
==9987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4671a428b2 bp 0x7ffd1cdbf5b0 sp 0x7ffd1cdbf540 T0)
    #0 0x7f4671a428b1 in fingerprint_search /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17
    #1 0x7f4671a6ee4e in print_host /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_passive.c:120:8
    #2 0x4fe769 in display_info /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:277:10
    #3 0x4fe769 in display /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:52
    #4 0x507818 in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_main.c:94:4
    #5 0x7f46706e561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x41a408 in _start (/usr/bin/etterlog+0x41a408)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17 in fingerprint_search
==9987==ABORTING
etterlog 0.8.2 copyright 2001-2015 Ettercap Development Team

==================================================
IP address : 192.168.0.31
MAC address : 34:17:EB:9B:21:AD
MANUFACTURER : Dell Inc
DISTANCE : 0
TYPE : LAN host
FINGERPRINT : �
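As an added illustration (not ettercap's code and not its log format), the defensive pattern the trace points at: a fingerprint lookup that refuses a NULL or unterminated argument, and a record parser that leaves the field marked absent on truncated input instead of handing a NULL pointer down the print_host -> fingerprint_search call chain. The table entries, the record layout and every function name here are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample fingerprint table (fingerprint string, OS label);
 * not ettercap's database. */
typedef struct { const char *fp; const char *os; } fp_entry;

static const fp_entry FP_TABLE[] = {
    {"FFFF:05B4:00:WS:0:1:1:1:A:3C", "Linux 2.6.x (sample)"},
    {"7FFF:05B4:00:WS:1:1:1:1:A:3C", "Windows (sample)"},
};
#define FP_LEN 28   /* fixed field length assumed for this example */

/* Guarded lookup. Returns the OS label, "UNKNOWN" for no match, or NULL
 * when the input is unusable. A NULL or unterminated field never reaches
 * strcmp, which is the class of failure the ASan trace above reports. */
const char *fingerprint_search_safe(const char *fp)
{
    if (fp == NULL)
        return NULL;
    /* require a NUL terminator exactly at FP_LEN (memchr is standard C) */
    const char *end = memchr(fp, '\0', FP_LEN + 1);
    if (end == NULL || (size_t)(end - fp) != FP_LEN)
        return NULL;
    for (size_t i = 0; i < sizeof FP_TABLE / sizeof FP_TABLE[0]; i++)
        if (strcmp(FP_TABLE[i].fp, fp) == 0)
            return FP_TABLE[i].os;
    return "UNKNOWN";
}

/* Hypothetical host record with a length-prefixed fingerprint field.
 * has_fp stays 0 unless the whole field was present in the input. */
typedef struct { char fp[FP_LEN + 1]; int has_fp; } host_record;

/* Parse one record from an untrusted buffer: 1 length byte, then the
 * fingerprint bytes. Returns 0 on success, -1 if the buffer is truncated
 * or the declared length is out of range. */
int parse_host_record(const unsigned char *buf, size_t len, host_record *rec)
{
    memset(rec, 0, sizeof *rec);
    if (buf == NULL || len < 1)
        return -1;
    size_t fplen = buf[0];
    if (fplen > FP_LEN || len < 1 + fplen)
        return -1;              /* declared length exceeds what we were given */
    memcpy(rec->fp, buf + 1, fplen);
    rec->fp[fplen] = '\0';
    rec->has_fp = 1;
    return 0;
}

/* Display step: only consult the lookup when the record actually carried a
 * fingerprint; otherwise print a placeholder instead of dereferencing NULL. */
const char *describe_host(const host_record *rec)
{
    const char *os = fingerprint_search_safe(rec->has_fp ? rec->fp : NULL);
    return os ? os : "(fingerprint unavailable)";
}

/* Convenience wrapper: parse a raw buffer and return the text to display. */
const char *lookup_from_buffer(const unsigned char *buf, size_t len)
{
    host_record rec;
    parse_host_record(buf, len, &rec);  /* failure leaves has_fp == 0 */
    return describe_host(&rec);
}

int main(void)
{
    /* constructed inputs: a complete record and a truncated one */
    const unsigned char ok[] = "\x1c" "FFFF:05B4:00:WS:0:1:1:1:A:3C";
    const unsigned char cut[] = "\x1c" "FFFF";
    printf("complete record : %s\n", lookup_from_buffer(ok, sizeof ok - 1));
    printf("truncated record: %s\n", lookup_from_buffer(cut, sizeof cut - 1));
    return 0;
}
```

The point of the split is that the parser, not the display code, decides whether a field exists, so a fuzzer-shortened record degrades to a placeholder rather than a crash; the same input fed to an unguarded lookup is what produces the SEGV on address 0 shown in the trace.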
Affected version:
0.8.2
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Timeline:
2016-08-10: bug discovered
2016-08-11: bug reported to upstream
2016-09-09: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
The stacktrace is from a git version compiled when I reported the bug to upstream, but the bug is reproducible with 0.8.2 too.
Permalink:
ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)