Description:
ettercap is a comprehensive suite for man in the middle attacks.
There is an heap overflow write in etterfilter if it parses a malformed filter.
The complete ASan output:
# etterfilter $FILE etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team 14 protocol tables loaded: DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth 13 constants loaded: VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP ================================================================= ==3961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000a8da at pc 0x7fb38ebea5b8 bp 0x7fff8bc36cc0 sp 0x7fff8bc36cb8 WRITE of size 1 at 0x61d00000a8da thread T0 #0 0x7fb38ebea5b7 in strescape /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23 #1 0x51342c in encode_const /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_encode.c:134:27 #2 0x538e70 in yylex /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/etterfilter/ef_syntax.l:173:8 #3 0x53fe67 in yyparse /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/ef_grammar.c:1223:16 #4 0x51fadf in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_main.c:81:8 #5 0x7fb38d81178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #6 0x41abf8 in _start (/usr/bin/etterfilter+0x41abf8) AddressSanitizer can not describe address in more detail (wild memory access suspected). SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23 in strescape Shadow bytes around the buggy address: 0x0c3a7fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c3a7fff9510: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa 0x0c3a7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff9560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3961==ABORTING
Affected version:
0.8.2
Fixed version:
N/A
Commit fix:
https://github.com/Ettercap/ettercap/commit/1083d604930ebb9f350126b83802ecd2cbc17f90
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-8366
Reproducer:
https://github.com/asarubbo/poc/blob/master/00224-ettercap-heapoverflow-strescape
Timeline:
2017-03-21: bug discovered and reported to upstream
2017-04-29: blog post about the issue
2017-04-30: CVE assigned
2017-06-04: Upstream released a fix
Note:
This bug was found with American Fuzzy Lop.
Permalink:
4 Responses to ettercap: etterfilter: heap-based buffer overflow write