ettercap: etterfilter: heap-based buffer overflow write

Description:
ettercap is a comprehensive suite for man in the middle attacks.

There is an heap overflow write in etterfilter if it parses a malformed filter.

The complete ASan output:

# etterfilter $FILE
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 14 protocol tables loaded:                                                                                                                                                                                       
        DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth                                                                                                                                            

 13 constants loaded:
        VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP 

=================================================================
==3961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000a8da at pc 0x7fb38ebea5b8 bp 0x7fff8bc36cc0 sp 0x7fff8bc36cb8
WRITE of size 1 at 0x61d00000a8da thread T0
    #0 0x7fb38ebea5b7 in strescape /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23
    #1 0x51342c in encode_const /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_encode.c:134:27
    #2 0x538e70 in yylex /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/etterfilter/ef_syntax.l:173:8
    #3 0x53fe67 in yyparse /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/ef_grammar.c:1223:16
    #4 0x51fadf in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_main.c:81:8
    #5 0x7fb38d81178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41abf8 in _start (/usr/bin/etterfilter+0x41abf8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23 in strescape
Shadow bytes around the buggy address:
  0x0c3a7fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a7fff9510: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c3a7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff9560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3961==ABORTING

Affected version:
0.8.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8366

Reproducer:
https://github.com/asarubbo/poc/blob/master/00224-ettercap-heapoverflow-strescape

Timeline:
2017-03-21: bug discovered and reported to upstream
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

ettercap: etterfilter: heap-based buffer overflow write

This entry was posted in advisories, security. Bookmark the permalink.

3 Responses to ettercap: etterfilter: heap-based buffer overflow write

  1. Alexander Koeppe (koeppea) says:

    Hi,

    can you please help to reproduce?
    I’ve tried on my machine but wasn’t able.
    See my comments on you reported issue on Github: https://github.com/Ettercap/ettercap/issues/792.

    Reply
      • Alexander Koeppe (koeppea) says:

        Could you describe the steps or the environment or tools to reproduce the issue. Can you also confirm the integrity of your reproducer file is correct: SHA256 hash on my machine: 4143050e86d4497fb02e4570e0e06e2b501b197a3e54f0eb70b7453a2834fa29.
        Thanks.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *