{"id":1700,"date":"2017-04-29T16:19:15","date_gmt":"2017-04-29T14:19:15","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1700"},"modified":"2017-06-28T14:24:19","modified_gmt":"2017-06-28T12:24:19","slug":"ettercap-etterfilter-heap-based-buffer-overflow-write","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/29\/ettercap-etterfilter-heap-based-buffer-overflow-write\/","title":{"rendered":"ettercap: etterfilter: heap-based buffer overflow write"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/ettercap.github.io\/ettercap\/\">ettercap<\/a> is a comprehensive suite for man in the middle attacks.<\/p>\n<p>There is an heap overflow write in etterfilter if it parses a malformed filter.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># etterfilter $FILE\r\netterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team                                                                                                                                                   \r\n                                                                                                                                                                                                                  \r\n                                                                                                                                                                                                                  \r\n 14 protocol tables loaded:                                                                                                                                                                                       \r\n        DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth                                                                                                                                            \r\n\r\n 13 constants loaded:\r\n        VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP \r\n\r\n=================================================================\r\n==3961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000a8da at pc 0x7fb38ebea5b8 bp 0x7fff8bc36cc0 sp 0x7fff8bc36cb8\r\nWRITE of size 1 at 0x61d00000a8da thread T0\r\n    #0 0x7fb38ebea5b7 in strescape \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/src\/ec_strings.c:182:23\r\n    #1 0x51342c in encode_const \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterfilter\/ef_encode.c:134:27\r\n    #2 0x538e70 in yylex \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999_build\/utils\/etterfilter\/ef_syntax.l:173:8\r\n    #3 0x53fe67 in yyparse \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999_build\/utils\/ef_grammar.c:1223:16\r\n    #4 0x51fadf in main \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterfilter\/ef_main.c:81:8\r\n    #5 0x7fb38d81178f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41abf8 in _start (\/usr\/bin\/etterfilter+0x41abf8)\r\n\r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/src\/ec_strings.c:182:23 in strescape\r\nShadow bytes around the buggy address:\r\n  0x0c3a7fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0c3a7fff9510: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa\r\n  0x0c3a7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c3a7fff9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c3a7fff9560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==3961==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.8.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/Ettercap\/ettercap\/commit\/1083d604930ebb9f350126b83802ecd2cbc17f90\">https:\/\/github.com\/Ettercap\/ettercap\/commit\/1083d604930ebb9f350126b83802ecd2cbc17f90<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-8366<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00224-ettercap-heapoverflow-strescape\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00224-ettercap-heapoverflow-strescape<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-03-21: bug discovered and reported to upstream<br \/>\n2017-04-29: blog post about the issue<br \/>\n2017-04-30: CVE assigned<br \/>\n2017-06-04: Upstream released a fix<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"gbUtHY8nFX\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/04\/29\/ettercap-etterfilter-heap-based-buffer-overflow-write\/\">ettercap: etterfilter: heap-based buffer overflow write<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/04\/29\/ettercap-etterfilter-heap-based-buffer-overflow-write\/embed\/#?secret=gbUtHY8nFX\" data-secret=\"gbUtHY8nFX\" width=\"600\" height=\"338\" title=\"&#8220;ettercap: etterfilter: heap-based buffer overflow write&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: ettercap is a comprehensive suite for man in the middle attacks. There is an heap overflow write in etterfilter if it parses a malformed filter. The complete ASan output: # etterfilter $FILE etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/29\/ettercap-etterfilter-heap-based-buffer-overflow-write\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-rq","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1700"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1700"}],"version-history":[{"count":4,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1700\/revisions"}],"predecessor-version":[{"id":1925,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1700\/revisions\/1925"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}