{"id":474,"date":"2016-09-06T10:23:07","date_gmt":"2016-09-06T08:23:07","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=474"},"modified":"2016-09-09T16:12:20","modified_gmt":"2016-09-09T14:12:20","slug":"ettercap-etterlog-multiple-three-heap-based-buffer-overflow-el_profiles-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/06\/ettercap-etterlog-multiple-three-heap-based-buffer-overflow-el_profiles-c\/","title":{"rendered":"ettercap: etterlog: multiple (three) heap-based buffer overflow (el_profiles.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/ettercap.github.io\/ettercap\/\">ettercap<\/a> is a comprehensive suite for man in the middle attacks.<\/p>\n<p>Etterlog, which is part of the package, does not validate malformed log data (here produced by the fuzzer) and reads past the end of heap-allocated buffers while parsing it: in each of the three cases below, memcmp is called with a length larger than the calloc()-allocated region it compares against.<\/p>\n<p>Since there are three issues, to keep it short I&#8217;m trimming the ASan output a bit.<\/p>\n<pre><font size=\"2\"># etterlog $FILE\r\n==10077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000dac0 at pc 0x00000047b8cf bp 0x7ffdc6850580 sp 0x7ffdc684fd30\r\nREAD of size 43780 at 0x60e00000dac0 thread T0\r\n    #0 0x47b8ce in memcmp \/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:418\r\n    #1 0x50e26e in profile_add_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:106:12\r\n    #2 0x4f3d3a in create_hosts_list \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_analyze.c:128:7
\r\n    #3 0x4fcf0c in display_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:218:4\r\n    #4 0x4fcf0c in display \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:52\r\n    #5 0x507818 in main \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_main.c:94:4\r\n    #6 0x7faa8656161f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #7 0x41a408 in _start (\/usr\/bin\/etterlog+0x41a408)\r\n\r\n0x60e00000dac0 is located 0 bytes to the right of 160-byte region [0x60e00000da20,0x60e00000dac0)\r\nallocated by thread T0 here:\r\n    #0 0x4c1ae0 in calloc \/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x50e215 in profile_add_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:99:4\r\n\r\n\r\n==10144==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000efa0 at pc 0x00000047b8cf bp 0x7ffe22881090 sp 0x7ffe22880840\r\nREAD of 
size 256 at 0x60600000efa0 thread T0\r\n    #0 0x47b8ce in memcmp \/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:418\r\n    #1 0x50ff6f in update_user_list \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:251:12\r\n    #2 0x50e555 in profile_add_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:91:10\r\n    #3 0x4f3d3a in create_hosts_list \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_analyze.c:128:7\r\n    #4 0x4fcf0c in display_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:218:4\r\n    #5 0x4fcf0c in display \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:52\r\n    #6 0x507818 in main \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_main.c:94:4\r\n    #7 0x7f53a781461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #8 0x41a408 in _start (\/usr\/bin\/etterlog+0x41a408)\r\n\r\n0x60600000efa0 is located 0 bytes to the right of 64-byte region [0x60600000ef60,0x60600000efa0)\r\nallocated by thread T0 here:\r\n    #0 0x4c1ae0 in calloc \/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x50ffea in update_user_list \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:256:4\r\n\r\n\r\n==10212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000de40 at pc 0x00000047b8cf bp 0x7ffe0a6b9460 sp 0x7ffe0a6b8c10\r\nREAD of size 37636 at 0x60e00000de40 thread T0\r\n    #0 0x47b8ce in memcmp 
\/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:418\r\n    #1 0x50e1a3 in profile_add_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:89:12\r\n    #2 0x4f3d3a in create_hosts_list \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_analyze.c:128:7\r\n    #3 0x4fcf0c in display_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:218:4\r\n    #4 0x4fcf0c in display \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:52\r\n    #5 0x507818 in main \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_main.c:94:4\r\n    #6 0x7f562119261f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #7 0x41a408 in _start (\/usr\/bin\/etterlog+0x41a408)\r\n\r\n0x60e00000de40 is located 0 bytes to the right of 160-byte region [0x60e00000dda0,0x60e00000de40)\r\nallocated by thread T0 here:\r\n    #0 0x4c1ae0 in calloc \/var\/tmp\/temp\/portage\/sys-devel\/llvm-3.8.0-r2\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x50e215 in profile_add_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_profiles.c:99:4\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.8.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-10: bug discovered<br \/>\n2016-08-11: bug reported to upstream<br \/>\n2016-09-06: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br 
\/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThe stack trace is from a git version compiled when I reported the bug to upstream, but the issue is reproducible with 0.8.2 too.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/06\/ettercap-etterlog-multiple-three-heap-based-buffer-overflow-el_profiles-c\/\">ettercap: etterlog: multiple (three) heap-based buffer overflow (el_profiles.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: ettercap is a comprehensive suite for man in the middle attacks. Etterlog, which is part of the package, does not validate malformed log data (here produced by the fuzzer) and reads past the end of heap-allocated buffers while parsing it. 
Since there are three issues, to make it &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/06\/ettercap-etterlog-multiple-three-heap-based-buffer-overflow-el_profiles-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-7E","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/474"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=474"}],"version-history":[{"count":7,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/474\/revisions"}],"predecessor-version":[{"id":495,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/474\/revisions\/495"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
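Added example (not ettercap's code, and not the upstream fix, which the post above lists as N/A): the three ASan reports share one shape, a memcmp in el_profiles.c whose length argument exceeds the calloc'd object it reads from (43780 and 37636 bytes against 160-byte regions, 256 against a 64-byte one). The C below reproduces that pattern on a constructed record format, a u32 little-endian length followed by a payload. That layout, the names host_profile, log_record, parse_record, make_record, profile_match_unsafe, profile_match_safe and demo, and the 160-byte field size are all assumptions of this example, not etterlog's real log format or code. It shows the two checks that stop the read: refusing a record whose claimed length does not fit the data actually present, and comparing with the field's own size rather than the length taken from the file.

```c
/* Added example, not ettercap's code. Reproduces the bug *pattern* behind the
 * ASan reports (a length read from the log file drives memcmp over a fixed-size
 * calloc'd struct) and the bounds checks that prevent it. Every name and the
 * record layout below are hypothetical stand-ins, not etterlog's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FP_LEN 160u          /* fixed field size; 160 matches the calloc'd region in the first report */

struct host_profile {        /* hypothetical stand-in for the per-host profile struct */
    uint8_t fingerprint[FP_LEN];
};

struct log_record {          /* one parsed record: length claimed by the file + payload pointer */
    uint32_t len;
    const uint8_t *data;
};

/* Parse "u32 little-endian length || payload" from a constructed buffer.
 * Returns 1 on success, 0 if the header or the claimed payload does not fit. */
static int parse_record(const uint8_t *buf, size_t buflen, struct log_record *out)
{
    if (buflen < 4)
        return 0;
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (len > buflen - 4)    /* header lies about the payload size: refuse it */
        return 0;
    out->len = len;
    out->data = buf + 4;
    return 1;
}

/* VULNERABLE pattern: the record's own length is handed to memcmp, so a record
 * claiming 43780 bytes makes memcmp read 43780 bytes out of a 160-byte heap
 * object. ASan reports that as "heap-buffer-overflow ... READ of size 43780". */
static int profile_match_unsafe(const struct host_profile *p, const struct log_record *r)
{
    return memcmp(p->fingerprint, r->data, r->len) == 0;
}

/* HARDENED: compare exactly the field size, and treat a record whose length
 * disagrees as malformed. Returns 1 = match, 0 = mismatch, -1 = malformed. */
static int profile_match_safe(const struct host_profile *p, const struct log_record *r)
{
    if (r->len != FP_LEN)
        return -1;
    return memcmp(p->fingerprint, r->data, FP_LEN) == 0;
}

/* Build a constructed record: len as u32 LE, then payload. Returns bytes written. */
static size_t make_record(uint8_t *dst, uint32_t len, const uint8_t *payload, size_t payload_len)
{
    dst[0] = len & 0xff;         dst[1] = (len >> 8) & 0xff;
    dst[2] = (len >> 16) & 0xff; dst[3] = (len >> 24) & 0xff;
    memcpy(dst + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Demo: a well-formed record matches on both paths; a record that claims 43780
 * bytes (the size in the first report) is refused by the parser, and even if a
 * parser let it through, profile_match_safe still refuses to compare it.
 * Returns 0 when every step behaves as expected, 1 otherwise. */
int demo(void)
{
    struct host_profile *p = calloc(1, sizeof *p);   /* same 160-byte heap object as in the trace */
    if (!p) return 1;
    memset(p->fingerprint, 0x41, FP_LEN);

    uint8_t file[4 + FP_LEN];                         /* constructed "log file" */
    struct log_record rec;
    int rc = 1;

    make_record(file, FP_LEN, p->fingerprint, FP_LEN);
    if (parse_record(file, sizeof file, &rec) &&
        profile_match_safe(p, &rec) == 1 && profile_match_unsafe(p, &rec) == 1) {
        make_record(file, 43780u, p->fingerprint, FP_LEN);   /* header lies: 43780 bytes claimed, 160 present */
        if (!parse_record(file, sizeof file, &rec)) {
            rec.len = 43780u;                                 /* pretend a sloppy parser accepted it anyway */
            rec.data = file + 4;
            rc = (profile_match_safe(p, &rec) == -1) ? 0 : 1; /* unsafe path here would be the OOB memcmp */
        }
    }
    free(p);
    return rc;
}

int main(void)
{
    int rc = demo();
    puts(rc == 0 ? "bounds checks behave as expected" : "unexpected result");
    return rc;
}
```

Build with `cc -g -fsanitize=address example.c` and run it; the demo deliberately sends the lying record only through the safe path, since the unsafe read is undefined behaviour. Swapping in `profile_match_unsafe` at that point produces the same kind of `heap-buffer-overflow ... READ` report in `memcmp` that the post shows, which is also the quickest way to confirm a fix: the sanitized binary must stay silent on the fuzzer's file.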