{"id":482,"date":"2016-09-09T16:12:20","date_gmt":"2016-09-09T14:12:20","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=482"},"modified":"2016-09-09T16:12:20","modified_gmt":"2016-09-09T14:12:20","slug":"ettercap-etterlog-null-pointer-dereference-in-fingerprint_search-ec_fingerprint-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/09\/ettercap-etterlog-null-pointer-dereference-in-fingerprint_search-ec_fingerprint-c\/","title":{"rendered":"ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/ettercap.github.io\/ettercap\/\">ettercap<\/a> is a comprehensive suite for man in the middle attacks.<\/p>\n<p>Etterlog, which is part of the package, fails to read malformed data produced from the fuzzer and makes visible a NULL pointer access.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># etterlog $FILE\r\nLog file version    : 0.8.2                                                                                                                                                                    \r\nTimestamp           : Thu Jul 16 15:28:54 2015 [688192]                                                                                                                                        \r\nType                : LOG_INFO                                                                                                                                                                 \r\n\r\n1766 tcp OS fingerprint                                                                                                                                                                        \r\n\r\n20530 mac vendor fingerprint                                                                                                                                                                   \r\n\r\n2182 known services                                                                                                                                                                            \r\n\r\nASAN:DEADLYSIGNAL                                                                                                                                                                              \r\n=================================================================                                                                                                                              \r\n==9987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4671a428b2 bp 0x7ffd1cdbf5b0 sp 0x7ffd1cdbf540 T0)                                                             \r\n    #0 0x7f4671a428b1 in fingerprint_search \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/src\/ec_fingerprint.c:189:17                                                             \r\n    #1 0x7f4671a6ee4e in print_host \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/src\/ec_passive.c:120:8                                                                          \r\n    #2 0x4fe769 in display_info \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:277:10                                                                  \r\n    #3 0x4fe769 in display \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_display.c:52                                                                           \r\n    #4 0x507818 in main \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/utils\/etterlog\/el_main.c:94:4                                                                               \r\n    #5 0x7f46706e561f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                        \r\n    #6 0x41a408 in _start (\/usr\/bin\/etterlog+0x41a408)                                                                                                                                         \r\n\r\nAddressSanitizer can not provide additional info.                                                                                                                                              \r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/net-analyzer\/ettercap-9999\/work\/ettercap-9999\/src\/ec_fingerprint.c:189:17 in fingerprint_search                                                   \r\n==9987==ABORTING                                                                                                                                                                               \r\n\r\netterlog 0.8.2 copyright 2001-2015 Ettercap Development Team                                                                                                                                   \r\n\r\n\r\n\r\n==================================================\r\n IP address   : 192.168.0.31 \r\n\r\n MAC address  : 34:17:EB:9B:21:AD \r\n MANUFACTURER : Dell Inc \r\n\r\n DISTANCE     : 0   \r\n TYPE         : LAN host\r\n\r\n FINGERPRINT      : \ufffd\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.8.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-10: bug discovered<br \/>\n2016-08-11: bug reported to upstream<br \/>\n2016-09-09: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThe stacktrace is about a git version compiled when I reported the bug to upstream, but is reproducible with 0.8.2 too.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"9UyzQXCQKa\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/09\/ettercap-etterlog-null-pointer-dereference-in-fingerprint_search-ec_fingerprint-c\/\">ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/09\/ettercap-etterlog-null-pointer-dereference-in-fingerprint_search-ec_fingerprint-c\/embed\/#?secret=9UyzQXCQKa\" data-secret=\"9UyzQXCQKa\" width=\"600\" height=\"338\" title=\"&#8220;ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: ettercap is a comprehensive suite for man in the middle attacks. Etterlog, which is part of the package, fails to read malformed data produced from the fuzzer and makes visible a NULL pointer access. The complete ASan output: # &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/09\/ettercap-etterlog-null-pointer-dereference-in-fingerprint_search-ec_fingerprint-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-7M","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/482"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=482"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/482\/revisions"}],"predecessor-version":[{"id":494,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/482\/revisions\/494"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}