oss-sec mailing list archives
ettercap: etterfilter: heap-based buffer overflow write
From: "Agostino Sarubbo" <ago () gentoo org>
Date: Mon, 1 May 2017 11:30:37 +0000
Description:
ettercap is a comprehensive suite for man in the middle attacks.

There is a heap overflow write in etterfilter if it parses a malformed filter.

The complete ASan output:

# etterfilter $FILE

etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team

14 protocol tables loaded:
        DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth

13 constants loaded:
        VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP

=================================================================
==3961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000a8da at pc 0x7fb38ebea5b8 bp 0x7fff8bc36cc0 sp 0x7fff8bc36cb8
WRITE of size 1 at 0x61d00000a8da thread T0
    #0 0x7fb38ebea5b7 in strescape /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23
    #1 0x51342c in encode_const /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_encode.c:134:27
    #2 0x538e70 in yylex /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/etterfilter/ef_syntax.l:173:8
    #3 0x53fe67 in yyparse /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/ef_grammar.c:1223:16
    #4 0x51fadf in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_main.c:81:8
    #5 0x7fb38d81178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41abf8 in _start (/usr/bin/etterfilter+0x41abf8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23 in strescape
Shadow bytes around the buggy address:
  0x0c3a7fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a7fff9510: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c3a7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff9560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3961==ABORTING

Affected version:
0.8.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8366

Reproducer:
https://github.com/asarubbo/poc/blob/master/00224-ettercap-heapoverflow-strescape

Timeline:
2017-03-21: bug discovered and reported to upstream
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/29/ettercap-etterfilter-heap-based-buffer-overflow-write/

--
Agostino Sarubbo
Gentoo Linux Developer
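
Added example, not part of the original post and not ettercap or Gentoo code: a small triage helper that reads an ASan report like the one quoted above and derives an address-independent bucket key, so repeated crashes from a fuzzing run that hit the same `strescape` write are grouped together. The names `parse_asan` and `bucket_key` are hypothetical, and the frame regex assumes C symbol names without spaces.

```python
import re

# Excerpt of the ASan report quoted in the advisory above (header, access line, stack).
REPORT = """\
==3961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000a8da at pc 0x7fb38ebea5b8 bp 0x7fff8bc36cc0 sp 0x7fff8bc36cb8
WRITE of size 1 at 0x61d00000a8da thread T0
    #0 0x7fb38ebea5b7 in strescape /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_strings.c:182:23
    #1 0x51342c in encode_const /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_encode.c:134:27
    #2 0x538e70 in yylex /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/etterfilter/ef_syntax.l:173:8
    #3 0x53fe67 in yyparse /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999_build/utils/ef_grammar.c:1223:16
    #4 0x51fadf in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterfilter/ef_main.c:81:8
    #5 0x7fb38d81178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41abf8 in _start (/usr/bin/etterfilter+0x41abf8)
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<kind>READ|WRITE) of size (?P<size>\d+) at", re.M)
FRAME = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


def parse_asan(report):
    """Return bug class, access kind/size and the faulting stack, or None if no report."""
    head, acc = HEADER.search(report), ACCESS.search(report)
    if not head or not acc:
        return None
    frames = []
    for m in FRAME.finditer(report, acc.end()):
        if int(m["n"]) != len(frames):  # numbering restarted: an allocation/free stack follows
            break
        path, _, rest = m["loc"].partition(":")
        line = int(rest.split(":")[0]) if rest else None  # None for "(module+0xoff)" frames
        frames.append((m["func"], path.rsplit("/", 1)[-1], line))
    return {"bug": head["bug"], "access": acc["kind"], "size": int(acc["size"]), "frames": frames}


def bucket_key(info, depth=3):
    """Key built from bug class, access kind and top frames; addresses are left out."""
    return ":".join([info["bug"], info["access"], ">".join(f[0] for f in info["frames"][:depth])])


if __name__ == "__main__":
    info = parse_asan(REPORT)
    print(bucket_key(info), info["frames"][0])
```

Frame #0 is where the invalid write happened; frames #1 and below show how the parser reached it, which is why the key uses the top of the stack rather than the crash address.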