Vulnerability Development mailing list archives
Re:Potential hole in Ettercap 0.6.2
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Tue, 4 Dec 2001 16:44:41 -0500 (EST)
On Tue, 4 Dec 2001, ALoR wrote:
<full disclosure>
the problem was a forgotten "printf(buffer)" in the Interface_WExit(char *buffer) function.
so to fix it simply replace the line 1252 of ec_interface.c with
printf("%s", buffer);
</full disclosure>
among other problems. analysis of the gobbles exploit [1] shows its abuse
of the update process that gets done. in src/ec_main.c:
441 void Main_Check_NewRelease(void)
[snip]
532     if (answer == 'y' || answer == 'Y')
533     {
534         char wget[100];
535         sprintf(wget, "wget http://%s/download/ettercap-%s.tar.gz", host, latest);
536         system(wget);
537     }
so i set my path to be .:$PATH and make my own wget, and what gets
executed is ./wget. an example one i got to work is:
#!/bin/sh
id
it honors the permissions of the caller ... this is just executing
ettercap -v, the update path ...
yeah. there are some format string problems. and there are probably a
bunch of other problems. the one gobbles was seeing was likely caused by
the error function 'void Error_msg(char *message, ...)' which doesn't do
any formatting.
you have many issues to fix in the code, it appears. i would disable the
suid option. yeah, it's moronic to install it suid root. however even
marginally respecting it (and dropping your priv checks) is a bad idea
until you can more aggressively audit the code, a time consuming process,
yes. it's a nice tool, i hope you can fix the problems in it.
notes
[1] if you don't know where to get gobbles goods by now ... pay more
attention.
____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
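A hardened version of the update step quoted in the message above, written as an added example rather than ettercap's own code: it validates the server-supplied host and version strings, builds the URL with a bounded snprintf and refuses on truncation, drops setuid privileges in the child, and execs wget by absolute path with a fixed PATH instead of handing a shell command to system(). The path /usr/bin/wget and the allowed character sets are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if s is non-empty and every character is in `allowed`. */
static int all_in(const char *s, const char *allowed) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!strchr(allowed, *s)) return 0;
    return 1;
}

/* Build the download URL into a caller-supplied buffer.
 * Returns 0 on success, -1 if an argument looks unsafe or would not fit.
 * (The original sprintf into char[100] trusted `latest` from the network.) */
int build_update_url(const char *host, const char *latest, char *out, size_t outlen) {
    if (!all_in(host, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"))
        return -1;
    if (!all_in(latest, "0123456789."))   /* assumed: versions are digits and dots */
        return -1;
    int n = snprintf(out, outlen, "http://%s/download/ettercap-%s.tar.gz", host, latest);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* truncated: refuse, don't run */
    return 0;
}

/* Run wget on the URL with no shell, by absolute path, with privileges dropped
 * to the real user in the child so a PATH trick cannot yield root.
 * Returns wget's exit status, or -1 on failure. */
int run_update(const char *url) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Permanently give up setuid/setgid privilege before running external code. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        char *const argv[] = {"wget", (char *)url, NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};   /* ignore caller's PATH */
        execve("/usr/bin/wget", argv, envp);                 /* assumed location */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```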
