lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMZSfUicGKMbsA5MN-5KDn3AwK9imFdaHvdwt8XRCwXN_idSow@mail.gmail.com>
Date: Mon, 6 Mar 2017 18:29:51 +0530
From: Aromal Raj <ddos2me@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in
 Ettercap Etterfilter utility

Document Title:
===============
CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap
Etterfilter utility

Vendor:
=======
Ettercap (http://ettercap.github.io/ettercap/)

Product and Versions Affected:
==============================
Etterfilter 0.8.2 and possibly prior.

Vulnerability Type:
===================
Denial-of-Service

CVE Reference:
==============
CVE-2017-6430

Vulnerability Details:
======================
Etterfilter utility of Ettercap have an out-of-bounds read
denial-of-service vulnerability when parsing a crafted file. This occurs in
the compile_tree function of the ef_compiler.c source file when processing
corrupted filters.

Valgrind Output:
================
raras@...ntu:~/Desktop$ valgrind etterfilter ~/Desktop/crash
==25860== Memcheck, a memory error detector
==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25860== Command: etterfilter /home/raras/Desktop/crash
==25860==
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file '/home/raras/Desktop/crash' done.
BUG at
[/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242]
tree_root == NULL
==25860== Invalid read of size 8
==25860== at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd
==25860== at 0x4C2CC70: calloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25860== by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter)
==25860== by 0x4023AF: main (in /usr/local/bin/etterfilter)
==25860==
==25860== Invalid read of size 8
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25860==
==25860==
==25860== Process terminating with default action of signal 11 (SIGSEGV)
==25860== Access not within mapped region at address 0x0
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== If you believe this happened as a result of a stack
==25860== overflow in your program's main thread (unlikely but
==25860== possible), you can try to increase the size of the
==25860== main thread stack using the --main-stacksize= flag.
==25860== The main thread stack size used in this run was 8388608.
==25860==
==25860== HEAP SUMMARY:
==25860== in use at exit: 29,146 bytes in 536 blocks
==25860== total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated
==25860==
==25860== LEAK SUMMARY:
==25860== definitely lost: 8 bytes in 1 blocks
==25860== indirectly lost: 0 bytes in 0 blocks
==25860== possibly lost: 0 bytes in 0 blocks
==25860== still reachable: 29,138 bytes in 535 blocks
==25860== suppressed: 0 bytes in 0 blocks
==25860== Rerun with --leak-check=full to see details of leaked memory
==25860==
==25860== For counts of detected and suppressed errors, rerun with: -v
==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

Patch:
======
 utils/etterfilter/ef_compiler.c
 @@ -239,7 +239,9 @@ size_t compile_tree(struct filter_op **fop)
     struct filter_op *array = NULL;
     struct unfold_elm *ue;

 -   BUG_IF(tree_root == NULL);
 +   // invalid file
 +   if (tree_root == NULL)
 +      return 0;

     fprintf(stdout, " Unfolding the meta-tree ");
     fflush(stdout);


References and Fix:
===================
https://github.com/Ettercap/ettercap/issues/782
https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506


Vulnerability Disclosure Timeline:
==================================
2017-02-07: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ