Vulners
Lucene search
Ettercap 0.8.2 Etterfilter Out-Of-Bounds Read Vulnerability
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | [ASA-201709-16] ettercap: multiple issues | 18 Sep 201700:00 | – | archlinux |
 | ettercap -- out-of-bound read vulnerability | 1 Jul 201900:00 | – | freebsd |
 | CVE-2017-6430 | 15 Mar 201715:00 | – | cve |
 | CVE-2017-6430 | 15 Mar 201715:00 | – | cvelist |
 | [SECURITY] [DSA 3874-1] ettercap security update | 9 Jun 201705:50 | – | debian |
| [SECURITY] [DSA 3874-1] ettercap security update | 9 Jun 201705:50 | – | debian |
 | CVE-2017-6430 | 15 Mar 201715:00 | – | debiancve |
 | Debian DSA-3874-1 : ettercap - security update | 12 Jun 201700:00 | – | nessus |
| Fedora 25 : ettercap (2017-06365bdcfd) | 15 Mar 201700:00 | – | nessus |
| Fedora 24 : ettercap (2017-2258cfb450) | 16 Mar 201700:00 | – | nessus |
10
Document Title:
===============
CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap Etterfilter utility
Vendor:
=======
Ettercap (http://ettercap.github.io/ettercap/)
Product and Versions Affected:
==============================
Etterfilter 0.8.2 and possibly prior.
Vulnerability Type:
===================
Denial-of-Service
CVE Reference:
==============
CVE-2017-6430
Vulnerability Details:
======================
Etterfilter utility of Ettercap have an out-of-bounds read denial-of-service vulnerability when parsing a crafted file. This occurs in the compile_tree function of the ef_compiler.c source file when processing corrupted filters.
Valgrind Output:
================
[email protected]:~/Desktop$ valgrind etterfilter ~/Desktop/crash
==25860== Memcheck, a memory error detector
==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25860== Command: etterfilter /home/raras/Desktop/crash
==25860==
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file '/home/raras/Desktop/crash' done.
BUG at [/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242]
tree_root == NULL
==25860== Invalid read of size 8
==25860== at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd
==25860== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25860== by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter)
==25860== by 0x4023AF: main (in /usr/local/bin/etterfilter)
==25860==
==25860== Invalid read of size 8
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25860==
==25860==
==25860== Process terminating with default action of signal 11 (SIGSEGV)
==25860== Access not within mapped region at address 0x0
==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860== If you believe this happened as a result of a stack
==25860== overflow in your program's main thread (unlikely but
==25860== possible), you can try to increase the size of the
==25860== main thread stack using the --main-stacksize= flag.
==25860== The main thread stack size used in this run was 8388608.
==25860==
==25860== HEAP SUMMARY:
==25860== in use at exit: 29,146 bytes in 536 blocks
==25860== total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated
==25860==
==25860== LEAK SUMMARY:
==25860== definitely lost: 8 bytes in 1 blocks
==25860== indirectly lost: 0 bytes in 0 blocks
==25860== possibly lost: 0 bytes in 0 blocks
==25860== still reachable: 29,138 bytes in 535 blocks
==25860== suppressed: 0 bytes in 0 blocks
==25860== Rerun with --leak-check=full to see details of leaked memory
==25860==
==25860== For counts of detected and suppressed errors, rerun with: -v
==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
Patch:
======
utils/etterfilter/ef_compiler.c
@@ -239,7 +239,9 @@ size_t compile_tree(struct filter_op **fop)
struct filter_op *array = NULL;
struct unfold_elm *ue;
- BUG_IF(tree_root == NULL);
+ // invalid file
+ if (tree_root == NULL)
+ return 0;
fprintf(stdout, " Unfolding the meta-tree ");
fflush(stdout);
References and Fix:
===================
https://github.com/Ettercap/ettercap/issues/782
https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506
Vulnerability Disclosure Timeline:
==================================
2017-02-07: Bug Report Submission & Coordination
2017-03-05: Public Disclosure
Credit:
=======
AromalUllas
# 0day.today [2018-04-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Mar 2017 00:00Current
6.1Medium risk
Vulners AI Score6.1
EPSS0.0023