Bugtraq: CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap Etterfilter utility

Document Title:
===============
CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap Etterfilter utility

Vendor:
=======
Ettercap (http://ettercap.github.io/ettercap/)

Product and Versions Affected:
==============================
Etterfilter 0.8.2 and possibly prior.

Vulnerability Type:
===================
Denial-of-Service

CVE Reference:
==============
CVE-2017-6430

Vulnerability Details:
======================
The Etterfilter utility of Ettercap has an out-of-bounds read denial-of-service vulnerability when parsing a crafted filter file. It occurs in the compile_tree function of the ef_compiler.c source file when processing corrupted filters: compile_tree is entered with tree_root == NULL, the BUG_IF check aborts through clean_exit, and that exit path performs the invalid reads shown in the Valgrind output below, ending in a segmentation fault.
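To show the control flow the fix aims at, here is a small C model (added here; it is not Ettercap's code) of compile_tree and its caller write_output: a missing parse tree is reported as 0 compiled ops instead of aborting through clean_exit, and the caller treats 0 as an error rather than writing an empty filter file. The struct layouts and function bodies are simplified assumptions; only the names compile_tree, write_output and tree_root come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (not Ettercap's real types): a list of nodes -> filter_ops */
struct filter_node { int opcode; struct filter_node *next; };
struct filter_op   { int opcode; };

/* Filled by the parser; stays NULL when the source held no valid filter. */
struct filter_node *tree_root = NULL;

/* Model of the patched compile_tree(): the old BUG_IF(tree_root == NULL)
 * aborted through clean_exit() and hit the out-of-bounds read; now an
 * empty tree is reported to the caller as 0 compiled ops. */
size_t compile_tree(struct filter_op **fop)
{
    size_t n = 0;
    struct filter_node *node;
    *fop = NULL;
    if (tree_root == NULL)          /* invalid file */
        return 0;
    for (node = tree_root; node; node = node->next)
        n++;
    *fop = calloc(n, sizeof(**fop));
    for (n = 0, node = tree_root; *fop && node; node = node->next)
        (*fop)[n++].opcode = node->opcode;
    return n;
}

/* Model of the caller write_output(): a zero-length result is an error,
 * not an empty-but-valid filter file. Returns 0 on success, -1 on error. */
int write_output(void)
{
    struct filter_op *fop;
    size_t n = compile_tree(&fop);
    if (n == 0) {
        fprintf(stderr, "invalid or empty filter source, nothing written\n");
        return -1;
    }
    free(fop);   /* serializing the n ops would happen here */
    return 0;
}

int main(void)
{
    struct filter_node b = { 7, NULL }, a = { 3, &b };   /* constructed tree */
    printf("empty tree: %d\n", write_output());          /* -1, no abort */
    tree_root = &a;
    printf("two-node tree: %d\n", write_output());       /* 0 */
    return 0;
}
```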

Valgrind Output:
================
raras@ubuntu:~/Desktop$ valgrind etterfilter ~/Desktop/crash
==25860== Memcheck, a memory error detector
==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25860== Command: etterfilter /home/raras/Desktop/crash
==25860==
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file '/home/raras/Desktop/crash' done.
BUG at [/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242]
tree_root == NULL
==25860== Invalid read of size 8
==25860==    at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860==    by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860==    by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860==    by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860==  Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd
==25860==    at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25860==    by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter)
==25860==    by 0x4023AF: main (in /usr/local/bin/etterfilter)
==25860==
==25860== Invalid read of size 8
==25860==    at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860==    by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860==    by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860==    by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25860==
==25860==
==25860== Process terminating with default action of signal 11 (SIGSEGV)
==25860==  Access not within mapped region at address 0x0
==25860==    at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0)
==25860==    by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter)
==25860==    by 0x4042D3: write_output (in /usr/local/bin/etterfilter)
==25860==    by 0x4024BD: main (in /usr/local/bin/etterfilter)
==25860==  If you believe this happened as a result of a stack
==25860==  overflow in your program's main thread (unlikely but
==25860==  possible), you can try to increase the size of the
==25860==  main thread stack using the --main-stacksize= flag.
==25860==  The main thread stack size used in this run was 8388608.
==25860==
==25860== HEAP SUMMARY:
==25860==     in use at exit: 29,146 bytes in 536 blocks
==25860==   total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated
==25860==
==25860== LEAK SUMMARY:
==25860==    definitely lost: 8 bytes in 1 blocks
==25860==    indirectly lost: 0 bytes in 0 blocks
==25860==      possibly lost: 0 bytes in 0 blocks
==25860==    still reachable: 29,138 bytes in 535 blocks
==25860==         suppressed: 0 bytes in 0 blocks
==25860== Rerun with --leak-check=full to see details of leaked memory
==25860==
==25860== For counts of detected and suppressed errors, rerun with: -v
==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

Patch:
======
utils/etterfilter/ef_compiler.c

@@ -239,7 +239,9 @@ size_t compile_tree(struct filter_op **fop)

struct filter_op *array = NULL;

struct unfold_elm *ue;

– BUG_IF(tree_root == NULL);

+ // invalid file

+ if (tree_root == NULL)

+ return 0;

fprintf(stdout, ” Unfolding the meta-tree “);

fflush(stdout);
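Review bot: Replacing BUG_IF(tree_root == NULL) with a bare `return 0;` makes an invalid filter file indistinguishable from one that legitimately compiled to zero ops, and the user gets no diagnostic; the caller write_output (visible in the Valgrind trace above) must then treat a 0 return as a failure or it will write out an empty filter. Consider printing an error before returning, and verify the 0-return handling in write_output as part of the same change. Note also that this only removes the trigger: the invalid reads themselves happen inside clean_exit (8 bytes past the 24-byte block from globals_alloc, then a NULL dereference), so any other BUG_IF or early clean_exit reached before those globals are set up would hit the same reads; the exit path deserves its own NULL/bounds check.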

References and Fix:
===================
https://github.com/Ettercap/ettercap/issues/782
https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506

Vulnerability Disclosure Timeline:
==================================
2017-02-07: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas


Source: SecurityFocus Vulnerabilities @ March 6, 2017 at 07:35AM
