Document Title: =============== CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap Etterfilter utility Vendor: ======= Ettercap (http://ettercap.github.io/ettercap/) Product and Versions Affected: ============================== Etterfilter 0.8.2 and possibly prior. Vulnerability Type: =================== Denial-of-Service CVE Reference: ============== CVE-2017-6430 Vulnerability Details: ====================== Etterfilter utility of Ettercap have an out-of-bounds read denial-of-service vulnerability when parsing a crafted file. This occurs in the compile_tree function of the ef_compiler.c source file when processing corrupted filters. Valgrind Output: ================ raras@ubuntu:~/Desktop$ valgrind etterfilter ~/Desktop/crash ==25860== Memcheck, a memory error detector ==25860== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==25860== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==25860== Command: etterfilter /home/raras/Desktop/crash ==25860== etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team 14 protocol tables loaded: DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth 13 constants loaded: VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP Parsing source file '/home/raras/Desktop/crash' done. BUG at [/home/raras/Desktop/ettercap-master/utils/etterfilter/ef_compiler.c:compile_tree:242] tree_root == NULL ==25860== Invalid read of size 8 ==25860== at 0x4E4D7B9: clean_exit (in /usr/local/lib/libettercap.so.0.0.0) ==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter) ==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter) ==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter) ==25860== Address 0x6bc2440 is 8 bytes after a block of size 24 alloc'd ==25860== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==25860== by 0x4041A2: globals_alloc (in /usr/local/bin/etterfilter) ==25860== by 0x4023AF: main (in /usr/local/bin/etterfilter) ==25860== ==25860== Invalid read of size 8 ==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0) ==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter) ==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter) ==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter) ==25860== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==25860== ==25860== ==25860== Process terminating with default action of signal 11 (SIGSEGV) ==25860== Access not within mapped region at address 0x0 ==25860== at 0x4E4D7BD: clean_exit (in /usr/local/lib/libettercap.so.0.0.0) ==25860== by 0x4030B0: compile_tree (in /usr/local/bin/etterfilter) ==25860== by 0x4042D3: write_output (in /usr/local/bin/etterfilter) ==25860== by 0x4024BD: main (in /usr/local/bin/etterfilter) ==25860== If you believe this happened as a result of a stack ==25860== overflow in your program's main thread (unlikely but ==25860== possible), you can try to increase the size of the ==25860== main thread stack using the --main-stacksize= flag. ==25860== The main thread stack size used in this run was 8388608. ==25860== ==25860== HEAP SUMMARY: ==25860== in use at exit: 29,146 bytes in 536 blocks ==25860== total heap usage: 644 allocs, 108 frees, 199,745 bytes allocated ==25860== ==25860== LEAK SUMMARY: ==25860== definitely lost: 8 bytes in 1 blocks ==25860== indirectly lost: 0 bytes in 0 blocks ==25860== possibly lost: 0 bytes in 0 blocks ==25860== still reachable: 29,138 bytes in 535 blocks ==25860== suppressed: 0 bytes in 0 blocks ==25860== Rerun with --leak-check=full to see details of leaked memory ==25860== ==25860== For counts of detected and suppressed errors, rerun with: -v ==25860== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) Segmentation fault Patch: ====== utils/etterfilter/ef_compiler.c @@ -239,7 +239,9 @@ size_t compile_tree(struct filter_op **fop) struct filter_op *array = NULL; struct unfold_elm *ue; - BUG_IF(tree_root == NULL); + // invalid file + if (tree_root == NULL) + return 0; fprintf(stdout, " Unfolding the meta-tree "); fflush(stdout); References and Fix: =================== https://github.com/Ettercap/ettercap/issues/782 https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506 Vulnerability Disclosure Timeline: ================================== 2017-02-07: Bug Report Submission & Coordination 2017-03-05: Public Disclosure Credit: ======= AromalUllas # Iranian Exploit DataBase = http://IeDb.Ir [2017-03-07]