Bug 8935

Summary: ettercap new security issue CVE-2013-0722
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED INVALID
QA Contact:
Severity: normal
Priority: Normal
CC: pterjan
Version: 2
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/535738/
Whiteboard: feedback
Source RPM: ettercap-0.7.4.1-4.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-02-01 19:53:27 CET
Fedora has issued an advisory on January 16:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098014.html

It is fixed upstream in 0.7.5.2, and Fedora has a patch for it.

Mageia 2 is also affected.
David Walser 2013-02-01 19:54:06 CET

CC: (none) => pterjan
Assignee: bugsquad => pterjan
Whiteboard: (none) => MGA2TOO

David Walser 2013-02-01 21:44:07 CET

URL: (none) => http://lwn.net/Vulnerabilities/535738/

Comment 1 David Walser 2013-02-01 23:54:33 CET
Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated ettercap package fixes security vulnerability:

Stack-based buffer overflow in the scan_load_hosts function in ec_scan.c in
Ettercap 0.7.5.1 and earlier might allow local users to gain privileges via a
Trojan horse hosts list containing a long line (CVE-2013-0722).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0722
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098014.html
========================

Updated packages in core/updates_testing:
========================
ettercap-0.7.4.1-1.2.mga2

from ettercap-0.7.4.1-1.2.mga2.src.rpm

Version: Cauldron => 2
Assignee: pterjan => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 2 claire robinson 2013-02-03 17:07:33 CET
PoC: http://www.exploit-db.com/exploits/23945/

sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
Comment 3 claire robinson 2013-02-03 17:15:38 CET
Testing mga2 32

Before
------

# ruby -e'puts"a"*2000' > overflow && ettercap -T -j overflow

ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->       00:00:F0:xx:xx:xx           invalid           invalid

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services

Loading hosts list from file overflow

FATAL: Bad parsing on line 1

[root@laptop ~]# [root@laptop ~]# [root@laptop ~]# [root@laptop ~]#

Shell becomes unstable.

After
-----

# ruby -e'puts"a"*2000' > overflow && ettercap -T -j overflow

ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->       00:00:F0:xx:xx:xx           invalid           invalid

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services

Loading hosts list from file overflow

FATAL: Bad parsing on line 1

[root@laptop ~]# [root@laptop ~]# [root@laptop ~]# [root@laptop ~]#
Shell still becomes unstable. I can't see any difference.
Comment 4 claire robinson 2013-02-03 17:26:19 CET
Captures ok using
# ettercap -i eth1 -T

curses interface using -C uses strange colours which are unreadable on my monitor.
claire robinson 2013-02-03 17:27:12 CET

Whiteboard: (none) => feedback

Comment 5 Pascal Terjan 2013-02-07 22:43:01 CET
I think Bad Parsing is fine; it means it detected the problem and was not vulnerable.

From the exploit-db link:

Affected:
 - ettercap 0.7.5.1
 - ettercap 0.7.5
 - ettercap 0.7.4 and earlier
Not affected:
 - ettercap 0.7.4.1
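The "Bad parsing on line 1" exit that Pascal reads as a clean rejection, and the stack-based overflow in scan_load_hosts that the advisory in comment 1 describes, both come down to how a hosts-list loader treats a line longer than its fixed buffers. The code below is an added illustration and not ettercap's ec_scan.c: it assumes a one-record-per-line "IP MAC hostname" format and a 256-byte line cap, and shows width-bounded sscanf conversions plus a trailing catch-all field that turn an over-long line, such as the 2000-byte file from the PoC, into a parse error instead of an overrun.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256   /* assumed cap for one hosts-list line, excluding '\n' */
#define IP_LEN   16    /* dotted-quad IPv4 + NUL */
#define MAC_LEN  18    /* aa:bb:cc:dd:ee:ff + NUL */
#define NAME_LEN 64

struct host_entry {
    char ip[IP_LEN];
    char mac[MAC_LEN];
    char name[NAME_LEN];
};

/* Parse one "IP MAC hostname" line (assumed format) of len bytes; 0 = ok, -1 = bad.
 * Every %s has an explicit width, so an over-long token is cut at its field size
 * instead of running past the stack buffer, and the trailing %1s turns any
 * leftover (or a fourth field) into a parse failure rather than silent truncation. */
int parse_hosts_line(const char *start, size_t len, struct host_entry *out)
{
    char line[MAX_LINE], extra[2];
    if (len >= sizeof line)          /* refuse; never truncate and carry on */
        return -1;
    memcpy(line, start, len);
    line[len] = '\0';
    memset(out, 0, sizeof *out);
    if (sscanf(line, "%15s %17s %63s %1s", out->ip, out->mac, out->name, extra) != 3)
        return -1;
    return 0;
}

/* Walk an in-memory hosts list.  Returns the host count, or -1 with *bad_line
 * set to the offending line: the point to abort with "Bad parsing on line N". */
int load_hosts(const char *text, struct host_entry *hosts, size_t max_hosts, int *bad_line)
{
    size_t n = 0; int lineno = 0; const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (n >= max_hosts || parse_hosts_line(p, len, &hosts[n]) != 0) {
            *bad_line = lineno;
            return -1;
        }
        n++;
        p = nl ? nl + 1 : p + len;
    }
    *bad_line = 0;
    return (int)n;
}
```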
Comment 6 David Walser 2013-02-07 22:56:49 CET
Thanks Pascal! Looking at the code, that makes sense.

Status: NEW => RESOLVED
Resolution: (none) => INVALID