Fedora has issued an advisory on January 16: http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098014.html It is fixed upstream in 0.7.5.2, and Fedora has a patch for it. Mageia 2 is also affected.
CC: (none) => pterjan
Assignee: bugsquad => pterjan
Whiteboard: (none) => MGA2TOO
URL: (none) => http://lwn.net/Vulnerabilities/535738/
Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated ettercap package fixes security vulnerability:

Stack-based buffer overflow in the scan_load_hosts function in ec_scan.c in
Ettercap 0.7.5.1 and earlier might allow local users to gain privileges via a
Trojan horse hosts list containing a long line (CVE-2013-0722).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0722
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098014.html
========================

Updated packages in core/updates_testing:
========================
ettercap-0.7.4.1-1.2.mga2

from ettercap-0.7.4.1-1.2.mga2.src.rpm
Version: Cauldron => 2
Assignee: pterjan => qa-bugs
Whiteboard: MGA2TOO => (none)
PoC: http://www.exploit-db.com/exploits/23945/

sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
Testing mga2 32

Before
------
# ruby -e'puts"a"*2000' > overflow && ettercap -T -j overflow

ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->    00:00:F0:xx:xx:xx    invalid    invalid

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services

Loading hosts list from file overflow

FATAL: Bad parsing on line 1

[root@laptop ~]#
[root@laptop ~]#
[root@laptop ~]#
[root@laptop ~]#

Shell becomes unstable.

After
-----
# ruby -e'puts"a"*2000' > overflow && ettercap -T -j overflow

ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->    00:00:F0:xx:xx:xx    invalid    invalid

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services

Loading hosts list from file overflow

FATAL: Bad parsing on line 1

[root@laptop ~]#
[root@laptop ~]#
[root@laptop ~]#
[root@laptop ~]#

Shell still becomes unstable. I can't see any difference.
Captures ok using

# ettercap -i eth1 -T

The curses interface (using -C) uses strange colours which are unreadable on my monitor.
Whiteboard: (none) => feedback
I think "Bad parsing" is fine; it means it detected the problem and was not vulnerable.

From the exploit-db link:

Affected:
- ettercap 0.7.5.1
- ettercap 0.7.5
- ettercap 0.7.4 and earlier

Not affected:
- ettercap 0.7.4.1
Thanks Pascal! Looking at the code, that makes sense.
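The check that produces a "Bad parsing" rejection instead of a crash, written out as an added example; this is not ettercap's code and nothing here is taken from ec_scan.c. It models a hosts-list line as "ip mac name", copies each field into a fixed-size stack buffer only when it fits (so the PoC's 2000-byte line is refused on line 1), and shows the unbounded sscanf pattern that produces the overflow as a comment. The buffer sizes, function names and the sample lists are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes assumed for this illustration; they are not taken from ec_scan.c. */
#define IP_LEN    16   /* "255.255.255.255" plus NUL */
#define MAC_LEN   18   /* "00:11:22:33:44:55" plus NUL */
#define NAME_LEN  128
#define MAX_HOSTS 8

struct host_entry { char ip[IP_LEN]; char mac[MAC_LEN]; char name[NAME_LEN]; };

/* The bug class, for reference only (not called): a bare %s in sscanf writes
 * the whole token whatever the destination size, so the PoC's 2000-byte line
 * runs off the end of stack buffers sized like the ones above:
 *     char ip[IP_LEN], mac[MAC_LEN], name[NAME_LEN];
 *     sscanf(line, "%s %s %s", ip, mac, name);          (unsafe) */

/* Copy the next whitespace-delimited token of src[0..srclen) into dst.
 * Returns the index just past the token, or -1 if the token is missing or
 * would not fit in dst together with its terminating NUL. */
static int copy_token(const char *src, size_t srclen, char *dst, size_t cap)
{
    size_t i = 0, start;
    while (i < srclen && (src[i] == ' ' || src[i] == '\t'))
        i++;
    start = i;
    while (i < srclen && src[i] != ' ' && src[i] != '\t' && src[i] != '\r') {
        if (i - start + 1 >= cap)
            return -1;                  /* overlong field: reject, do not overflow */
        i++;
    }
    if (i == start)
        return -1;                      /* field missing */
    memcpy(dst, src + start, i - start);
    dst[i - start] = '\0';
    return (int)i;
}

/* Parse one "ip mac name" line. Returns 0 on success, -1 on bad parsing. */
int parse_host_line(const char *line, size_t len, struct host_entry *out)
{
    size_t pos = 0; int n;
    if ((n = copy_token(line + pos, len - pos, out->ip, IP_LEN)) < 0) return -1;
    pos += (size_t)n;
    if ((n = copy_token(line + pos, len - pos, out->mac, MAC_LEN)) < 0) return -1;
    pos += (size_t)n;
    if ((n = copy_token(line + pos, len - pos, out->name, NAME_LEN)) < 0) return -1;
    return 0;
}

/* Load a hosts list held in memory (stand-in for the -j file). Returns the
 * number of entries loaded, or -N where N is the first line that failed to
 * parse (or overran the table), mirroring "FATAL: Bad parsing on line N". */
int load_hosts(const char *buf, struct host_entry *hosts, size_t max_hosts)
{
    size_t count = 0; int lineno = 1;
    const char *p = buf;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) {
            if (count >= max_hosts || parse_host_line(p, len, &hosts[count]) != 0)
                return -lineno;
            count++;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
        lineno++;
    }
    return (int)count;
}

/* Constructed input: two well-formed entries. Expected result: 2. */
int demo_good_list(void)
{
    struct host_entry hosts[MAX_HOSTS];
    const char *list = "192.168.1.10 00:11:22:33:44:55 gateway\n"
                       "10.0.0.2 aa:bb:cc:dd:ee:ff db01\n";
    return load_hosts(list, hosts, MAX_HOSTS);
}

/* Constructed input matching the PoC: one 2000-byte line of 'a'. Expected: -1. */
int demo_long_line(void)
{
    struct host_entry hosts[MAX_HOSTS];
    char list[2002];
    memset(list, 'a', 2000);
    list[2000] = '\n'; list[2001] = '\0';
    return load_hosts(list, hosts, MAX_HOSTS);
}

int main(void)
{
    printf("good list: %d entries, 2000-byte line: %d\n",
           demo_good_list(), demo_long_line());
    return 0;
}
```

The rejection happens while copying the first field, before anything is written past the 16-byte IP buffer, which is the behaviour the "Bad parsing on line 1" message in the test above reflects; a parser that reaches the buffer limit and keeps copying is the vulnerable shape, regardless of which helper does the copy.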
Status: NEW => RESOLVED
Resolution: (none) => INVALID