Insecure temporary file and stack buffer overflow

Bug #656347 reported by Dan Rosenberg on 2010-10-07
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ettercap (Debian)
Fix Released
ettercap (Ubuntu)

Bug Description

Binary package hint: ettercap

The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call allows a maliciously placed settings file to overflow a statically-sized buffer on the stack. Stack-smashing protection catches it, but it still should be fixed.

Verify with:
$ perl -e 'print "A"x500' > /tmp/.ettercap_gtk && ettercap -G

Firstly, the settings file should not be globally accessible without checking ownership, which still gets hairy because an attacker could create a symlink or hard link to a victim-controlled file (unless you're using YAMA :p). The best thing would probably be to keep this file in the user's home directory instead.

Secondly, parsing configuration files should be robust against malformed input and not susceptible to trivial buffer overflows.

Kees Cook (kees) on 2010-10-07
visibility: private → public
Changed in ettercap (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in ettercap (Debian):
status: Unknown → New
Changed in ettercap (Debian):
status: New → Fix Released

Fix Released in oneiric

Changed in ettercap (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.