Submit #764648: Ettercap ettercap Ettercap v0.8.4-Garofalo and master-branch Heap-based Buffer Overflow

Title: Ettercap ettercap Ettercap v0.8.4-Garofalo and master-branch Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap-buffer-overflow vulnerability in the etterfilter utility. The crash occurs during the compilation of a filter script when the program attempts to read beyond the boundaries of an allocated data segment buffer during a memcpy operation.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: etterfilter (Ettercap utility)
- Vulnerability Type: CWE-125: Out-of-bounds Read
- Function: add_data_segment
- Location: src/ettercap/utils/etterfilter/ef_output.c:156:4
- Root Cause Analysis: The ASAN report shows a READ of size 4 from a memory region that was only allocated 3 bytes. The buffer was allocated in ef_grammar.y during the parsing stage. When write_output is called to generate the filtered binary, add_data_segment attempts to copy the data. It appears the size passed to memcpy (or the logic determining the segment length) incorrectly assumes a minimum or specific length that exceeds the actual allocated size of the input data.

### Reproduce

1. Build ettercap with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0202/blob/main/et/repro):

```
./build/utils/etterfilter repro -o /dev/null
```

<details>
<summary>ASAN report</summary>

```
==77583==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000008293 at pc 0x559282ccf3d8 bp 0x7fffd8a6a1b0 sp 0x7fffd8a69968
READ of size 4 at 0x502000008293 thread T0
    #0 0x559282ccf3d7 in memcpy (/src/ettercap/build/utils/etterfilter+0xcc3d7) (BuildId: 4dac266d341f1c2bbeadbaab76c7e7eba8097811)
    #1 0x559282d15225 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10
    #2 0x559282d15225 in add_data_segment /src/ettercap/utils/etterfilter/ef_output.c:156:4
    #3 0x559282d15225 in create_data_segment /src/ettercap/utils/etterfilter/ef_output.c
    #4 0x559282d15225 in write_output /src/ettercap/utils/etterfilter/ef_output.c:68:15
    #5 0x559282d14a81 in main /src/ettercap/utils/etterfilter/ef_main.c:92:16
    #6 0x7fa2c066e1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #7 0x7fa2c066e28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x559282c305e4 in _start (/src/ettercap/build/utils/etterfilter+0x2d5e4) (BuildId: 4dac266d341f1c2bbeadbaab76c7e7eba8097811)

0x502000008293 is located 0 bytes after 3-byte region [0x502000008290,0x502000008293)
allocated by thread T0 here:
    #0 0x559282cd05fd in calloc (/src/ettercap/build/utils/etterfilter+0xcd5fd) (BuildId: 4dac266d341f1c2bbeadbaab76c7e7eba8097811)
    #1 0x559282d1c14b in yyparse /src/ettercap/utils/etterfilter/ef_grammar.y:243:51

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/ettercap/build/utils/etterfilter+0xcc3d7) (BuildId: 4dac266d341f1c2bbeadbaab76c7e7eba8097811) in memcpy
Shadow bytes around the buggy address:
  0x502000008000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x502000008080: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x502000008100: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x502000008180: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x502000008200: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa 04 fa
=>0x502000008280: fa fa[03]fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x502000008300: fa fa fd fd fa fa 00 04 fa fa fd fa fa fa fd fd
  0x502000008380: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa 05 fa
  0x502000008400: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x502000008480: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa fa fa
  0x502000008500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77583==ABORTING
```

</details>
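The root-cause analysis above describes a copy whose length is derived from an assumed unit size rather than from the bytes actually allocated for the segment (ASan reports a 4-byte read from a 3-byte calloc region). The following C program is an added illustration, not code from Ettercap's ef_output.c: it shows the two defensive policies a fix for this bug class can take, rejecting the over-long request or copying only the allocated bytes and zero-padding to the word boundary. The struct `data_segment`, the functions `add_segment_checked` and `add_segment_padded`, the `WORD_SIZE` constant and the 3-byte sample are all hypothetical; only the 3-byte-versus-4-byte shape of the failure is taken from the report.

```c
/* Added illustration (not Ettercap's ef_output.c): a data-segment copy that
 * checks the requested length against the source allocation before memcpy,
 * which is the check the ASan report above shows to be missing.  Struct and
 * function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed unit size: the report shows a READ of size 4, so the writer
 * apparently copies segment data in 4-byte words. */
#define WORD_SIZE 4

struct data_segment {
    const uint8_t *buf;  /* bytes produced by the parser stage */
    size_t alloc_len;    /* how many bytes were actually allocated for buf */
};

/* Strict policy: refuse any request that would read past the allocation.
 * Returns the number of bytes copied, or 0 when the request is rejected. */
size_t add_segment_checked(uint8_t *out, size_t out_cap,
                           const struct data_segment *seg, size_t want)
{
    if (out == NULL || seg == NULL || seg->buf == NULL)
        return 0;
    if (want > seg->alloc_len)   /* 4 requested, 3 allocated: reject */
        return 0;
    if (want > out_cap)          /* also guard the destination buffer */
        return 0;
    memcpy(out, seg->buf, want);
    return want;
}

/* Padding policy: when the output format needs whole words, copy only the
 * bytes that exist and zero-fill up to the next WORD_SIZE boundary instead
 * of reading the missing bytes from beyond the allocation. */
size_t add_segment_padded(uint8_t *out, size_t out_cap,
                          const struct data_segment *seg)
{
    if (out == NULL || seg == NULL || seg->buf == NULL)
        return 0;
    size_t padded = (seg->alloc_len + WORD_SIZE - 1) / WORD_SIZE * WORD_SIZE;
    if (padded > out_cap)        /* padded length must fit the destination */
        return 0;
    memcpy(out, seg->buf, seg->alloc_len);
    memset(out + seg->alloc_len, 0, padded - seg->alloc_len);
    return padded;
}

/* Constructed sample mirroring the report: a 3-byte allocation. */
static const uint8_t sample_bytes[3] = { 0x41, 0x42, 0x43 };
static const struct data_segment sample_seg = { sample_bytes, sizeof sample_bytes };
static uint8_t outbuf[16];

int main(void)
{
    size_t n;

    /* Asking for one full word from a 3-byte segment is rejected. */
    n = add_segment_checked(outbuf, sizeof outbuf, &sample_seg, WORD_SIZE);
    printf("checked copy of %d bytes from a 3-byte segment: %zu (0 = rejected)\n",
           WORD_SIZE, n);

    /* Padding copies the 3 real bytes and supplies a zero for the fourth. */
    n = add_segment_padded(outbuf, sizeof outbuf, &sample_seg);
    printf("padded copy: %zu bytes, last byte 0x%02x\n", n, outbuf[n - 1]);
    return 0;
}
```

Which policy fits depends on what the consumer of the output expects; the strict version surfaces a malformed filter as an error at compile time, while the padded version keeps the word-aligned layout without ever reading outside the parser's allocation. Either way the copy length is now bounded by `alloc_len`, which is the value the report identifies as the one the original logic ignores.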
Source: https://github.com/Ettercap/ettercap/issues/1297
User: Oneafter (UID 92781)
Submission: 21.02.2026 04:59 (1 month ago)
Moderation: 05.03.2026 17:55 (13 days later)
Status: Accepted
VulDB Entry: 349218 [Ettercap 0.8.4-Garofalo etterfilter ef_output.c add_data_segment Information Disclosure]
Points: 20