Submission #813142: Ettercap <=v0.8.4 Heap-based Buffer Overflow (Info)

Title: Ettercap <=v0.8.4 Heap-based Buffer Overflow
Description:

# Heap Buffer Overflow in GG Dissector (Network-Triggered)

## Summary

A heap-based buffer overflow exists in the GG (Gadu-Gadu) dissector due to improper bounds checking when copying attacker-controlled data into a fixed-size buffer. The vulnerability is triggered via network traffic and does not require authentication.

---

## Technical Details

A heap buffer (`tbuf2`) is allocated with a fixed size of 71 bytes. However, the length used in `strncpy` is derived directly from the attacker-controlled `gg->len` field:

```c
if ((int)gg->len - 22 < 0)
    return NULL;
strncpy(tbuf2, gg_login50->description, gg->len - 22);
tbuf2[gg->len - 22] = '\0';
```

### Issue

- No upper bound check is performed against the allocated buffer size (71 bytes)
- Only a negativity check is applied
- Results in:
  - Heap overflow via `strncpy`
  - Additional out-of-bounds write via the null terminator

---

## Affected Variants

| Command           | Offset | Overflow Condition |
|-------------------|--------|--------------------|
| GG_LOGIN50_CMD    | 22     | gg->len > 93       |
| GG_LOGIN60_CMD    | 31     | gg->len > 102      |
| GG_LOGIN70_CMD    | 92     | gg->len > 163      |
| GG_NEW_STATUS_CMD | 4      | gg->len > 75       |

---

## Root Cause

The guard condition:

```c
if ((gg->len) != ((PACKET->DATA.len) - 8))
    return NULL;
```

ensures that `gg->len` is consistent with the packet length, but it does not prevent exploitation. Since the attacker controls the full TCP packet size, they fully control `gg->len`.

---

## Impact

- Heap buffer overflow
- Potential memory corruption
- Possible denial of service (DoS)
- Potential for further exploitation depending on heap layout

---

## Reachability

- Triggered automatically when Ettercap processes GG traffic on TCP port 8074
- No authentication required
- Attacker must be:
  - On the same network segment, or
  - In a Man-in-the-Middle (MITM) position

---

## Reproduction Steps

1. Run Ettercap:
   ```
   ettercap -T -i eth0
   ```
2. Ensure traffic on TCP port 8074 is being sniffed
3. Send the crafted packet
4. Observe crash / memory corruption

---

## Valgrind Evidence

```
Invalid write of size 8
...
Address 0x9223509 is 25 bytes inside a block of size 30 alloc'd
...
*** buffer overflow detected ***: terminated
```

---

## Conclusion

The vulnerability is confirmed exploitable due to:

- Fully attacker-controlled length (`gg->len`)
- Lack of upper-bound validation
- Direct unsafe memory operations

---
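The following is an added example written for this page; it is not Ettercap's code and not the fix from the linked issue. It models the copy described under Technical Details and Root Cause with a hardened bound check: the description length (`gg->len` minus the per-command offset from the Affected Variants table) plus its NUL terminator must fit in the 71-byte buffer. Because the terminator is counted, the check starts rejecting at `gg->len == offset + 71` (93, 102, 163 and 75 for the four commands), one byte before the `strncpy` itself overflows. The struct layout, function names, the command enum and the sample payload are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Ettercap's code. Names, layout and the command table are
 * assumptions that mirror the report's description of src/dissectors/ec_gg.c. */

#define GG_DESC_BUF_SIZE 71   /* fixed size of tbuf2 given in the report */

enum gg_cmd { GG_LOGIN50_CMD, GG_LOGIN60_CMD, GG_LOGIN70_CMD, GG_NEW_STATUS_CMD };

/* Offset of the description field for each command (from the report's table). */
static const struct { enum gg_cmd cmd; uint32_t offset; } gg_desc_offset[] = {
    { GG_LOGIN50_CMD,    22 },
    { GG_LOGIN60_CMD,    31 },
    { GG_LOGIN70_CMD,    92 },
    { GG_NEW_STATUS_CMD,  4 },
};

/* Resolve the description offset; returns 0 for a command not in the table. */
static int gg_lookup_offset(enum gg_cmd cmd, uint32_t *offset)
{
    size_t i;
    for (i = 0; i < sizeof gg_desc_offset / sizeof gg_desc_offset[0]; i++) {
        if (gg_desc_offset[i].cmd == cmd) {
            *offset = gg_desc_offset[i].offset;
            return 1;
        }
    }
    return 0;
}

/* The upper-bound check the report says is missing: description length plus
 * NUL terminator must fit in the fixed buffer. Returns 1 if it fits. */
int gg_desc_len_ok(enum gg_cmd cmd, uint32_t len)
{
    uint32_t offset;
    if (!gg_lookup_offset(cmd, &offset))
        return 0;
    if (len < offset)                      /* unsigned form of the existing negativity check */
        return 0;
    return (len - offset) < GG_DESC_BUF_SIZE;   /* leaves room for tbuf2[n] = '\0' */
}

/* First gg->len value the check rejects for a command (0 if unknown). */
uint32_t gg_first_rejected_len(enum gg_cmd cmd)
{
    uint32_t offset;
    if (!gg_lookup_offset(cmd, &offset))
        return 0;
    return offset + GG_DESC_BUF_SIZE;
}

/* Hardened copy. `payload` holds the bytes after the 8-byte GG header and
 * `payload_len` their count (the report's PACKET->DATA.len - 8). Returns a
 * heap buffer the caller frees, or NULL when the packet is rejected. */
char *gg_copy_description(enum gg_cmd cmd, uint32_t len,
                          const uint8_t *payload, size_t payload_len)
{
    uint32_t offset, n;
    char *tbuf2;

    if (len != payload_len)                /* the report's consistency guard */
        return NULL;
    if (!gg_desc_len_ok(cmd, len))         /* the missing upper bound */
        return NULL;
    gg_lookup_offset(cmd, &offset);
    n = len - offset;                      /* n <= 70 from here on */

    tbuf2 = calloc(GG_DESC_BUF_SIZE, 1);
    if (tbuf2 == NULL)
        return NULL;
    strncpy(tbuf2, (const char *)payload + offset, n);
    tbuf2[n] = '\0';                       /* index <= 70, inside the buffer */
    return tbuf2;
}

/* Demo helper: constructed GG_LOGIN50 body of `len` 'A' bytes. Returns the
 * copied description length, or -1 when the hardened copy rejects it. */
int gg_copy_demo_len(uint32_t len)
{
    uint8_t payload[256];
    char *desc;
    int result;

    if (len > sizeof payload)
        return -1;
    memset(payload, 'A', sizeof payload);  /* constructed sample data */
    desc = gg_copy_description(GG_LOGIN50_CMD, len, payload, len);
    if (desc == NULL)
        return -1;
    result = (int)strlen(desc);
    free(desc);
    return result;
}

int main(void)
{
    uint32_t lens[] = { 70, 92, 93, 94 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("GG_LOGIN50 gg->len=%u -> %s\n", lens[i],
               gg_desc_len_ok(GG_LOGIN50_CMD, lens[i]) ? "copied" : "rejected");
    return 0;
}
```

Running it prints `copied` for 70 and 92 and `rejected` for 93 and 94 on the GG_LOGIN50 path. The length-versus-packet consistency guard is kept because it is still needed to make the later read of `payload + offset` safe; the added check is what keeps the write into `tbuf2` in bounds.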
Source: https://github.com/Ettercap/ettercap/issues/1306
User: dapickle (UID 97309)
Submitted: 2026. 04. 25. 07:59 PM (1 month ago)
Moderation: 2026. 05. 23. 12:28 PM (28 days later)
Status: Accepted
VulDB Entry: 365328 [Ettercap up to 0.8.3 GG Dissector src/dissectors/ec_gg.c FUNC_DECODER gg memory corruption]
Points: 20
