Submission #813142: Ettercap <=v0.8.4 Heap-based Buffer Overflow

Information

Title: Ettercap <=v0.8.4 Heap-based Buffer Overflow

Description:

# Heap Buffer Overflow in GG Dissector (Network-Triggered)

## Summary

A heap-based buffer overflow exists in the GG (Gadu-Gadu) dissector due to improper bounds checking when copying attacker-controlled data into a fixed-size buffer. The vulnerability is triggered via network traffic and does not require authentication.

---

## Technical Details

A heap buffer (`tbuf2`) is allocated with a fixed size of 71 bytes. The length used in `strncpy`, however, is derived directly from the attacker-controlled `gg->len` field:

```c
if ((int)gg->len - 22 < 0)
    return NULL;
strncpy(tbuf2, gg_login50->description, gg->len - 22);
tbuf2[gg->len - 22] = '\0';
```

### Issue

- No upper bound check is performed against the allocated buffer size (71 bytes)
- Only a negativity check is applied
- Results in:
  - Heap overflow via `strncpy`
  - Additional out-of-bounds write via the null terminator

---

## Affected Variants

| Command           | Offset | Overflow Condition |
|-------------------|--------|--------------------|
| GG_LOGIN50_CMD    | 22     | gg->len > 93       |
| GG_LOGIN60_CMD    | 31     | gg->len > 102      |
| GG_LOGIN70_CMD    | 92     | gg->len > 163      |
| GG_NEW_STATUS_CMD | 4      | gg->len > 75       |

---

## Root Cause

The guard condition:

```c
if ((gg->len) != ((PACKET->DATA.len) - 8))
    return NULL;
```

ensures consistency between the header field and the packet length but does not prevent exploitation: since the attacker controls the full TCP packet size, they fully control `gg->len`.

---

## Impact

- Heap buffer overflow
- Potential memory corruption
- Possible denial of service (DoS)
- Potential for further exploitation depending on heap layout

---

## Reachability

- Triggered automatically when Ettercap processes GG traffic on TCP port 8074
- No authentication required
- Attacker must be:
  - On the same network segment, or
  - In a Man-in-the-Middle (MITM) position

---

## Reproduction Steps

1. Run Ettercap:
   ```
   ettercap -T -i eth0
   ```
2. Ensure traffic on TCP port 8074 is being sniffed
3. Send the crafted packet
4. Observe crash / memory corruption

---

## Valgrind Evidence

```
Invalid write of size 8
...
Address 0x9223509 is 25 bytes inside a block of size 30 alloc'd
...
*** buffer overflow detected ***: terminated
```

---

## Conclusion

The vulnerability is confirmed exploitable due to:

- Fully attacker-controlled length (`gg->len`)
- Lack of upper-bound validation
- Direct unsafe memory operations

---
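As an added illustration (not code from the report or from the Ettercap source tree), the C below shows the upper-bound check the report says is missing, using the 71-byte buffer size and the per-command offsets from the table above; the `gg_hdr` struct and the function names are assumptions made for this example. Note that the terminating NUL needs one more byte than the copied length, so the hardened check rejects `gg->len - offset >= 71` rather than only the `> 71` case that overruns `strncpy` itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size of the fixed heap buffer (tbuf2) named in the report. */
#define GG_DESC_BUF_SIZE 71

/* Per-command offsets taken from the report's "Affected Variants" table. */
enum { GG_OFF_LOGIN50 = 22, GG_OFF_LOGIN60 = 31,
       GG_OFF_LOGIN70 = 92, GG_OFF_NEW_STATUS = 4 };

/* Hypothetical minimal header: only the attacker-controlled length matters here. */
struct gg_hdr { uint32_t len; };

/* Length the dissector would copy (gg->len - off), or -1 if it must be rejected.
 * The original code only rejected negative values; this also rejects any
 * length that does not leave room for the terminating NUL inside 71 bytes. */
int gg_desc_copy_len(uint32_t gg_len, uint32_t off)
{
    if (gg_len < off)
        return -1;                          /* the original negativity check */
    uint32_t n = gg_len - off;
    if (n >= GG_DESC_BUF_SIZE)
        return -1;                          /* the missing upper-bound check */
    return (int)n;
}

/* Hardened copy: desc points at the description field and avail is the number
 * of packet bytes left after it; out must hold GG_DESC_BUF_SIZE bytes. */
int gg_copy_description(const struct gg_hdr *gg, uint32_t off,
                        const char *desc, size_t avail,
                        char out[GG_DESC_BUF_SIZE])
{
    int n = gg_desc_copy_len(gg->len, off);
    if (n < 0 || (size_t)n > avail)
        return -1;                          /* also never read past the packet */
    memcpy(out, desc, (size_t)n);
    out[n] = '\0';
    return 0;
}

/* The gg->len value above which strncpy alone already writes past the buffer,
 * i.e. the thresholds in the report's table (71 + offset). */
uint32_t gg_overflow_threshold(uint32_t off)
{
    return GG_DESC_BUF_SIZE + off;
}
```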
Source: https://github.com/Ettercap/ettercap/issues/1306
User: dapickle (UID 97309)
Submission: 25.04.2026 19:59 (1 month ago)
Moderation: 23.05.2026 12:28 (28 days later)
Status: accepted
VulDB Entry: 365328 [Ettercap up to 0.8.3 GG Dissector src/dissectors/ec_gg.c FUNC_DECODER gg memory corruption]
Points: 20
