add information for CVE-2013-0722

mudongliang committed May 19, 2018
1 parent a1c67f8 commit 89592c1396b3bec7a5b63d6ebffe507f85aef1d0
Showing with 50 additions and 1 deletion.
  1. +49 −0 CVE-2013-0722/README.md
  2. +1 −1 README.md
@@ -2,14 +2,63 @@

## Experiment Environment

Ubuntu 14.04.5

Kali Linux

Ubuntu 12.04

## INSTALL & Configuration

```
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2013-0722/ettercap-0.7.5.1.tar.gz
tar -xvf ettercap-0.7.5.1.tar.gz
cd ettercap-0.7.5.1
mkdir build
cd build
cmake ../
make
```


## Problems in Installation & Configuration


## How to trigger vulnerability

```
cd src/
sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
```

## PoCs

[Ettercap 0.7.5.1 - Stack Overflow](https://www.exploit-db.com/exploits/23945/)

[Ettercap Multiple Stack Buffer Overflow Vulnerabilities](https://www.securityfocus.com/bid/57175/exploit) **Note:** this poc description has some unmalformed html element.

## Vulnerability Patch

### Root Cause

A stack-based buffer overflow was reported [1],[2] in Ettercap <= 0.7.5.1. A boundary error within the scan_load_hosts() function (in src/ec_scan.c), when parsing entries from a hosts list, could be exploited to cause a stack-based buffer overflow via an overly long entry. In order to exploit this, a user must be tricked into loading a malicious host file.

### Stack Trace

### Patch

--- EC-vulnerable/src/ec_scan.c
+++ EC-fixed/src/ec_scan.c
@@ -630,7 +630,7 @@
for (nhosts = 0; !feof(hf); nhosts++) {
int proto;

- if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
+ if (fscanf(hf, "%"EC_TOSTRING(MAX_ASCII_ADDR_LEN)"s %"EC_TOSTRING(ETH_ASCII_ADDR_LEN)"s %"EC_TOSTRING(MAX_HOSTNAME_LEN)"s\n", ip, mac, name) != 3 ||
*ip == '#' || *mac == '#' || *name == '#')
continu
## References
[CVE-2013-0722 ettercap: stack-based buffer overflow when parsing hosts list](https://bugzilla.redhat.com/show_bug.cgi?id=894092)
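Review bot: the new CVE-2013-0722/README.md ships two empty sections and a truncated patch excerpt: "## Problems in Installation & Configuration" and "### Stack Trace" have no body, and the ec_scan.c diff stops at "continu", so the `continue;` line and the hunk's trailing context are missing; please either paste the stack trace from the `ettercap -T -j overflow` run and complete the excerpt, or drop the empty headings so the index does not advertise content that is not there. Two smaller points on the same hunk: in `sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow` the redirection is performed by the caller's shell, not by sudo, so the first `sudo` is unnecessary and only the `ettercap` invocation needs it; and when describing the fix it is worth noting that a `%Ns` field width makes fscanf stop after N characters but still write a terminating NUL, so the patch is only complete if `ip`, `mac` and `name` are declared one byte larger than MAX_ASCII_ADDR_LEN, ETH_ASCII_ADDR_LEN and MAX_HOSTNAME_LEN, which the excerpt does not show.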
@@ -147,7 +147,7 @@ If the vulnerability has both CVE-ID and EDB-ID, CVE-ID is preferred as its dire
- [x] CVE-2013-0221
- [x] CVE-2013-0222
- [x] CVE-2013-0223
- [ ] CVE-2013-0722
- [x] CVE-2013-0722
- [x] CVE-2013-2028
- [ ] CVE-2013-2131
- [ ] CVE-2013-3724
