On Tue, 4 Dec 2001, ALoR wrote:
> <full disclosure>
> the problem was a forgotten "printf(buffer)" in the Interface_WExit(char
> *buffer) function.
> so to fix it simply replace the line 1252 of ec_interface.c with
> printf("%s", buffer);
> </full disclosure>
among other problems. analysis of the gobbles exploit [1] shows its abuse
of the update process that gets done. in src/ec_main.c:
441 void Main_Check_NewRelease(void)
[snip]
532 if (answer == 'y' || answer == 'Y')
533 {
534 char wget[100];
535 sprintf(wget, "wget
http://%s/download/ettercap-%s.tar.gz", host, latest);
536 system(wget);
537 }
so i set my path to be .:$PATH and make my own wget, and what gets
executed is ./wget. an example one i got to work is:
#!/bin/sh
id
it honors the permissions of the caller ... this is just executing
ettercap -v, the update path ...
yeah. there are some format string problems. and there are probably a
bunch of other problems. the one gobbles was seeing was likely caused by
the error function 'void Error_msg(char *message, ...)' which doesn't do
any formatting.
you have many issues to fix in the code, it appears. i would disblae the
suid option. yeah, its moronic to install it suid root. however even
marginaly respecting it (and dropping your priv checks) is a bad idea
until you can more agressively audit the code, a time consuming process,
yes. it's a nice tool, i hope you can fix the problems in it.
notes
[1] if you dont know where to get gobbles goods by now ... pay more
attention.
____________________________
jose nazario jose_at_cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
Received on Dec 04 2001
Intro
