On Tue, 4 Dec 2001, ALoR wrote:

> <full disclosure>
> the problem was a forgotten "printf(buffer)" in the Interface_WExit(char
> *buffer) function.
> so to fix it simply replace the line 1252 of ec_interface.c with
> printf("%s", buffer);
> </full disclosure>

among other problems. analysis of the gobbles exploit [1] shows its abuse of
the update process that gets done. in src/ec_main.c:

    441 void Main_Check_NewRelease(void)
    [snip]
    532   if (answer == 'y' || answer == 'Y')
    533   {
    534     char wget[100];
    535     sprintf(wget, "wget http://%s/download/ettercap-%s.tar.gz", host, latest);
    536     system(wget);
    537   }

so i set my path to be .:$PATH and make my own wget, and what gets executed
is ./wget. an example one i got to work is:

    #!/bin/sh
    id

it honors the permissions of the caller ... this is just executing
ettercap -v, the update path ... yeah.

there are some format string problems. and there are probably a bunch of
other problems. the one gobbles was seeing was likely caused by the error
function 'void Error_msg(char *message, ...)' which doesn't do any
formatting.

you have many issues to fix in the code, it appears. i would disable the
suid option. yeah, it's moronic to install it suid root. however even
marginally respecting it (and dropping your priv checks) is a bad idea until
you can more aggressively audit the code, a time consuming process, yes.

it's a nice tool, i hope you can fix the problems in it.

notes
[1] if you don't know where to get gobbles goods by now ... pay more
attention.

____________________________
jose nazario                                        joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
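The update path quoted above has three separate weaknesses: an unbounded sprintf into a 100-byte buffer, a command run through system() so the shell resolves a bare "wget" via the caller's PATH, and all of it done with whatever privilege the set-uid binary holds. The C below is an added example written for this archive page, not ettercap's code and not from either poster; it shows one hardened shape of that same step. It assumes the downloader lives at /usr/bin/wget, that "host" and "latest" arrive from the update server and are therefore untrusted, and that the process may be running set-uid root.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed install location. The original passed a bare "wget" to system(),
 * which let the caller's PATH (e.g. ".:$PATH") decide what actually ran. */
#define WGET_PATH "/usr/bin/wget"

/* Accept only the characters a host name or version string legitimately
 * needs, so an update-server reply cannot carry shell syntax, options or
 * path components into the command line. */
int token_is_clean(const char *s, size_t maxlen)
{
    size_t n;
    if (s == NULL || *s == '\0') return 0;
    for (n = 0; s[n] != '\0'; n++) {
        if (n >= maxlen) return 0;
        if (!isalnum((unsigned char)s[n]) && s[n] != '.' && s[n] != '-' && s[n] != '_')
            return 0;
    }
    if (s[0] == '-' || s[0] == '.') return 0;   /* no option-looking or dot-prefixed names */
    if (strstr(s, "..") != NULL) return 0;
    return 1;
}

/* Bounded replacement for the sprintf: fills 'out' with the URL and returns 0,
 * or returns -1 if a token is unacceptable or the result would not fit. */
int build_update_url(const char *host, const char *latest, char *out, size_t outsz)
{
    int n;
    if (!token_is_clean(host, 253) || !token_is_clean(latest, 32)) return -1;
    n = snprintf(out, outsz, "http://%s/download/ettercap-%s.tar.gz", host, latest);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

/* Replacement for system(): execve an absolute path with an explicit argv and
 * a fixed minimal environment, after dropping to the real uid/gid so a set-uid
 * install does not hand root to the child. Returns the child's exit status,
 * or -1 if it could not be started or did not exit normally. */
int run_fixed_path(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(path, argv, clean_env);   /* PATH is never consulted */
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The hardened update step: validate, format with bounds, run without a shell. */
int fetch_release(const char *host, const char *latest)
{
    char url[256];
    char *argv[3];
    if (build_update_url(host, latest, url, sizeof url) != 0) return -1;
    argv[0] = "wget"; argv[1] = url; argv[2] = NULL;
    return run_fixed_path(WGET_PATH, argv);
}

int main(void)
{
    char url[256];
    /* constructed inputs: a well-formed reply and one carrying shell metacharacters */
    if (build_update_url("example.invalid", "0.6.3", url, sizeof url) == 0)
        printf("would run: %s %s\n", WGET_PATH, url);
    if (build_update_url("example.invalid", "0.6.3; id", url, sizeof url) != 0)
        printf("rejected version token containing shell metacharacters\n");
    return 0;
}
```

The format-string half of the thread needs no more than the one-line change ALoR gives (a literal "%s" format with the buffer as an argument); the same rule applies to Error_msg, which should forward its arguments through vprintf-style calls rather than passing caller data as the format. On the update path, note that the allowlist plus execve removes the shell entirely, so PATH tricks and metacharacters stop mattering at the same time; the privilege drop is what limits the damage if something else in the child still goes wrong.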
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 14:20:47 PST