ettercap: insecure settings file

Package(s): ettercap
CVE #(s): CVE-2010-3843
Created: February 9, 2012
Updated: April 9, 2013
Description:

From the Red Hat bugzilla entry:

The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call allows a maliciously placed settings file to overflow a statically-sized buffer on the stack. Stack-smashing protection catches it, but it still should be fixed.

Verify with: $ perl -e 'print "A"x500' > /tmp/.ettercap_gtk && ettercap -G

Firstly, the settings file should not be globally accessible without checking ownership, which still gets hairy because an attacker could create a symlink or hard link to a victim-controlled file (unless you're using YAMA :p). The best thing would probably be to keep this file in the user's home directory instead.

Secondly, parsing configuration files should be robust against malformed input and not susceptible to trivial buffer overflows.
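The two recommendations above can be sketched in C as follows. This is an added example, not ettercap's code or its actual fix; the `name = value` line format, the 30-byte name buffer, the sample path and the function names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a settings file only if it is safe to trust: not a symlink, a regular
 * file, owned by the caller, with one hard link, not group/world-writable. */
FILE *open_trusted_conf(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;                 /* missing, unreadable, or a symlink */
    /* fstat() the descriptor we hold, so the check and the read agree. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return NULL;
    }
    return fdopen(fd, "r");
}

/* Parse one "name = value" line (assumed format). name must hold 30 bytes.
 * Returns 1 on success, 0 if the line is malformed or the name is too long. */
int parse_setting(const char *line, char name[30], int *value)
{
    /* %29s stores at most 29 characters plus the NUL; an over-long name then
     * fails to match " =" and sscanf() returns 1 instead of 2. */
    return sscanf(line, "%29s = %d", name, value) == 2;
}

int main(void)
{
    char line[256], name[30], path[] = "/tmp/conf_demo_XXXXXX"; /* constructed */
    int value, fd = mkstemp(path);   /* created with mode 0600, owned by us */
    if (fd < 0) return 1;
    dprintf(fd, "window_width = 800\n");
    close(fd);
    FILE *f = open_trusted_conf(path);
    while (f && fgets(line, sizeof line, f))
        if (parse_setting(line, name, &value)) printf("%s -> %d\n", name, value);
    if (f) fclose(f);
    unlink(path);
    return 0;
}
```

The ownership and link-count checks are only a backstop for a shared directory; keeping the file under the user's home directory, as the report suggests, removes the need to outguess other local users.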

Alerts:
Fedora FEDORA-2012-1066 2012-02-08
Fedora FEDORA-2012-1054 2012-02-08
Mageia MGASA-2012-0214 2012-08-12
Mandriva MDVSA-2013:077 2013-04-09

Copyright © 2013, Eklektix, Inc.