Bettercap Zerogod IPP Service Integer Coercion Vulnerability Leading to Remote Denial-of-Service
Vulnerability
An integer coercion vulnerability has been identified in Bettercap versions prior to 2.41.5, in the IPP service advertised by the Zerogod module. The 'ippReadChunkedBody' function reads the body of an HTTP/1.1 request sent with 'Transfer-Encoding: chunked', but does not adequately validate the chunk sizes it parses from that body. A chunk size above the permitted maximum is coerced into an allocation length that the Go runtime cannot satisfy, and the resulting runtime panic is not recovered, so the whole Bettercap process crashes. Any client that can reach the IPP listener can trigger the crash with a single crafted request, which makes this a remotely exploitable denial-of-service condition.
Impact
Exploitation crashes Bettercap and terminates the entire process, not just the IPP service, so every other module running in that instance stops as well. An attacker who can reach the IPP listener can therefore take the tool offline with one request, which amounts to a remote denial-of-service attack.
Reproduction
To reproduce this vulnerability, start Bettercap with the Zerogod module advertising an IPP service and wait until the service is listening on its configured port. From any host that can reach that port, send a crafted HTTP/1.1 request carrying an 'Expect: 100-continue' header and 'Transfer-Encoding: chunked', with a body whose first chunk-size line exceeds the maximum allowed value. Because the chunk size is not validated before it is used, the server panics while handling the request and the Bettercap process exits, demonstrating the vulnerability.
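The following Go program is an added example written for this page; it is not Bettercap's code and the exact shape of the patched 'ippReadChunkedBody' is not reproduced here. It isolates the coercion pattern the Vulnerability section describes (a hex chunk size parsed as uint64, coerced to int, and handed straight to make) beside a hardened chunked-body reader, and feeds both a constructed request of the shape given in the Reproduction section. The request path, the Host value, the per-chunk cap maxChunkSize and the per-body cap maxBodySize are all assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const maxChunkSize = 1 << 20 // assumed per-chunk cap for this example, not a Bettercap value
const maxBodySize = 8 << 20  // assumed per-body cap for this example, not a Bettercap value

// allocChunkUnsafe isolates the vulnerable pattern: a hex chunk size is parsed
// into a uint64 and coerced to int with no range check before make().
// "ffffffffffffffff" becomes -1 and "7fffffffffffffff" exceeds the largest
// possible allocation; either way make() panics ("makeslice: len out of range").
func allocChunkUnsafe(line string) []byte {
	size, _ := strconv.ParseUint(strings.TrimSpace(line), 16, 64)
	return make([]byte, int(size))
}

// Panics reports whether fn(line) panics, so the crash can be observed
// without killing the process the way the real bug does.
func Panics(fn func(string) []byte, line string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn(line)
	return false
}

// parseChunkSize is the hardened size parser: chunk extensions after ';' are
// dropped, the value is bounded before any allocation, and the int conversion
// cannot wrap because the value has already been checked against maxChunkSize.
func parseChunkSize(line string) (int, error) {
	if i := strings.IndexByte(line, ';'); i >= 0 {
		line = line[:i]
	}
	line = strings.TrimSpace(line)
	if line == "" {
		return 0, fmt.Errorf("empty chunk-size line")
	}
	n, err := strconv.ParseUint(line, 16, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid chunk size %q: %w", line, err)
	}
	if n > maxChunkSize {
		return 0, fmt.Errorf("chunk size 0x%x exceeds limit %d", n, maxChunkSize)
	}
	return int(n), nil
}

// readChunkedBody reads a chunked body with parseChunkSize and also caps the
// total body, so a stream of many small chunks cannot exhaust memory either.
func readChunkedBody(r *bufio.Reader) ([]byte, error) {
	var body bytes.Buffer
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		size, err := parseChunkSize(line)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			return body.Bytes(), nil // last chunk; trailers are not consumed here
		}
		if body.Len()+size > maxBodySize {
			return nil, fmt.Errorf("chunked body exceeds %d bytes", maxBodySize)
		}
		chunk := make([]byte, size+2) // chunk data plus its trailing CRLF
		if _, err := io.ReadFull(r, chunk); err != nil {
			return nil, err
		}
		if !bytes.HasSuffix(chunk, []byte("\r\n")) {
			return nil, fmt.Errorf("chunk data not terminated by CRLF")
		}
		body.Write(chunk[:size])
	}
}

// CraftedRequest is a constructed request of the shape the reproduction describes,
// not captured traffic; the path and Host are hypothetical. Its body is one oversize chunk-size line.
const CraftedRequest = "POST /ipp/print HTTP/1.1\r\nHost: printer.local\r\nExpect: 100-continue\r\nTransfer-Encoding: chunked\r\n\r\nffffffffffffffff\r\n"
const BenignBody = "5\r\nhello\r\n0\r\n\r\n" // constructed well-formed chunked body

func main() {
	fmt.Println("unsafe allocation panics:", Panics(allocChunkUnsafe, "ffffffffffffffff\r\n"))
	body := strings.SplitN(CraftedRequest, "\r\n\r\n", 2)[1]
	_, err := readChunkedBody(bufio.NewReader(strings.NewReader(body)))
	fmt.Println("hardened reader:", err)
}
```

The essential change is ordering: the parsed value is compared against an explicit limit while it is still a uint64, and only then narrowed to int and passed to make, so neither a wrapped negative length nor an absurdly large one can reach the allocator. The total-body cap is a separate defence the page does not discuss; it is included because a reader that only bounds individual chunks can still be driven out of memory by many of them.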
Remediation
Users are advised to update to Bettercap version 2.41.5 or later, where this vulnerability has been patched.
