| عنوان | Novastar CX40 / NetFilter Utility <=2.44.0 firmwares Memory Corruption |
|---|
| الوصف | Novastar uses various propitiatory utilities to perform actions on their devices, one of them is ``/usr/nova/bin/netconfig``, which as the name suggests, handles the device's network configuration.
This network configuration utility receives input from `getopt()` without size limitations. So when the returned buffer pointer is parsed later on to the fixed-size stack variables ``cmd``, ``netmask``, ``pipeout``, `nettask` a stack overflow could occur if the user were to input a parameter that's larger than 256 characters in length.
```c
char netmask[256]; // [xsp+28h] [xbp+28h] BYREF
char nettask[256]; // [xsp+128h] [xbp+128h] BYREF
char pipeout[256]; // [xsp+228h] [xbp+228h] BYREF
char cmd[256]; // [xsp+328h] [xbp+328h] BYREF
...
// receiving user input
opt = getopt(argc, (char *const *)argv, "d:s:i:n:g:p:");
...
// parsing action
if ( opt == 0x73 )
{
op_type = 2;
if_name = optarg;
}
...
// formatting user input parameters into the fixed size cmd buffer -> stack overflow
sprintf(cmd, "/sbin/ip addr del %s/%d dev %s", nettask, v10, if_name); |
|---|
| المستخدم | ninpwn (UID 82253) |
|---|
| ارسال | 21/03/2025 09:01 PM (1 سنة منذ) |
|---|
| الاعتدال | 30/03/2025 10:33 PM (9 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 302057 [Novastar CX40 حتى 2.44.0 NetFilter Utility /usr/nova/bin/netconfig getopt cmd/netmask/pipeout/nettask تلف الذاكرة] |
|---|
| النقاط | 17 |
|---|