| Título | Novastar CX40 / NetFilter Utility <=2.44.0 firmwares Memory Corruption |
|---|
| Descripción | Novastar uses various propitiatory utilities to perform actions on their devices, one of them is ``/usr/nova/bin/netconfig``, which as the name suggests, handles the device's network configuration.
This network configuration utility receives input from `getopt()` without size limitations. So when the returned buffer pointer is parsed later on to the fixed-size stack variables ``cmd``, ``netmask``, ``pipeout``, `nettask` a stack overflow could occur if the user were to input a parameter that's larger than 256 characters in length.
```c
char netmask[256]; // [xsp+28h] [xbp+28h] BYREF
char nettask[256]; // [xsp+128h] [xbp+128h] BYREF
char pipeout[256]; // [xsp+228h] [xbp+228h] BYREF
char cmd[256]; // [xsp+328h] [xbp+328h] BYREF
...
// receiving user input
opt = getopt(argc, (char *const *)argv, "d:s:i:n:g:p:");
...
// parsing action
if ( opt == 0x73 )
{
op_type = 2;
if_name = optarg;
}
...
// formatting user input parameters into the fixed size cmd buffer -> stack overflow
sprintf(cmd, "/sbin/ip addr del %s/%d dev %s", nettask, v10, if_name); |
|---|
| Usuario | ninpwn (UID 82253) |
|---|
| Sumisión | 2025-03-21 21:01 (hace 1 Año) |
|---|
| Moderación | 2025-03-30 22:33 (9 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 302057 [Novastar CX40 hasta 2.44.0 NetFilter Utility /usr/nova/bin/netconfig getopt cmd/netmask/pipeout/nettask desbordamiento de búfer] |
|---|
| Puntos | 17 |
|---|