| Titolo | Novastar CX40 / NetFilter Utility <=2.44.0 firmwares Memory Corruption |
|---|
| Descrizione | Novastar uses various propitiatory utilities to perform actions on their devices, one of them is ``/usr/nova/bin/netconfig``, which as the name suggests, handles the device's network configuration.
This network configuration utility receives input from `getopt()` without size limitations. So when the returned buffer pointer is parsed later on to the fixed-size stack variables ``cmd``, ``netmask``, ``pipeout``, `nettask` a stack overflow could occur if the user were to input a parameter that's larger than 256 characters in length.
```c
char netmask[256]; // [xsp+28h] [xbp+28h] BYREF
char nettask[256]; // [xsp+128h] [xbp+128h] BYREF
char pipeout[256]; // [xsp+228h] [xbp+228h] BYREF
char cmd[256]; // [xsp+328h] [xbp+328h] BYREF
...
// receiving user input
opt = getopt(argc, (char *const *)argv, "d:s:i:n:g:p:");
...
// parsing action
if ( opt == 0x73 )
{
op_type = 2;
if_name = optarg;
}
...
// formatting user input parameters into the fixed size cmd buffer -> stack overflow
sprintf(cmd, "/sbin/ip addr del %s/%d dev %s", nettask, v10, if_name); |
|---|
| Utente | ninpwn (UID 82253) |
|---|
| Sottomissione | 21/03/2025 21:01 (1 Anno fa) |
|---|
| Moderazione | 30/03/2025 22:33 (9 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 302057 [Novastar CX40 fino a 2.44.0 NetFilter Utility /usr/nova/bin/netconfig getopt cmd/netmask/pipeout/nettask buffer overflow] |
|---|
| Punti | 17 |
|---|