| Title | Novastar CX40 / NetFilter Utility <=2.44.0 firmwares Memory Corruption |
|---|
| Description | Novastar uses various proprietary utilities to perform actions on their devices; one of them is `/usr/nova/bin/netconfig`, which, as the name suggests, handles the device's network configuration.
This network configuration utility receives input from `getopt()` without size limitations. When the returned buffer pointer is later parsed into the fixed-size stack variables `cmd`, `netmask`, `pipeout` and `nettask`, a stack buffer overflow can occur if the user supplies a parameter that is larger than 256 characters in length.
```c
char netmask[256]; // [xsp+28h] [xbp+28h] BYREF
char nettask[256]; // [xsp+128h] [xbp+128h] BYREF
char pipeout[256]; // [xsp+228h] [xbp+228h] BYREF
char cmd[256]; // [xsp+328h] [xbp+328h] BYREF
...
// receiving user input
opt = getopt(argc, (char *const *)argv, "d:s:i:n:g:p:");
...
// parsing action
if ( opt == 0x73 )
{
    op_type = 2;
    if_name = optarg;
}
...
// formatting user input parameters into the fixed size cmd buffer -> stack overflow
sprintf(cmd, "/sbin/ip addr del %s/%d dev %s", nettask, v10, if_name);
```
|
|---|
| User | ninpwn (UID 82253) |
|---|
| Submission | 2025. 03. 21. PM 09:01 (1 year ago) |
|---|
| Moderation | 2025. 03. 30. PM 10:33 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 302057 [Novastar CX40 up to 2.44.0 NetFilter Utility /usr/nova/bin/netconfig getopt cmd/netmask/pipeout/nettask memory corruption] |
|---|
| Points | 17 |
|---|
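A bounded form of the two steps shown in the description (copying an option argument into a 256-byte field, then formatting the `ip addr del` line), as an added example that is not Novastar's code or the submitter's. The helper names `copy_opt` and `build_addr_del_cmd` are hypothetical, and reading `nettask` as an IPv4 address and `v10` as a prefix length is an assumption taken from the format string.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX  256 /* size of cmd/netmask/pipeout/nettask in the decompilation */
#define IFNAME_MAX 16  /* Linux IFNAMSIZ, terminating NUL included */

/* Hypothetical helper: copy an option argument into a fixed-size field.
 * Rejects (never truncates) input that does not fit with its NUL. */
int copy_opt(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if (!dst || dst_len == 0) return -1;
    dst[0] = '\0';
    if (!src) return -1;
    n = strlen(src);
    if (n >= dst_len) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical helper: build the "ip addr del" line with every input bounded.
 * Returns 0 on success, -1 on rejected input or if the result would not fit. */
int build_addr_del_cmd(char *out, size_t out_len, const char *addr,
                       int prefix, const char *if_name)
{
    struct in_addr parsed;
    size_t if_len;
    int n;
    if (!out || out_len == 0) return -1;
    out[0] = '\0';
    if (!addr || !if_name) return -1;
    if (inet_pton(AF_INET, addr, &parsed) != 1) return -1; /* dotted quad only */
    if (prefix < 0 || prefix > 32) return -1;
    if_len = strlen(if_name);
    if (if_len == 0 || if_len >= IFNAME_MAX) return -1;
    n = snprintf(out, out_len, "/sbin/ip addr del %s/%d dev %s", addr, prefix, if_name);
    if (n < 0 || (size_t)n >= out_len) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char cmd[FIELD_MAX], nettask[FIELD_MAX], long_arg[400];
    memset(long_arg, 'A', sizeof long_arg - 1); /* constructed 399-byte argument */
    long_arg[sizeof long_arg - 1] = '\0';
    printf("oversized argument -> %d\n", copy_opt(nettask, sizeof nettask, long_arg));
    if (copy_opt(nettask, sizeof nettask, "192.168.1.10") == 0 &&
        build_addr_del_cmd(cmd, sizeof cmd, nettask, 24, "eth0") == 0)
        puts(cmd);
    return 0;
}
```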