| tiêu đề | Microword Escan Antivirus For Linux 7.0.32 Stack-based Buffer Overflow |
|---|
| Mô tả | # Description and Impact
Binary /opt/MicroWorld/sbin/rtscanner is a real-time scanner runs as a system service. This binary has function removeExtraSlashes vulnerable against Stack-based Buffer Overflow.
# Root-cause
rtscanner has a feature that add absolute path of a newly created folder to "watch list". Call stack is: addWatchForDir -> isExcludedDir -> removeExtraSlashes. In function removeExtraSlashes, program uses function strcpy to copy value of absolute path to a stack at address RBP-0x400. By default, all sub folders inside /tmp/ and /home/ are being watched, hence any unprivileged user can create very long folder name to crash this program. real-time protection of Escan will be disabled as long as long folder path still exists inside /home/ or /tmp/.
# Exploit
Attacker can use a very simple python script to exploit:
import os
FOLDER = "/tmp/" + "A" * 254 + "/" + "B" * 254 + "/" + "C" * 254 + "/" + "D" * 254 + "/" + "E" * 254 + "/"
os.makedirs(FOLDER)
|
|---|
| Người dùng | FPT IS Security (UID 72751) |
|---|
| Đệ trình | 15/01/2025 12:11 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 26/01/2025 16:37 (11 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 293480 [Microword eScan Antivirus 7.0.32 trên Linux Folder Watch List rtscanner removeExtraSlashes tràn bộ đệm] |
|---|
| điểm | 17 |
|---|