
NOD32 Antivirus Software for Unix Buffer Overflow
11th Feb 2003 [SBWID-5984]

	NOD32 Antivirus System for Unix version 1.012 and below is vulnerable.


	From iDEFENSE Security Advisory [02.10.03], with credits to Knud Erik Højgaard []:
	Local exploitation of a buffer overflow in NOD32 for UNIX could allow
	attackers to gain super-user (root) privileges. The overflow occurs when
	NOD32 parses a path whose name is longer than 500 characters
	(/tmp/AAAAA....AAA). The attacker controls the upper three bytes of the
	eax and ecx registers (0x41 is 'A'), and the backtrace also shows a saved
	return address replaced with 0x41414141 (frame #2), which is what makes
	the overflow usable for code execution rather than just a crash. This
	can be seen from the following GDB output:
	Program received signal SIGSEGV, Segmentation fault.
	0x4207fa78 in strcmp () from /lib/i686/
	(gdb) bt
	#0 0x4207fa78 in strcmp () from /lib/i686/
	#1 0x0804c2ba in scan_dir ()
	#2 0x41414141 in ?? ()
	Cannot access memory at address 0x41414141
	(gdb) info registers
	eax 0x4141414c 1094795596
	ecx 0x4141414c 1094795596
	Exploitation allows local code execution with the privileges of the user
	who spawned NOD32. The attacker creates the overlong directory path and
	then socially engineers a target user into scanning over it with NOD32.
	If the attacker has write permission to a directory that is routinely
	scanned with NOD32 (such as /tmp), he or she gains the privileges of the
	scanning user, which is usually root.
	Proof of concept exploit code has been written for the FreeBSD 4.7
	platform. The following sample exploit run sets up shell code in an
	environment variable and spawns a shell with the privileges of the user
	executing NOD32:
	$ perl
	$ mkdir -p /tmp/`perl -e 'print "A" x 255'`/`perl -e 'print "B" x 240 .
	$ nod32 /tmp
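The crash above has the shape of a recursive directory walker that copies each entry's full path into a fixed-size stack buffer with no bound check, so a deep enough tree overwrites the saved registers and return address. The C program below is an added example; it is not NOD32's code (which is not public) and not taken from the advisory. It puts an unchecked strcpy/strcat-style join (whose write size is only computed, never performed, so the example itself cannot overflow) beside a bounded join built on snprintf with its return value checked, then descends a constructed path laid out like the PoC (/tmp, then 255 'A's, then 240 'B's) to show where the bounded version refuses to continue. The 500-byte buffer size and all function names are assumptions chosen to match the advisory's "greater than 500 characters" trigger.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size path buffer. The advisory says paths longer than 500
 * characters trigger the overflow; NOD32's real buffer size is not
 * published, so 500 is a stand-in that matches that observation. */
#define SCAN_PATH_BUF 500

/* Bytes an unchecked join (dir + '/' + name + NUL) would write.
 * Only computed, never performed. */
size_t unchecked_join_len(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

int unchecked_join_overflows(const char *dir, const char *name, size_t bufsz)
{
    return unchecked_join_len(dir, name) > bufsz;
}

/* Bounded join. snprintf never writes past dstsz, and its return value is
 * checked so truncation is reported (ENAMETOOLONG) instead of silently
 * producing a shorter, wrong path that the scanner would then open. */
int checked_join(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Descends a list of nested directory names the way a recursive
 * scan_dir() would, rebuilding the full path at each level in a fixed
 * buffer. Returns the depth at which the bounded join refuses to go
 * further, or -1 if the whole path fits (copied to out when given). */
int walk_components(const char *const *comp, size_t ncomp,
                    char *out, size_t outsz)
{
    char cur[SCAN_PATH_BUF];
    char next[SCAN_PATH_BUF];

    if (ncomp == 0 || strlen(comp[0]) >= sizeof cur)
        return 0;
    strcpy(cur, comp[0]);              /* length checked just above */
    for (size_t i = 1; i < ncomp; i++) {
        if (checked_join(next, sizeof next, cur, comp[i]) != 0)
            return (int)i;
        strcpy(cur, next);             /* next is the same size as cur */
    }
    if (out != NULL && outsz > 0)
        snprintf(out, outsz, "%s", cur);
    return -1;
}

/* Constructed sample mirroring the PoC layout: /tmp/<255 x 'A'>/<240 x 'B'>,
 * 501 characters in total, one past the advisory's 500. */
static char comp_a[256];
static char comp_b[241];

static void poc_components(const char **comp)
{
    memset(comp_a, 'A', 255); comp_a[255] = '\0';
    memset(comp_b, 'B', 240); comp_b[240] = '\0';
    comp[0] = "/tmp";
    comp[1] = comp_a;
    comp[2] = comp_b;
}

/* Depth at which the hardened walk stops on the PoC path. "/tmp/AAA..." is
 * 260 characters and fits; appending "/BBB..." would need 502 bytes. */
int poc_walk_depth(void)
{
    const char *comp[3];
    poc_components(comp);
    return walk_components(comp, 3, NULL, 0);
}

/* Whether the unchecked join would have overflowed SCAN_PATH_BUF at that
 * same step (260 + 1 + 240 + 1 = 502 > 500). */
int poc_unchecked_overflows(void)
{
    const char *comp[3];
    char first[SCAN_PATH_BUF];
    poc_components(comp);
    if (checked_join(first, sizeof first, comp[0], comp[1]) != 0)
        return -1;
    return unchecked_join_overflows(first, comp[2], SCAN_PATH_BUF);
}

/* Shows the truncation path of checked_join on a tiny 8-byte buffer:
 * "/tmp/abcdef" (11 chars) is rejected and the buffer emptied,
 * "/a/bcd" (6 chars) is accepted. Returns 1 when both behave as expected. */
int checked_join_truncation_demo(void)
{
    char small[8];
    if (checked_join(small, sizeof small, "/tmp", "abcdef") != -1 || small[0] != '\0')
        return 0;
    if (checked_join(small, sizeof small, "/a", "bcd") != 0)
        return 0;
    return strcmp(small, "/a/bcd") == 0;
}

int main(void)
{
    printf("hardened walk stops at depth %d\n", poc_walk_depth());
    printf("unchecked join would overflow: %d\n", poc_unchecked_overflows());
    return 0;
}
```

Two points a reviewer of the fix would check: a bounded copy that silently truncates (strncpy, or snprintf with the return value ignored) removes the memory corruption but leaves a logic bug, because the scanner would go on to open a different, shorter path than the one on disk; and the bound should come from the real limit of the platform (PATH_MAX, or a heap buffer sized per entry) rather than a number picked to make the reported PoC fail.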


	The latest version 1.013 fixes the issue and can be downloaded from
