[UNIX] Buffer Overflow In NOD32 Antivirus Software for UNIX

From: support@securiteam.com
Date: 02/10/03

  • Next message: support@securiteam.com: "[NT] Buffer Overflow Found in SQLBase" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 10 Feb 2003 22:03:02 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Buffer Overflow In NOD32 Antivirus Software for UNIX
    ------------------------------------------------------------------------

    SUMMARY

    Eset Software's <http://www.nod32.com/products/unix.htm> NOD32 Antivirus
    System is a cross-platform anti-virus application. The Linux, FreeBSD,
    OpenBSD, and NetBSD versions are compiled from the same sources, which the
    vendor refers to as "nod32 for UNIX". A local vulnerability in the product
    allows a local attacker to go gain elevated privileges.

    DETAILS

    Vulnerable systems:
     * NOD32 Antivirus System for UNIX version 1.012 and below

    Local exploitation of a buffer overflow in NOD32 for UNIX could allow
    attackers to gain super-user (root) privileges. The overflow occurs when
    NOD32 parses a path with a name of length greater than 500 characters
    (/tmp/AAAAA....AAA). An attacker can overwrite the first three bytes of
    the eax and ECX registers, as can be seen from the following GDB output:

    ..
    Program received signal SIGSEGV, Segmentation fault.
    0x4207fa78 in strcmp () from /lib/i686/libc.so.6
    (gdb) bt
    #0 0x4207fa78 in strcmp () from /lib/i686/libc.so.6
    #1 0x0804c2ba in scan_dir ()
    #2 0x41414141 in ?? ()
    Cannot access memory at address 0x41414141
    (gdb) info registers
    eax 0x4141414c 1094795596
    ecx 0x4141414c 1094795596
    ..

    Analysis:
    Exploitation allows local code execution with the privileges of the user
    who spawned NOD32. This is possible by creating an exploit path and then
    socially engineering a target user into scanning over the exploit path
    using NOD32. If the attacker has write permissions to a directory that is
    routinely scanned with NOD32 (such as /tmp), he or she can gain the
    privileges of the scanning user (usually root).

    Proof of concept exploit code has been written for the FreeBSD 4.7
    platform. The following is a sample exploit run that should set up shell
    code in an environment variable and spawn a shell under the privileges of
    the user executing NOD32:

    $ perl eggnod.pl
    $ mkdir -p /tmp/`perl -e 'print "A" x 255'`/`perl -e 'print "B" x 240 .
    "\xfc\xbf\xbf"'`
    $ nod32 /tmp

    Vendor fix:
    The latest version 1.013 fixes the issue and can be downloaded from
    <http://www.nod32.com> http://www.nod32.com

    Disclosure timeline:
    12/03/2003 Issue disclosed to iDEFENSE
    01/28/2003 Eset Software notified (webmaster@nod32.com)
    01/28/2003 iDEFENSE clients notified
    02/03/2003 Response received from Palo Luka (luka@eset.sk)
    02/10/2003 Coordinated Public Disclosure

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
     <http://www.idefense.com/advisory/02.10.03.txt>
    http://www.idefense.com/advisory/02.10.03.txt

    The information has been provided by <mailto:listserv@idefense.com>
    iDEFENSE Labs, a vulnerability was discovered by <mailto:knud@skodliv.dk>
    Knud Erik Højgaard.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.