2011-03-29 17:46:23
Zubin Mithra
Description:
Binary package hint: avra

There is a buffer overflow bug in avra 1.2.3a which might lead to memory corruption, at the very most. Neither privilege escalation nor any other kind of local exploitation is expected, as it runs with the privileges of the current user.

Tracing the control flow during static analysis gives the following:

load_arg_defines has a `strcpy(buff, define->data)` where buff is declared as `char buff[256];`. In order to inspect the values of data, we look at `struct prog_info *pi`; or rather the `args` argument of `pi`.

Memory is allocated for `args` in `alloc_args` (args.c) and values are set for it in `read_args`. Please note the lines:

```c
/* read_args() in args.c: the define's data pointer is taken straight from argv */
if(args->arg[j].type != ARGTYPE_STRING_MULTISINGLE)
    args->arg[j].data = argv[++i];
```

Evidently, at some point, the value depends on command line input and this input can be used to overflow the `buff` array.
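The pattern the report describes, shown as an added example rather than avra's own code: an unbounded `strcpy` from argument data into a 256-byte stack buffer, beside a bounds-checked replacement that rejects over-long input instead of writing past the buffer. Function names (`copy_define_unchecked`, `copy_define_checked`, `handle_define_arg`, `define_of_length_accepted`) and the `DEFINE_BUF_SIZE` constant are assumed for illustration; the only thing taken from the report is the 256-byte buffer size and the argv origin of the data.

```c
/* Added example, not avra source: the reported strcpy-into-fixed-buffer
 * pattern next to a bounds-checked form. All names here are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFINE_BUF_SIZE 256   /* matches `char buff[256]` in the report */

/* Mirrors the reported defect: a fixed stack buffer filled by strcpy from
 * data that ultimately comes from argv. Returns the copied length. Any
 * input of DEFINE_BUF_SIZE bytes or more overruns buff (undefined behaviour),
 * so this function exists only to show the shape of the bug. */
size_t copy_define_unchecked(const char *data)
{
    char buff[DEFINE_BUF_SIZE];
    strcpy(buff, data);            /* no bound check: the defect */
    return strlen(buff);
}

/* Hardened form: refuse input that cannot fit (including the terminating
 * NUL), then copy with an explicit length. Returns 0 on success, -1 if the
 * input was rejected, so the caller can report the error instead of
 * corrupting memory. */
int copy_define_checked(const char *data, char *out, size_t out_size)
{
    size_t len;

    if (data == NULL || out == NULL || out_size == 0)
        return -1;
    len = strlen(data);
    if (len >= out_size)           /* need room for the NUL terminator */
        return -1;
    memcpy(out, data, len + 1);    /* copies the NUL as well */
    return 0;
}

/* Argument handler using the report's 256-byte buffer. Returns 0 if the
 * define argument was accepted, -1 if it was too long. */
int handle_define_arg(const char *arg)
{
    char buff[DEFINE_BUF_SIZE];

    if (copy_define_checked(arg, buff, sizeof buff) != 0) {
        fprintf(stderr, "define argument too long (max %d bytes)\n",
                DEFINE_BUF_SIZE - 1);
        return -1;
    }
    /* buff now holds a NUL-terminated copy; NAME=VALUE parsing would go here */
    return 0;
}

/* Helper for checking the boundary: builds a constructed argument of n 'A'
 * characters and returns 1 if handle_define_arg accepts it, 0 if rejected. */
int define_of_length_accepted(size_t n)
{
    char *s = malloc(n + 1);
    int accepted;

    if (s == NULL)
        return 0;
    memset(s, 'A', n);
    s[n] = '\0';
    accepted = (handle_define_arg(s) == 0);
    free(s);
    return accepted;
}

int main(int argc, char **argv)
{
    int i, rc = 0;

    /* Every argv entry is treated as a define, as in the reported code path */
    for (i = 1; i < argc; i++)
        if (handle_define_arg(argv[i]) != 0)
            rc = 1;
    return rc;
}
```

The boundary that matters is `len >= out_size`: a 255-byte string plus its NUL exactly fills the 256-byte buffer, while a 256-byte string is the first input the original `strcpy` would have written past the end. Rejecting at that point turns a memory corruption into a reported usage error.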