Friday, 2 March 2018

unhide (part #1)

In the Linux package unhide, which is rootkit detection software.

 // Temporary string for output
char scratch[1000] ;
char cmdcont[1000] ;

...

               size_t length ;
               char myexe[512] ;

               sprintf(myexe,"%s%s/exe",mypath,directory);
//               printf("%s\n",myexe);

               length = readlink(myexe, cmdcont, 1000) ;

This use of readlink() is in a few places in the code. The trouble is that PATH_MAX isn't 1000.

# getconf -a|grep PATH_MAX
PATH_MAX                           4096
_POSIX_PATH_MAX                    4096

This probably leads to a rootkit bypass for unhide.
at

Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland

Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...