Skip to content
Threat Feed
high advisory

Yasr 0.6.9-5 Buffer Overflow Vulnerability (CVE-2016-20041)

Yasr version 0.6.9-5 is vulnerable to a buffer overflow, allowing local attackers to potentially crash the application or execute arbitrary code by providing an overly large argument to the '-p' parameter.

Yasr version 0.6.9-5 is susceptible to a buffer overflow vulnerability identified as CVE-2016-20041. This vulnerability allows a local attacker to potentially crash the application or achieve arbitrary code execution. The attack vector involves supplying a maliciously crafted, oversized argument to the -p parameter when invoking the yasr binary. This could lead to a compromise of the system if successfully exploited. Defenders should focus on monitoring command-line arguments and patching vulnerable systems.

Attack Chain

  1. Attacker gains local access to the system.
  2. Attacker crafts a malicious payload containing junk data, shellcode, and a return address.
  3. Attacker invokes the yasr binary with the -p parameter, supplying the crafted payload as its argument.
  4. The yasr application attempts to process the oversized argument without proper bounds checking.
  5. The crafted payload overwrites the stack, including critical data such as return addresses.
  6. The application attempts to return from a function, but instead jumps to the attacker-controlled shellcode.
  7. The attacker's shellcode executes with the privileges of the yasr process.
  8. Attacker achieves arbitrary code execution, potentially compromising the system.

Impact

Successful exploitation of CVE-2016-20041 can lead to a denial-of-service condition (application crash) or, more severely, arbitrary code execution with the privileges of the yasr process. The number of potential victims depends on the prevalence of yasr version 0.6.9-5 in local environments. If exploited, attackers could gain unauthorized access to sensitive data or further compromise the affected system.

Recommendation

  • Monitor process creation events for invocations of yasr with unusually long arguments to the -p parameter, using the process_creation Sigma rule provided.
  • Consider implementing application control or whitelisting to restrict the execution of yasr to authorized users and use cases.
  • Although patching is not possible due to the age of this software, consider removing this software from production to mitigate against exploitation of CVE-2016-20041.

Detection coverage 2

Detect Yasr Buffer Overflow Attempt via Long Argument

high

Detects potential buffer overflow attempts in Yasr by monitoring for unusually long arguments passed to the -p parameter.

sigma tactics: execution techniques: T1068 sources: process_creation, linux

Detect Yasr Invocation with Shellcode

medium

Detects potential buffer overflow attempts in Yasr by monitoring for shellcode patterns in the command line.

sigma tactics: execution techniques: T1059.004 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →