<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Yasr - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/yasr/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/yasr/feed.xml" rel="self" type="application/rss+xml"/><item><title>Yasr 0.6.9-5 Buffer Overflow Vulnerability (CVE-2016-20041)</title><link>https://feed.craftedsignal.io/briefs/2024-01-yasr-buffer-overflow/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-yasr-buffer-overflow/</guid><description>Yasr version 0.6.9-5 is vulnerable to a buffer overflow, allowing local attackers to potentially crash the application or execute arbitrary code by providing an overly large argument to the '-p' parameter.</description><content:encoded><![CDATA[<p>Yasr version 0.6.9-5 is susceptible to a buffer overflow vulnerability identified as CVE-2016-20041. This vulnerability allows a local attacker to potentially crash the application or achieve arbitrary code execution. The attack vector involves supplying a maliciously crafted, oversized argument to the <code>-p</code> parameter when invoking the <code>yasr</code> binary. This could lead to a compromise of the system if successfully exploited. Defenders should focus on monitoring command-line arguments and patching vulnerable systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to the system.</li>
<li>Attacker crafts a malicious payload containing junk data, shellcode, and a return address.</li>
<li>Attacker invokes the <code>yasr</code> binary with the <code>-p</code> parameter, supplying the crafted payload as its argument.</li>
<li>The <code>yasr</code> application attempts to process the oversized argument without proper bounds checking.</li>
<li>The crafted payload overwrites the stack, including critical data such as return addresses.</li>
<li>The application attempts to return from a function, but instead jumps to the attacker-controlled shellcode.</li>
<li>The attacker's shellcode executes with the privileges of the <code>yasr</code> process.</li>
<li>Attacker achieves arbitrary code execution, potentially compromising the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2016-20041 can lead to a denial-of-service condition (application crash) or, more severely, arbitrary code execution with the privileges of the <code>yasr</code> process. The number of potential victims depends on the prevalence of <code>yasr</code> version 0.6.9-5 in local environments. If exploited, attackers could gain unauthorized access to sensitive data or further compromise the affected system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for invocations of <code>yasr</code> with unusually long arguments to the <code>-p</code> parameter, using the process_creation Sigma rule provided.</li>
<li>Consider implementing application control or whitelisting to restrict the execution of <code>yasr</code> to authorized users and use cases.</li>
<li>Although patching is not possible due to the age of this software, consider removing this software from production to mitigate against exploitation of CVE-2016-20041.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>local-privilege-escalation</category><category>cve-2016-20041</category></item></channel></rss>