[linux-misc] [Fwd: iDEFENSE Security Advisory 04.14.04: Buffer Overflow in ISO9660 File System Component of Linux Kernel]

Markus Wernig markus at wernig.net
Thu Apr 15 09:43:04 CEST 2004


Now that's a nice one ...

-----Forwarded Message-----
> From: idlabs-advisories at idefense.com
> To: idlabs-advisories at idefense.com
> Subject: iDEFENSE Security Advisory 04.14.04: Buffer Overflow in ISO9660 File System Component of Linux Kernel
> Date: Wed, 14 Apr 2004 17:01:58 -0400
> 
> Buffer Overflow in ISO9660 File System Component of Linux Kernel
> 
> iDEFENSE Security Advisory 04.14.04
> www.idefense.com/application/poi/display?id=101&type=vulnerabilities
> April 14, 2004
> 
> I. BACKGROUND
> 
> Linux is a free Unix-type operating system originally created by Linus
> Torvalds with the assistance of developers around the world. The 'isofs'
> component of the Linux kernel mediates file system interactions with
> ISO-9660 format CD-ROMs.
> 
> II. DESCRIPTION
> 
> The Linux kernel performs no length checking on symbolic links stored on
> an ISO9660 file system, allowing a malformed CD to perform an arbitrary
> length overflow in kernel memory.
> 
> Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
> extension to the standard format. The vulnerability can be triggered by
> performing a directory listing on a maliciously constructed ISO file
> system, or attempting to access a file via a malformed symlink on such a
> file system. Many distributions allow local users to mount CDs, which
> makes them potentially vulnerable to local elevation attacks.
> 
> The relevant functions are as follows:
> 
> fs/isofs/rock.c: rock_ridge_symlink_readpage()
> fs/isofs/rock.c: get_symlink_chunk()
> 
> There is no checking that the total length of the symlink being read is
> less than the memory space that has been allocated for storing it. By
> supplying many CE (continuation) records, each with another SL (symlink)
> chunk, it is possible for an attacker to build an arbitrary length data
> structure in kernel memory space.
> 
> A proof of concept exploit has been written that allows a local user to
> gain root level access. It is also possible to cause execution of code
> with kernel privileges.
> 
> III. ANALYSIS
> 
> In order to exploit this vulnerability, an attacker must be able to
> mount a maliciously constructed file system. This may be accomplished by
> the following:
> 
> a. Having an account on the machine to be compromised and inserting a
> malformed disk. Some distributions allow local users to mount removable
> media without needing to be root, and with some configurations this
> happens automatically when a disk is inserted. The proof of concept
> exploit works from floppy disk as well as CD-ROM.
> 
> If the attacker can reboot the machine from his or her own media or
> supply command line options to the kernel during the initialization
> process after rebooting, exploiting this vulnerability may not be
> necessary to gain further access. In this situation, the attacker will
> not be able to directly access any encrypted file systems.
> 
> b. If encrypted virtual file systems are implemented, and the attacker
> gains access to an account able to mount one, then an attacker may be
> able to mount his or her own maliciously formed file system via the
> encryption interface. This would allow them access to any already
> mounted file systems.
> 
> c. Being root already. If the attacker has already gained root, but the
> kernel has some form of patch preventing root being able to perform
> certain functions, he or she may still be able to mount a file system.
> As the vulnerability occurs in kernel space, it may be possible for them
> to neutralize the restrictions.
> 
> IV. DETECTION
> 
> The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel
> implementations may also be vulnerable.
> 
> V. WORKAROUNDS
> 
> Disable user mounting of removable media devices.
> 
> VI. VENDOR RESPONSE
> 
> Affected vendors have provided the following comments/patches:
> 
> Slackware
> 
> "Slackware will be waiting for a new upstream kernel version that will
> address this issue.  None of our existing releases allow a non-root user
> to mount a CD-ROM, and the exploit requires physical access to the
> machine"
> 
> SUSE
> 
> "SUSE Security have published a SUSE Security Announcement at
> http://www.suse.de/security/ and update packages that fix the
> vulnerability. The update packages are available for download at
> ftp://ftp.suse.com/pub/suse/i386/update/<release>/rpm/i586/, but we
> encourage our users to make use of the YOU (Yast Online Update) utility
> for quick and secure installation of security updates."
> 
> Debian
> 
> http://www.security.debian.org/2004/dsa-479   alpha+ia32+powerpc
> http://www.security.debian.org/2004/dsa-480   hppa
> http://www.security.debian.org/2004/dsa-481   ia64
> http://www.security.debian.org/2004/dsa-482   powerpc/apus
> http://www.security.debian.org/2004/dsa-483   mips+mipsel
> 
> Mandrake Linux
> 
> MDKSA-2004:029
> www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2004-0109 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> January 9, 2004      Exploit acquired by iDEFENSE
> February 20, 2004    Initial vendor notification
> February 20, 2004    iDEFENSE clients notified
> April 14, 2004       Coordinated public disclosure
> 
> IX. CREDIT
> 
> Greg MacManus (iDEFENSE Labs) is credited with this discovery.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2004 iDEFENSE, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice at idefense.com for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
-- 
***************************************************

 Markus Wernig

 UNIX/Network and Security Engineer
 GPG - http://markus.wernig.net/pubkey
 -------------------------------------------------
 Linux User Group Bern - http://www.lugbe.ch
 Kampagne f. Freie Software: http://wilhelmtux.ch
***************************************************
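The advisory's core point is that the Rock Ridge symlink reader keeps concatenating SL components, across as many CE continuation records as the disc supplies, without checking the running total against the buffer it was given. The following C model, added here as an illustration and not taken from fs/isofs/rock.c or from iDEFENSE, shows what the missing bound looks like: a fixed-size target buffer, an `sl_put()` helper that refuses any write that would not fit, and an `append_symlink_chunk()` routine that parses (flags, length, bytes) components and stops at the first rejected write. The three component flag values are the ones defined by the RRIP specification; everything else (the 64-byte `SYMLINK_CAPACITY`, the function and struct names, the sample records) is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacity for the example; the real reader works into a
 * page-sized buffer, but the check is the same whatever the size. */
#define SYMLINK_CAPACITY 64

/* RRIP SL component flags (specification values). */
#define SL_FLAG_CURRENT 0x02
#define SL_FLAG_PARENT  0x04
#define SL_FLAG_ROOT    0x08

struct symlink_buf {
    char data[SYMLINK_CAPACITY];
    size_t len;               /* bytes written so far, excluding the NUL */
};

/* Append n bytes only if they fit with room for the terminating NUL.
 * Returns 0 on success, -1 if the write would overrun the buffer. */
static int sl_put(struct symlink_buf *b, const char *s, size_t n)
{
    if (n > SYMLINK_CAPACITY - 1 - b->len)
        return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Process one SL chunk: a sequence of (flags, len, bytes...) components,
 * joined with '/' as a POSIX path. Every write goes through sl_put(), so
 * the total length is bounded no matter how many chunks follow via CE.
 * Returns 0 on success, -1 on overflow or a malformed component. */
int append_symlink_chunk(struct symlink_buf *b, const uint8_t *chunk, size_t chunk_len)
{
    size_t off = 0;
    while (off + 2 <= chunk_len) {
        uint8_t flags = chunk[off];
        uint8_t clen = chunk[off + 1];
        const uint8_t *body = chunk + off + 2;
        if (clen > chunk_len - off - 2)
            return -1;        /* component claims more bytes than the chunk holds */
        off += 2 + clen;

        if (flags & SL_FLAG_ROOT) {
            if (sl_put(b, "/", 1)) return -1;
            continue;
        }
        /* separator between components, but not right after the root '/' */
        if (b->len > 0 && b->data[b->len - 1] != '/')
            if (sl_put(b, "/", 1)) return -1;
        if (flags & SL_FLAG_CURRENT) {
            if (sl_put(b, ".", 1)) return -1;
        } else if (flags & SL_FLAG_PARENT) {
            if (sl_put(b, "..", 2)) return -1;
        } else {
            if (sl_put(b, (const char *)body, clen)) return -1;
        }
    }
    return off == chunk_len ? 0 : -1;   /* trailing bytes mean a malformed record */
}

/* Constructed well-formed sample: root, "usr", then "lib" in a second chunk.
 * Returns 1 if the target resolves to "/usr/lib". */
int demo_well_formed(void)
{
    static const uint8_t sl1[] = { SL_FLAG_ROOT, 0, 0x00, 3, 'u', 's', 'r' };
    static const uint8_t sl2[] = { 0x00, 3, 'l', 'i', 'b' };
    struct symlink_buf b = { {0}, 0 };
    if (append_symlink_chunk(&b, sl1, sizeof sl1)) return 0;
    if (append_symlink_chunk(&b, sl2, sizeof sl2)) return 0;
    return strcmp(b.data, "/usr/lib") == 0;
}

/* Constructed over-long sample: the same 10-byte component repeated, as if
 * CE records kept pointing at further SL chunks. Returns 1 if the reader
 * rejects the sequence while the buffer stays in bounds and NUL-terminated. */
int demo_overlong_rejected(void)
{
    uint8_t sl[12] = { 0x00, 10 };
    struct symlink_buf b = { {0}, 0 };
    int rc = 0, i;
    memset(sl + 2, 'a', 10);
    for (i = 0; i < 100 && rc == 0; i++)
        rc = append_symlink_chunk(&b, sl, sizeof sl);
    return rc == -1 && b.len < SYMLINK_CAPACITY && b.data[b.len] == '\0';
}

int main(void)
{
    printf("well-formed target accepted: %d\n", demo_well_formed());
    printf("over-long target rejected:   %d\n", demo_overlong_rejected());
    return 0;
}
```

The design choice worth noting is that the length check sits in the single write helper rather than at the record level: a per-record check would still let the running total grow past the buffer once a continuation record brings in the next chunk, which is exactly the pattern the advisory describes.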