[UNIX] Buffer Overflow in ISO9660 File System Component of Linux Kernel

From: SecuriTeam (support_at_securiteam.com)
Date: 04/15/04

    To: list@securiteam.com
    Date: 15 Apr 2004 19:30:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Buffer Overflow in ISO9660 File System Component of Linux Kernel
    ------------------------------------------------------------------------

    SUMMARY

    Linux is a free Unix-type operating system originally created by Linus
    Torvalds with the assistance of developers around the world. The 'isofs'
    component of the Linux kernel mediates file system interactions with
    ISO-9660 format CD-ROMs. The kernel performs no length checking on
    symbolic links stored on an ISO9660 file system, so a malformed CD can
    overflow a fixed-size kernel buffer by an arbitrary amount.

    DETAILS

    Vulnerable Systems:
     * Linux kernel versions 2.4.x, 2.5.x and 2.6.x. Other kernel
    implementations may also be vulnerable.

    CVE Information:
    CAN-2004-0109
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0109

    Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
    extension to the standard format. The vulnerability can be triggered by
    listing a directory on a maliciously constructed ISO file system, or by
    accessing a file via a malformed symlink on such a file system. Many
    distributions allow local users to mount CDs, which makes them
    potentially vulnerable to local privilege-escalation attacks.

    Vulnerable Code:
    The relevant functions are as follows:

    fs/isofs/rock.c: rock_ridge_symlink_readpage()
    fs/isofs/rock.c: get_symlink_chunk()

    There is no check that the total length of the symlink being read is
    less than the memory allocated to store it. By supplying many CE
    (continuation) records, each carrying a further SL (symlink) chunk, an
    attacker can build a data structure of arbitrary length in kernel memory.
    A proof-of-concept exploit has been written that allows a local user to
    gain root-level access; execution of code with kernel privileges is also
    possible.
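    The accumulation described above, as an added example that is not part of
    the advisory or of the kernel source: a small user-space C model of a Rock
    Ridge SL/CE walker. decode_symlink() called with a NULL limit reproduces the
    unchecked behaviour (every SL chunk reached through a CE record is appended
    no matter how much destination space is left); called with the end of the
    destination buffer it refuses to write past it, which is the shape of check
    the vulnerable functions lack. The entry layout, the 32-byte "page", the
    64-byte area slots and the two disc images are constructed for the
    demonstration and simplify the real on-disc encoding (real CE pointers are
    both-byte-order block/offset/length fields, and the real destination is a
    full page).

```c
/* Added example, not the kernel's code: user-space model of Rock Ridge SL (symlink)
 * entries chained through CE (continuation) entries. The layout is a simplifying
 * assumption: entry = {sig[2], len, version, payload}; SL payload = flags byte then
 * {flags, len, text} components; CE payload = 4-byte LE offset, 4-byte LE length. */
#include <stdint.h>
#include <string.h>

#define DST_SIZE 32        /* stands in for the page the kernel decodes into */
#define AREA     64        /* each system-use/continuation area is a 64-byte slot */
#define IMG_SIZE (AREA * 8)
#define SL_ROOT  8         /* SL component flag meaning "/" */

static uint8_t img[IMG_SIZE];   /* constructed disc image (system-use areas only) */
static size_t  cur;             /* write cursor used while building it */

static void emit_sl(int ncomp, const uint8_t *cflags, const char *const *names)
{
    size_t start = cur;
    img[cur++] = 'S'; img[cur++] = 'L'; img[cur++] = 0; img[cur++] = 1; img[cur++] = 0;
    for (int i = 0; i < ncomp; i++) {
        size_t n = names[i] ? strlen(names[i]) : 0;
        img[cur++] = cflags[i]; img[cur++] = (uint8_t)n;
        if (n) memcpy(img + cur, names[i], n);
        cur += n;
    }
    img[start + 2] = (uint8_t)(cur - start);   /* patch entry length */
}
static void emit_ce(uint32_t off, uint32_t len)
{
    uint8_t e[12] = { 'C', 'E', 12, 1 };
    for (int i = 0; i < 4; i++) { e[4 + i] = (uint8_t)(off >> (8 * i)); e[8 + i] = (uint8_t)(len >> (8 * i)); }
    memcpy(img + cur, e, 12); cur += 12;
}

/* Append n bytes. limit == NULL is the unchecked variant; otherwise refuse to cross
 * it (the +1 keeps room for the terminating NUL). */
static int put(char **p, const char *limit, const char *s, size_t n)
{
    if (limit && *p + n + 1 > limit) return -1;
    memcpy(*p, s, n); *p += n;
    return 0;
}

/* Walk the area at `off`, following CE entries, and build the link target in dst.
 * Returns the target length, or -1 when the bounded variant refused to overflow. */
static long decode_symlink(size_t off, size_t area_len, char *dst, const char *limit)
{
    char *p = dst; int need_slash = 0;
    for (int hop = 0; hop < 16; hop++) {           /* hop cap guards against CE loops */
        size_t end = off + area_len, next_off = 0, next_len = 0; int have_ce = 0;
        while (off + 4 <= end && end <= IMG_SIZE) {
            const uint8_t *e = img + off;
            uint8_t elen = e[2];
            if (elen < 4 || off + elen > end) break;   /* padding or truncated entry */
            if (e[0] == 'S' && e[1] == 'L') {
                const uint8_t *c = e + 5, *ce = e + elen;   /* skip header and SL flags */
                while (c + 2 <= ce && c + 2 + c[1] <= ce) {
                    int root = c[0] & SL_ROOT;
                    if ((root || need_slash) && put(&p, limit, "/", 1)) return -1;
                    if (!root && put(&p, limit, (const char *)c + 2, c[1])) return -1;
                    need_slash = !root;
                    c += 2 + c[1];
                }
            } else if (e[0] == 'C' && e[1] == 'E' && elen >= 12) {
                for (int i = 3; i >= 0; i--) { next_off = (next_off << 8) | e[4 + i]; next_len = (next_len << 8) | e[8 + i]; }
                have_ce = 1;                           /* the disc decides where we read next */
            }
            off += elen;
        }
        if (!have_ce) break;
        off = next_off; area_len = next_len;
    }
    *p = '\0';
    return p - dst;
}

/* Benign disc: one SL entry encoding "/usr/lib". out must hold DST_SIZE bytes. */
static long demo_benign(char *out)
{
    const uint8_t f[] = { SL_ROOT, 0, 0 };
    const char *const n[] = { NULL, "usr", "lib" };
    memset(img, 0, sizeof img); cur = 0;
    emit_sl(3, f, n);
    return decode_symlink(0, AREA, out, out + DST_SIZE);
}

/* Malicious disc: four 20-byte SL chunks chained by CE entries, 83 bytes against a
 * 32-byte page. 96 bytes of slack follow the page so the unchecked run stays inside
 * one array; *bytes_past_end reports how much spilled beyond the page. */
static long demo_malicious(int bounded, int *bytes_past_end)
{
    static char backing[DST_SIZE + 96];
    char big[21]; memset(big, 'A', 20); big[20] = '\0';
    const uint8_t f[] = { 0 }; const char *const n[] = { big };
    memset(img, 0, sizeof img);
    for (int k = 0; k < 4; k++) {
        cur = (size_t)k * AREA; emit_sl(1, f, n);
        if (k < 3) emit_ce((uint32_t)((k + 1) * AREA), AREA);
    }
    memset(backing, 0, sizeof backing);
    long len = decode_symlink(0, AREA, backing, bounded ? backing + DST_SIZE : NULL);
    int past = 0;
    for (size_t i = DST_SIZE; i < sizeof backing; i++) past += backing[i] != 0;
    if (bytes_past_end) *bytes_past_end = past;
    return len;
}
```

    On the malicious image the unchecked call reports 83 bytes written, 51 of
    them past the end of the page, while the bounded call returns -1 with
    nothing spilled. In a file system driver that -1 should surface as an I/O
    error for the symlink rather than a partially built target, and the hop cap
    matters as well: a CE record is attacker-controlled data, so a walker that
    follows it without limit can be made to loop or to read wherever the disc
    points it.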

    In order to exploit this vulnerability, an attacker must be able to mount
    a maliciously constructed file system. This may be accomplished by the
    following:

     * Having an account on the machine to be compromised and inserting a
    malformed disk. Some distributions allow local users to mount removable
    media without being root, and some configurations mount a disk
    automatically when it is inserted. The proof-of-concept exploit works
    from floppy disk as well as CD-ROM. If the attacker can reboot the
    machine from his or her own media, or supply command line options to the
    kernel during initialization after a reboot, exploiting this
    vulnerability may not be necessary to gain further access; in that
    situation, however, the attacker will not be able to directly access any
    encrypted file systems.

     * If encrypted virtual file systems are implemented, and the attacker
    gains access to an account able to mount one, then the attacker may be
    able to mount his or her own maliciously formed file system via the
    encryption interface. This would give access to any already mounted file
    systems.

     * Being root already. If the attacker has already gained root, but the
    kernel has some form of patch preventing root being able to perform
    certain functions, he or she may still be able to mount a file system. As
    the vulnerability occurs in kernel space, it may be possible for them to
    neutralize the restrictions.

    Workaround:
    Disable user mounting of removable media devices.

    Vendor Status:
    Slackware:
    "Slackware will be waiting for a new upstream kernel version that will
    address this issue. None of our existing releases allow a non-root user
    to mount a CD-ROM, and the exploit requires physical access to the
    machine"

    SuSE:
    "SuSE Security have published a SuSE Security Announcement at
    http://www.suse.de/security/ and update
    packages that fix the vulnerability. The update packages are available for
    download at ftp://ftp.suse.com/pub/suse/i386/update//rpm/i586/, but we
    encourage our users to make use of the YOU (Yast Online Update) utility
    for quick and secure installation of security updates."

    Debian:
    http://www.security.debian.org/2004/dsa-479 (alpha+ia32+powerpc)
    http://www.security.debian.org/2004/dsa-480 (hppa)
    http://www.security.debian.org/2004/dsa-481 (ia64)
    http://www.security.debian.org/2004/dsa-482 (powerpc/apus)
    http://www.security.debian.org/2004/dsa-483 (mips+mipsel)

    Mandrake Linux:
    MDKSA-2004:029
    http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029

    Disclosure Timeline:
    January 9, 2004 Exploit acquired by iDEFENSE
    February 20, 2004 Initial vendor notification
    February 20, 2004 iDEFENSE clients notified
    April 14, 2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (customerservice@idefense.com).

