[UNIX] Linux Broadcom 5820 Cryptonet Driver Integer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/04

    To: list@securiteam.com
    Date: 24 Jun 2004 19:08:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Linux Broadcom 5820 Cryptonet Driver Integer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    There exists an integer overflow in the Linux cryptonet driver. A user
    supplied value is used to size a dynamic buffer, and this buffer is
    subsequently filled with user supplied data.

    Local DoS condition and arbitrary code execution are possible through
    exploitation of the vulnerability. However, the driver is not present in
    most Linux distributions.

    DETAILS

    Vulnerable Systems:
     * RedHat Linux 8, kernel version 2.4.20

    Note: If the driver is installed its sources can be found at:
    /usr/src/linux/drivers/crypto/bcm/

    The ubsec_ioctl() function is used to set up various operating parameters
    for the device driver. One of the commands is used to set up the key being
    used for encryption. This occurs in the following code from
    /drivers/crypto/bcm/dispatch.c, line 196:
    --------------------------------- Begin Code ---------------------------------
    case UBSEC_KEY_SETUP_FUNC:
        status = ubsec_keysetup(DeviceInfoList[SelectedDevice].Context, (void *)arg);
        break;
    ---------------------------------- End Code ----------------------------------

    This calls the following function, found in /drivers/crypto/bcm/pkey.c, line 91
    (the markers 1] to 4] are referenced in the discussion below):
    --------------------------------- Begin Code ---------------------------------
    int ubsec_keysetup(ubsec_DeviceContext_t pContext, ubsec_key_io_t *pKeyIOInfo)
    {
        ...snip....

    1]
      copy_from_user( &KeyIOInfoForDSA,pKeyIOInfo, sizeof(KeyIOInfoForDSA));

      if((KeyIOInfoForDSA.command == UBSEC_DSA_SIGN) ||
         (KeyIOInfoForDSA.command == UBSEC_DSA_VERIFY)) {
        message_alignment = DSA_MESSAGE_ALIGNMENT;
    2]
        add_dsa_buf_bytes =
          KeyIOInfoForDSA.key.DSAParams.InputFragments->FragmentLength +
          DSA_MESSAGE_ALIGNMENT;
      }

       .......

    3]
      pkey_buf = (unsigned char *)
        kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);
      pCommandContext = (CommandContext_pt)pkey_buf;
      kcmd = (ubsec_KeyCommandInfo_pt) &pCommandContext[1];
      KeyIOInfo = (ubsec_key_io_pt)&kcmd[1];
      KeyLoc = ((unsigned char *)&KeyIOInfo[1]) + message_alignment;

    4]
      copy_from_user( KeyIOInfo, pKeyIOInfo, sizeof(*KeyIOInfo));

       ...snip...
    }
    ---------------------------------- End Code ----------------------------------

    The last argument passed to ubsec_keysetup() is the device-specific,
    user-supplied argument to ioctl(). It is copied into the KeyIOInfoForDSA
    variable at 1] and then used to size the buffer at 2]. The code accesses a
    pointer embedded in the structure; that pointer references a memory
    location in user space, and dereferencing it directly from the kernel
    should cause a page fault to occur.

    The value is then added to 4096 (see 3]) when the buffer is allocated.
    Part of this buffer is used at 4], when the same user structure from 1] is
    copied to an address further into the allocated buffer. If a properly
    calculated negative value is used for the add_dsa_buf_bytes variable, an
    integer overflow occurs when the buffer is allocated at 3].

    The smallest buffer that kmalloc() can allocate is 32 or 64 bytes,
    depending on the platform. It is still possible to overflow the buffer at
    4], once the size of the structure being copied is taken into account
    together with the fact that the copy begins at offset 24 (or greater,
    depending on the platform) into the allocated buffer. Depending on the
    location of the allocated buffer in the cache slab, it may be possible to
    overwrite slab control structures and execute arbitrary code. More likely,
    however, the overwritten memory segment will belong to some other code,
    and the system will become unstable when that code accesses its rightful
    memory segment.
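    The arithmetic behind the overflow at 3], placed beside the bound check
    the driver lacks, as an added example; this is not code from the advisory
    or from the Broadcom driver. The 4096-byte base, the 24-byte copy offset
    and the 32-byte minimum slab object are taken from the text above; the
    structure size (KEY_IO_STRUCT_SIZE), the policy bound passed to
    checked_alloc_size(), and the power-of-two slab model are constructed
    assumptions so the code runs in user space.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout values from the advisory: the fixed 4096-byte base added to the
 * user-controlled fragment length before kmalloc(), the 24-byte offset at
 * which the copy at 4] begins, and the 32-byte minimum slab object.
 * KEY_IO_STRUCT_SIZE is a constructed stand-in for sizeof(ubsec_key_io_t),
 * which the advisory does not state. */
#define PKEY_BASE_SIZE      4096u
#define COPY_START_OFFSET   24u
#define KMALLOC_MIN_SIZE    32u
#define KEY_IO_STRUCT_SIZE  200u   /* hypothetical */

/* Sizing as the driver does it: the user-controlled length is added to the
 * base and the sum goes straight to the allocator. The addition is unsigned,
 * so a large value wraps around to a small size instead of failing. */
size_t vulnerable_alloc_size(size_t user_len)
{
    return PKEY_BASE_SIZE + user_len;
}

/* Minimal model of slab rounding (assumption, not the kernel's table): a
 * request below the minimum object is served from the smallest slab, larger
 * requests round up to the next power of two. */
size_t model_slab_size(size_t requested)
{
    size_t s = KMALLOC_MIN_SIZE;
    while (s < requested && s < (SIZE_MAX >> 1))
        s <<= 1;
    return s;
}

/* Does the copy at 4] (a struct written starting at COPY_START_OFFSET)
 * stay inside an allocation of alloc_size bytes? */
bool copy_fits(size_t alloc_size)
{
    return COPY_START_OFFSET + KEY_IO_STRUCT_SIZE <= alloc_size;
}

/* Hardened sizing. Returns the size to allocate, or 0 if the request must be
 * rejected: the user length exceeds a driver-defined policy bound, the
 * addition would wrap, or the result could not hold the copy at 4]. The
 * bound check alone suffices in practice; the explicit wrap check keeps the
 * arithmetic safe even if the bound is raised later. */
size_t checked_alloc_size(size_t user_len, size_t max_fragment)
{
    if (user_len > max_fragment)
        return 0;
    if (user_len > SIZE_MAX - PKEY_BASE_SIZE)
        return 0;
    size_t total = PKEY_BASE_SIZE + user_len;
    if (!copy_fits(total))
        return 0;
    return total;
}

int main(void)
{
    /* Constructed inputs: a benign length and one chosen so that
     * 4096 + len wraps to 6, which the slab rounds up to 32 bytes. */
    size_t lengths[] = { 16, (size_t)-4090 };

    for (size_t i = 0; i < 2; i++) {
        size_t req  = vulnerable_alloc_size(lengths[i]);
        size_t slab = model_slab_size(req);
        printf("len=%zu -> unchecked request %zu, slab object %zu, "
               "copy fits: %s; checked request: %zu\n",
               lengths[i], req, slab, copy_fits(slab) ? "yes" : "NO",
               checked_alloc_size(lengths[i], 65536));
    }
    return 0;
}
```

    Running it shows the benign length producing a 4112-byte request that
    holds the copy, while the wrapped length yields a 6-byte request served
    from a 32-byte slab object that the 224-byte write at offset 24 cannot fit;
    checked_alloc_size() rejects that length outright.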

    ADDITIONAL INFORMATION

    The information has been provided by Sean <mailto:infamous41md@hotpop.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

