From: idlabs-advisories at idefense.com (idlabs-advisories@...fense.com)
Subject: iDEFENSE Security Advisory 04.14.04: Buffer Overflow in ISO9660
 File System Component of Linux Kernel

Buffer Overflow in ISO9660 File System Component of Linux Kernel

iDEFENSE Security Advisory 04.14.04
www.idefense.com/application/poi/display?id=101&type=vulnerabilities
April 14, 2004

I. BACKGROUND

Linux is a free Unix-type operating system originally created by Linus
Torvalds with the assistance of developers around the world. The 'isofs'
component of the Linux kernel mediates file system interactions with
ISO-9660 format CD-ROMs.

II. DESCRIPTION

The Linux kernel performs no length checking on symbolic links stored on
an ISO9660 file system, allowing a malformed CD to perform an arbitrary
length overflow in kernel memory.

Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
extension to the standard format. The vulnerability can be triggered by
performing a directory listing on a maliciously constructed ISO file
system, or attempting to access a file via a malformed symlink on such a
file system. Many distributions allow local users to mount CDs, which
makes them potentially vulnerable to local elevation attacks.

The relevant functions are as follows:

fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()

There is no checking that the total length of the symlink being read is
less than the memory space that has been allocated for storing it. By
supplying many CE (continuation) records, each with another SL (symlink)
chunk, it is possible for an attacker to build an arbitrary length data
structure in kernel memory space.

A proof of concept exploit has been written that allows a local user to
gain root level access. It is also possible to cause execution of code
with kernel privileges.

III. ANALYSIS

In order to exploit this vulnerability, an attacker must be able to
mount a maliciously constructed file system. This may be accomplished by
the following:

a. Having an account on the machine to be compromised and inserting a
malformed disk. Some distributions allow local users to mount removable
media without needing to be root and with some configurations. This
happens automatically when a disk is inserted. The proof of concept
exploit works from floppy disk as well as CD-ROM.

If the attacker can reboot the machine from his or her own media or
supply command line options to the kernel during the initialization
process after rebooting, exploiting this vulnerability may not be
necessary to gain further access. In this situation, the attacker will
not be able to directly access any encrypted file systems.

b. If encrypted virtual file systems are implemented, and the attacker
gains access to an account able to mount one, then an attacker may be
able to mount his or her own maliciously formed file system via the
encryption interface. This would allow them access to any already
mounted file systems.

c. Being root already. If the attacker has already gained root, but the
kernel has some form of patch preventing root being able to perform
certain functions, he or she may still be able to mount a file system.
As the vulnerability occurs in kernel space, it may be possible for them
to neutralize the restrictions.

IV. DETECTION

The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel
implementations may also be vulnerable.

V. WORKAROUNDS

Disable user mounting of removable media devices.

VI. VENDOR RESPONSE

Affected vendors have provided the following comments/patches:

Slackware

"Slackware will be waiting for a new upstream kernel version that will
address this issue.  None of our existing releases allow a non-root user
to mount a CD-ROM, and the exploit requires physical access to the
machine"

SUSE

"SUSE Security have published a SUSE Security Announcement at
http://www.suse.de/security/ and update packages that fix the
vulnerability. The update packages are available for download at
ftp://ftp.suse.com/pub/suse/i386/update/<release>/rpm/i586/, but we
encourage our users to make use of the YOU (Yast Online Update) utility
for quick and secure installation of security updates."

Debian

http://www.security.debian.org/2004/dsa-479   alpha+ia32+powerpc
http://www.security.debian.org/2004/dsa-480   hppa
http://www.security.debian.org/2004/dsa-481   ia64
http://www.security.debian.org/2004/dsa-482   powerpc/apus
http://www.security.debian.org/2004/dsa-483   mips+mipsel

Mandrake Linux

MDKSA-2004:029
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0109 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

January 9, 2004      Exploit acquired by iDEFENSE
February 20, 2004    Initial vendor notification
February 20, 2004    iDEFENSE clients notified
April 14, 2004       Coordinated public disclosure

IX. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@...fense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Powered by blists - more mailing lists