Attack of the killer CD [LWN.net]

This story starts to get a little tiresome: a security researcher has found yet another set of vulnerabilities in the Linux kernel. The researcher this time is Michal Zalewski, who, in the past, has had great luck finding problems by feeding random data to code. It didn't take him too long to find a few ways to crash the kernel with corrupted CD images.

The impact of this bug is that anybody who can cause a CD to be mounted can crash the system, and, potentially, obtain root access. Mounting a disk is normally a privileged operation, but many systems are set up to automatically mount a CD (and, perhaps, fire off a file manager window) on insertion. Others are set up to allow unprivileged users to mount a CD on demand. So corrupt CDs are, indeed, a mechanism which could be used to compromise a system.

Of course, it is true that anybody who gets into a position where they can insert a CD into the system may well find a way to compromise it anyway. It is hard to defend against an attacker with physical access. Even so, there is no point in making any sort of attack easier.

The bugs in this case are ancient; much of the ISO9660 code dates back to the early 1990's, and it hasn't seen a great deal of maintenance since. In some places, values obtained from the filesystem are not properly checked, leading to inappropriate memory accesses. In one other, the check was in place, but the code responds to a corrupt disk by calling panic(), thus creating a nice denial of service situation. There's guaranteed to be other problems which have not yet been found; as Linus put it, "The code is a mess."

Other filesystems may have similar problems. An on-disk filesystem is a complicated data structure, and it can be very hard to defend against any sort of corruption. Users are plugging in filesystems more frequently; many consumer gadgets, such as cameras and music players, just look like another disk to the computer. So the opportunities for filesystem-based attacks are growing. Expect more patches as more ten-year-old bugs are found and fixed.

(Log in to post comments)

Attack of the killer CD

Posted Mar 25, 2005 0:36 UTC (Fri) by dvdeug (subscriber, #10998) [Link]

The attacker doesn't need access to the computer; he just needs to convince the (super)user to mount his CD. I suspect if you can gain root access, you can run a trojan as root from that CD.

Mounting a CD image, at least, should be something that a user can do. It's the easiest way to handle them.

User space mount?

Posted Mar 25, 2005 10:11 UTC (Fri) by bockman (guest, #3650) [Link]

""" Mounting a CD image, at least, should be something that a user can do. """

Maybe there should be two kind of "mount" for removable devices : the standard one, allowed only to root, and a sort of "user space mount", which is allowed to users because it is somehow isolated from kernel and therefore its bugs are less likely to compromise the system.

Easy to say, hard to do, I expect.

User space mount?

Posted Mar 26, 2005 0:28 UTC (Sat) by zlynx (subscriber, #2285) [Link]

Don't a few archive tools have ISO support? I thought FileRoller could do it. I wouldn't be surprised if there was a KDE kioslave for it. Then there are some utilities that come with mkisofs, too.

Attack of the killer CD

Posted Apr 1, 2005 23:10 UTC (Fri) by rabnud (guest, #2839) [Link]

Ultimately, the issue is based on there being a user who expects to be able to simply add a filesystem anytime they want to add one (cameras, thumb drives, etc).

This all sounds more like an administrative issue (e.g., configuration should not allow mounting filesystems with root privileges), and if Linux has absolutely no mechanism for mounting such devices with user privileges, I'd be surprised.