

Attack of the killer CD

This story starts to get a little tiresome: a security researcher has found yet another set of vulnerabilities in the Linux kernel. The researcher this time is Michal Zalewski, who, in the past, has had great luck finding problems by feeding random data to code. It didn't take him too long to find a few ways to crash the kernel with corrupted CD images.

The impact of this bug is that anybody who can cause a CD to be mounted can crash the system, and, potentially, obtain root access. Mounting a disk is normally a privileged operation, but many systems are set up to automatically mount a CD (and, perhaps, fire off a file manager window) on insertion. Others are set up to allow unprivileged users to mount a CD on demand. So corrupt CDs are, indeed, a mechanism which could be used to compromise a system.

Of course, it is true that anybody who gets into a position where they can insert a CD into the system may well find a way to compromise it anyway. It is hard to defend against an attacker with physical access. Even so, there is no point in making any sort of attack easier.

The bugs in this case are ancient; much of the ISO9660 code dates back to the early 1990s, and it hasn't seen a great deal of maintenance since. In some places, values obtained from the filesystem are not properly checked before use, leading to inappropriate memory accesses. In one other place, the check was in place, but the code responds to a corrupt disk by calling panic(), thus creating a nice denial of service situation. There are guaranteed to be other problems which have not yet been found; as Linus put it, "The code is a mess."
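As an added illustration, not code from the kernel or from Zalewski's report: a minimal reader for the ISO9660 directory record layout (ECMA-119), written the way the paragraph above says the old code should have been. Every length taken from the disc is bounded against the sector and the record before it is used, and a corrupt record is reported as an error rather than causing an out-of-bounds access or a panic(). The sample sector is constructed, not taken from a real disc.

```c
#include <stdint.h>
#include <string.h>

/* Minimal model of an ISO9660 directory record (ECMA-119 9.1): byte 0 is the
 * record length, byte 32 the file identifier length, bytes 33.. the identifier. */
#define DR_NAME_LEN_OFF 32
#define DR_NAME_OFF     33
enum { ISO_OK = 0, ISO_ERR_TRUNCATED = -1, ISO_ERR_BAD_LEN = -2 };

/* Validate the record at 'off' in a 'sec_len'-byte sector and copy its identifier
 * into 'name' (NUL terminated, at most name_cap-1 bytes). Each on-disk length is
 * checked before it is used as an index or copy size; corruption yields an error. */
int iso_read_record(const uint8_t *sec, size_t sec_len, size_t off,
                    char *name, size_t name_cap)
{
    if (off >= sec_len)
        return ISO_ERR_TRUNCATED;
    size_t len = sec[off];
    if (len < DR_NAME_OFF || len > sec_len - off)  /* header and record must fit the sector */
        return ISO_ERR_BAD_LEN;
    size_t nlen = sec[off + DR_NAME_LEN_OFF];
    if (nlen > len - DR_NAME_OFF)                   /* identifier must fit its own record */
        return ISO_ERR_BAD_LEN;
    if (nlen >= name_cap)                           /* never overflow the caller's buffer */
        nlen = name_cap - 1;
    memcpy(name, sec + off + DR_NAME_OFF, nlen);
    name[nlen] = '\0';
    return ISO_OK;
}

/* Constructed sample sector (not from a real disc): a well-formed 46-byte record for
 * "README.TXT;1" at offset 0, then a 40-byte record at offset 46 whose identifier
 * length field (200) points far past its own end. Returns 0 if both are handled. */
int demo(void)
{
    uint8_t sec[128] = {0};
    char name[256];
    const char *n = "README.TXT;1";
    sec[0] = 46;                                    /* 33 header + 12 name + 1 pad */
    sec[DR_NAME_LEN_OFF] = (uint8_t)strlen(n);
    memcpy(sec + DR_NAME_OFF, n, strlen(n));
    sec[46] = 40;
    sec[46 + DR_NAME_LEN_OFF] = 200;                /* corrupt identifier length */
    if (iso_read_record(sec, sizeof sec, 0, name, sizeof name) != ISO_OK || strcmp(name, n) != 0)
        return 1;
    if (iso_read_record(sec, sizeof sec, 46, name, sizeof name) != ISO_ERR_BAD_LEN)
        return 2;
    return 0;
}
```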

Other filesystems may have similar problems. An on-disk filesystem is a complicated data structure, and it can be very hard to defend against any sort of corruption. Users are plugging in filesystems more frequently; many consumer gadgets, such as cameras and music players, just look like another disk to the computer. So the opportunities for filesystem-based attacks are growing. Expect more patches as more ten-year-old bugs are found and fixed.

Comments (6 posted)

New vulnerabilities

dyndnsupdate: multiple vulnerabilities

Package(s): dyndnsupdate    CVE #(s):
Created: March 21, 2005    Updated: March 22, 2005
Description: Toby Dickenson discovered that Xzabite's dyndnsupdate suffers from multiple overflows. A remote attacker, posing as a server, could execute arbitrary code with the rights of the user running dyndnsupdate.
Gentoo 200503-27 dyndnsupdate 2005-03-21

Comments (none posted)

evolution: message crash vulnerability

Package(s): evolution    CVE #(s): CAN-2005-0806
Created: March 17, 2005    Updated: August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Ubuntu USN-166-1 evolution 2005-08-11
Red Hat RHSA-2005:397-01 evolution 2005-05-04
Conectiva CLA-2005:950 evolution 2005-04-27
Fedora FEDORA-2005-338 evolution 2005-04-22
Mandrake MDKSA-2005:059 evolution 2005-03-16

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): firefox    CVE #(s): CAN-2005-0399 CAN-2005-0401 CAN-2005-0402
Created: March 23, 2005    Updated: March 25, 2005
Description: The firefox browser (prior to version 1.0.2) contains three vulnerabilities: a GIF processing buffer overflow, a (difficult) way to trick users into running hostile XUL content, and a way to get a user to run an arbitrary program by way of the sidebar panel.
Gentoo 200503-31 mozilla-firefox 2005-03-25
Red Hat RHSA-2005:336-01 firefox 2005-03-23
Fedora FEDORA-2005-246 firefox 2005-03-23

Comments (none posted)

kdelibs: dcopserver vulnerability

Package(s): kdelibs    CVE #(s): CAN-2005-0396 CAN-2005-0237 CAN-2005-0365
Created: March 17, 2005    Updated: May 17, 2005
Description: The KDE Desktop Communication Protocol daemon (dcopserver) is vulnerable to lockup by a local user, leading to a denial of service.
Conectiva CLA-2005:953 kde 2005-05-17
SuSE SUSE-SA:2005:022 kdelibs3 2005-04-11
Red Hat RHSA-2005:307-01 kdelibs 2005-04-06
Fedora FEDORA-2005-245 kdelibs 2005-03-23
Fedora FEDORA-2005-244 kdelibs 2005-03-23
Red Hat RHSA-2005:325-01 kdelibs 2005-03-23
Gentoo 200503-22 kde 2005-03-19
Mandrake MDKSA-2005:058 kdelibs 2005-03-16

Comments (none posted)

LTris: buffer overflow

Package(s): ltris    CVE #(s):
Created: March 21, 2005    Updated: March 22, 2005
Description: LTris is vulnerable to a buffer overflow when reading the global highscores file. By modifying the global highscores file a malicious user could trick another user to execute arbitrary code.
Gentoo 200503-24 ltris 2005-03-20

Comments (none posted)

rxvt-unicode: buffer overflow

Package(s): rxvt-unicode    CVE #(s): CAN-2005-0764
Created: March 21, 2005    Updated: March 22, 2005
Description: Rob Holland of the Gentoo Linux Security Audit Team discovered that rxvt-unicode fails to properly check input length. Successful exploitation would allow an attacker to execute arbitrary code with the permissions of the user running rxvt-unicode.
Gentoo 200503-23 rxvt-unicode 2005-03-20

Comments (none posted)

xloadimage: missing input sanitizing, integer overflow

Package(s): xloadimage    CVE #(s): CAN-2005-0638 CAN-2005-0639
Created: March 21, 2005    Updated: May 4, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. CAN-2005-0638

Insufficient validation of image properties has also been discovered, which could potentially result in buffer management errors. CAN-2005-0639

Mandriva MDKSA-2005:076 xli 2005-04-20
Red Hat RHSA-2005:332-01 xloadimage 2005-04-19
Debian DSA-695-1 xli 2005-03-21
Debian DSA-694-1 xloadimage 2005-03-21
Fedora FEDORA-2005-237 xloadimage 2005-03-18
Fedora FEDORA-2005-236 xloadimage 2005-03-18

Comments (none posted)


Security Innovation's Microsoft/Linux web server security study

Security Innovation has announced the availability of its (Microsoft-funded) web server security survey which found Windows to be a more secure platform. The document itself is available in PDF format. "For example, CAN-2004-0957 discusses a bug in MySQL's mysql_real_connect() function. This was entered into the MySQL bug database on 4th June 2004, and fixed in the source tree 17th June 2004. However, Red Hat only packaged this fix in RHSA-2004:611, issued on the 27th of November. This problem of the management of fixes from a third-party is a difficult one, and one which could represent a significant challenge to Linux on a go-forward basis."

Comments (29 posted)


RUXCON 2005 Call for Papers

RUXCON ("an attempt to bring together the individual talents of the security community through live presentations, activities and demonstrations") will be held October 1 and 2 in Sydney, Australia. Submissions are due by August 31.

Full Story (comments: none)

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.