User: Password:
|
|
Subscribe / Log in / New account

Linux ISO9660 handling flaws

From:  Michal Zalewski <lcamtuf-AT-dione.ids.pl>
To:  bugtraq-AT-securityfocus.com, vulnwatch-AT-vulnwatch.org
Subject:  Linux ISO9660 handling flaws
Date:  Thu, 17 Mar 2005 22:36:45 +0100 (CET)
Cc:  full-disclosure-AT-netsys.com

Good morning,

There appears to be a fair number of kernel-level range checking flaws in
ISO9660 filesystem handler (and Rock Ridge / Juliet extensions) in Linux
up to and including 2.6.11. These bugs range from DoS conditions to
potentially exploitable memory corruption - all this whenever a specially
crafted filesystem is mounted or directories are examined.

Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show
up by tomorrow or so), although, as per Linus words, "that code is
horrid", and it may take some time to work out all the issues.

The impact is not dramatic, but there are two obvious ways such flaws can
be used to benefit remote attackers:

  1) Bugs in removable media filesystems may be used to automatically
     compromise any system whose owner decided to examine a newly acquired
     CD-ROM, even if extreme caution is observed (that is, autorun is
     disabled, and no files are executed).

  2) For all types of filesystems, such problems can be additionally used
     to subvert forensic analysis efforts. Disk images from compromised
     machine may infect forensic examiner's system and alter results,
     or simply render the machine unusable.

Attached is a trivial fuzz script that can be used to test fs drivers
against most obvious fault conditions. With little effort, it can be
further altered to test filesystems other than ISO9660, and OSes other
than Linux.

Regards,
Michal Zalewski

Obligatory plug: http://lcamtuf.coredump.cx/silence/
#!/bin/bash

cd /tmp || exit 1

echo '[*] Compiling mangler...'

cat >mangle.c <<_EOF_
char buf[10240];
main() {
  int i,x;
  srand(time(0) ^ getpid());
  while ( (i = read(0,buf,sizeof(buf))) > 0) {
    x = rand() % (i/20);
    while (x--) buf[rand() % i] = rand();
    write(1,buf,i);
  }
}
_EOF_

gcc -O3 mangle.c -o mangle || exit 1
rm -f mangle.c

echo '[*] Preparing ISO master (feel free to alter this code)...'

mkdir cd_dir || exit 1
cd cd_dir

CNT=0
while [ "$CNT" -lt "200" ]; do
  mkdir A; cd A
  CNT=$[CNT+1]
done

cd /tmp/cd_dir

A=`perl -e '{print "A"x255}' 2>/dev/null`
CNT=0
while [ "$CNT" -lt "3" ]; do
  mkdir "$A"; cd "$A"
  CNT=$[CNT+1]
done

cd /tmp

echo '[*] Creating image (alter filesystem or parameters as needed)...'

mkisofs -U -R -J -o cd.iso cd_dir 2>/dev/null || exit 1
rm -rf cd_dir

echo '[*] STRESS TEST PHASE...'

while :; do 
  DIR="/tmp/cdtest-$$-$RANDOM"
  mkdir "$DIR"
  dmesg -c 2>/dev/null
  cat cd.iso | ./mangle >cd_mod.iso
  mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null
  # ls -lAR "$DIR" - Uncomment if you like when it HURTS...
  umount "$DIR" 2>/dev/null
  rm -rf "$DIR" 2>/dev/null
  FAULT=`dmesg | grep -Ei 'oops|unable to handle'`
  test "$FAULT" = "" || break
done

dmesg | tail -30

echo '[+] Something found (/tmp/cd-mod.iso)...'

rm -f cd.iso mangle
exit 0


(Log in to post comments)

Linux ISO9660 handling flaws

Posted Mar 19, 2005 14:55 UTC (Sat) by cartman (subscriber, #11404) [Link]

Tested the exploit given and 2.6.12-rc1 looks safe.

Linux ISO9660 handling flaws

Posted Mar 19, 2005 20:42 UTC (Sat) by xorbe (guest, #3165) [Link]

I have a Samsumg Printer driver CD that will freeze a Linux box when inserted.

Linux ISO9660 handling flaws

Posted Mar 19, 2005 22:27 UTC (Sat) by kasperd (guest, #11842) [Link]

Already when inserting? Or only when mounting?

Linux ISO9660 handling flaws

Posted Mar 20, 2005 17:45 UTC (Sun) by xorbe (guest, #3165) [Link]

Well the kernel has supermount, so pop a CD in, mount, hang. I've a screenshot of the error message scrolling up the screen somewhere...

Linux ISO9660 handling flaws

Posted Mar 30, 2005 20:51 UTC (Wed) by kasperd (guest, #11842) [Link]

In that case I'd try disabling supermount and mount the CD manually to get a better understanding of the exact location of the bug.

Linux ISO9660 handling flaws

Posted Mar 20, 2005 3:03 UTC (Sun) by dlang (subscriber, #313) [Link]

surviving in the face of a deliberatly corrupted filesystem sounds like an easy thing to miss. I would be very surprised if we didn't see a bunch of vunerabilities along these lines in many differeny OS's in the next few months as everyone double-checks things

Linux ISO9660 handling flaws

Posted Mar 21, 2005 15:00 UTC (Mon) by eludias (guest, #4058) [Link]

...and too little attention will be payed to this in the future. The only way I see is to implement removable media in user-space (mtools for example) or more transparant with something like FUSE. The only thing we need now is a FUSE-to-linux-filesystems-connector and we're set.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds