The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory. Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks. The relevant functions are as follows: fs/isofs/rock.c: rock_ridge_symlink_readpage() fs/isofs/rock.c: get_symlink_chunk() There is no checking that the total length of the symlink being read is less than the memory space that has been allocated for storing it. By supplying many CE (continuation) records, each with another SL (symlink) chunk, it is possible for an attacker to build an arbitrary length data structure in kernel memory space. A proof of concept exploit has been written that allows a local user to gain root level access. It is also possible to cause execution of code with kernel privileges. III. ANALYSIS In order to exploit this vulnerability, an attacker must be able to mount a maliciously constructed file system. This may be accomplished by the following: a. Having an account on the machine to be compromised and inserting a malformed disk. Some distributions allow local users to mount removable media without needing to be root and with some configurations. This happens automatically when a disk is inserted. The proof of concept exploit works from floppy disk as well as CD-ROM. If the attacker can reboot the machine from his or her own media or supply command line options to the kernel during the initialization process after rebooting, exploiting this vulnerability may not be necessary to gain further access. In this situation, the attacker will not be able to directly access any encrypted file systems. b. If encrypted virtual file systems are implemented, and the attacker gains access to an account able to mount one, then an attacker may be able to mount his or her own maliciously formed file system via the encryption interface. This would allow them access to any already mounted file systems. c. Being root already. If the attacker has already gained root, but the kernel has some form of patch preventing root being able to perform certain functions, he or she may still be able to mount a file system. As the vulnerability occurs in kernel space, it may be possible for them to neutralize the restrictions. IV. DETECTION The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel implementations may also be vulnerable. V. WORKAROUNDS Disable user mounting of removable media devices. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Thanks; fixed kernels will be added here as they are done.
Vanilla-sources-2.4.26 is in...
SELinux-sources-2.4.25 is in...
As long as no bug reports show up for grsec at grsec site and spender moves his patches out of http://grsecurity.net/~spender/ and to the main site. I'll be putting it in as 2.4.26 (2.x final) and removing all older versions. This should conclude the grsec-2.4.x series all together. Well atleast till the next sec bug is discovered.
Win4Lin-Sources 2.4.25-r1 and 2.6.5-r1 which are patched are now in...
AA-Sources-2.4.23-r2 patched...
Alpha-sources 2.4.21-r5 added and now in...
Ck-sources 2.4.25-r1 and 2.6.4-r1 are patched.
Compaq-sources-2.4.9.32.7-r3 added...
Development sources 2.6.6_rc1 added.
IA64-Sources 2.4.24-r2 added.
Planet-CCRMA-sources-2.4.21-r6 added in...
PAC-Sources-2.4.23-r4 added in...
PPC-Sources 2.4.24-r3 added in...
Added in PPC-Sources-Benh-2.4.22-r6... Added in PPC-Sources-Crypto-2.4.20-r4... Added in PPC-Sources-Dev-2.4.24-r3... Added in PPC64-Sources-2.6.4-r1... Joker's added in SPARC-Sources 2.4.25-r1...
Added VServer-sources-2.4.25.1.3.8-r1...
WOLK-Sources 4.11-r2 and 4.9-r5 added...
GS-sources-2.4.25_pre7-r3 added... Tseng added Hardened-Dev-Sources 2.6.4-r4... UCLinux-Sources 2.4.24_p0-r1 and 2.6.5_p0-r1 added... Usermode-Sources 2.6.3-r2 and 2.4.24-r2 added... XFS-Sources 2.4.24-r4 added...
mips-sources and ck-sources had the wrong patch for 2.6 added (it was the mremap patch). ck-sources is apparently fixed, I just fixed mips-sources.
*** Bug 48050 has been marked as a duplicate of this bug. ***
FYI .. Patch causes problems for CD players both gnome and Kde based.. app will crash .. gnome CD player at least craches without killing the playing of the CD
For the sake of completeness, here is a vuln list for the kernel : * CAN-2004-0109 : Privilege escalation using ISO9660 file systems * CAN-2004-0133 : Information leak in the XFS code * CAN-2004-0177 : Information leak in the ext3 code * CAN-2004-0181 : Information leak in the JFS code * CAN-2004-0178 : Denial of service condition in the Sound Blaster driver * CAN-2004-0228 : Information leak in cpufreq userspace ioctl * CAN-2004-0229 : Vulnerability in fb_copy_cmap (framebuffer driver) [2.6] * CAN-2004-0394 : Buffer overflow in 2.4 kernel's panic() function [2.4] * CAN-2004-0424 : Integer overflow in code handling the MCAST_MSFILTER option There is also a "Memory leak in the do_fork() routine" which seems to have no CVE number. Given the broad range of vulns here, it may be a good idea to issue a partial GLSA with only available 2.4.26 / 2.6.4 versions (which I believe include all fixes), and take care of the patch backporting & testing next ? -K
what kernels *can* be patched? gentoo-dev-sources 2.6.4 and vanilla sources 2.4.26, presumably. What else? grsec-sources 2.4.26? gs-sources?
Anything can be patched, except the MCAST_MSFILTER, since I haven't had anybody who I know that uses it; thus I can't test the patch. If you find somebody that can be done as well.
If we can't test, then I think we should leave the MCAST_FILTER patch out and issue a GLSA for the others. We really need a GLSA out for the kernel asap. -K
*** Bug 48466 has been marked as a duplicate of this bug. ***
The remaining sources that are vulnerable are listed below; I've fixed everything else. Sources marked with "*" only need the CAN-2004-0394 patch applied; this can be found in aa-sources/files. Sources without an asterisk need patching for more things; please see comment #23. gentoo-dev-sources - johnm is absent; this needs bumping to 2.6.6 or patching. hardened-dev-sources - This also needs bumping to 2.6.6 or patching. openmosix-sources - Adding cluster@gentoo.org to CC. hardened-sources * - Adding hardened@gentoo.org to CC. hppa-sources * - Assigned to GMSoft; says it should be done in a day or two... pegasos-sources * - Adding dholm@gentoo.org to CC. selinux-sources * - Adding pebenito@gentoo.org to CC.
Alpha Team: You need to stable alpha-sources-2.4.21-r7 which solves the security issues mentioned in this bug. IA64 Team: You need to stable alpha-sources-2.4.24-r4 which solves the security issues mentioned in this bug. Thanks!
pegasos-sources-2.4.26 fixed
Marked alpha-sources-2.4.21-r7 stable.
hppa-sources-2.4.26_p4 include the fix
Cluster's fixed theirs; removing from CC.
selinux-sources fixed
hardened-dev-sources patchset updated to include relevant fixes.
GLSA 200407-02; http://article.gmane.org/gmane.linux.gentoo.announce/382; closing as FIXED.
