Date: Thu, 17 Mar 2005 22:36:45 +0100 (CET)
From: Michal Zalewski <lcamtuf@dione.ids.pl.>
To: [email protected], [email protected]
Subject: Linux ISO9660 handling flaws
Message-ID: <Pine.LNX.4.58.0503170014500.29657@dione.>
Good morning,
There appears to be a fair number of kernel-level range checking flaws in
the ISO9660 filesystem handler (and Rock Ridge / Joliet extensions) in Linux
up to and including 2.6.11. These bugs range from DoS conditions to
potentially exploitable memory corruption - all this whenever a specially
crafted filesystem is mounted or its directories are examined.
Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show
up by tomorrow or so), although, in Linus' words, "that code is
horrid", and it may take some time to work out all the issues.
The impact is not dramatic, but there are two obvious ways such flaws can
be used to benefit remote attackers:
1) Bugs in removable media filesystems may be used to automatically
compromise any system whose owner decided to examine a newly acquired
CD-ROM, even if extreme caution is observed (that is, autorun is
disabled, and no files are executed).
2) For all types of filesystems, such problems can additionally be used
to subvert forensic analysis efforts. Disk images from a compromised
machine may infect the forensic examiner's system and alter results,
or simply render the machine unusable.
Attached is a trivial fuzz script that can be used to test fs drivers
against most obvious fault conditions. With little effort, it can be
further altered to test filesystems other than ISO9660, and OSes other
than Linux.
Regards,
Michal Zalewski
Obligatory plug: http://lcamtuf.coredump.cx/silence/
[Attachment: cdmangle (the fuzz script mentioned above); its contents are not included in this copy.]
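The test-by-mutation approach the message describes, as an added example that is not the attached cdmangle script and not kernel code: a small Python parser for ISO9660 directory records that applies the kind of range checks the message says the kernel driver lacked (record length against the sector, identifier length against the record, extent against the volume, agreement of the both-endian copies), plus a dumb mutation loop that feeds it corrupted copies of a constructed root directory sector and treats anything other than a clean `ValueError` as a parser bug. The record layout follows ECMA-119; the sector contents, extents, file names and the `image_sectors` volume size are constructed test data, and `parse_directory_sector`, `fuzz_parser` and `rejects` are names chosen here.

```python
import random
import struct

SECTOR = 2048        # ISO9660 logical sector size
REC_HEADER = 33      # fixed part of a directory record, before the file identifier


def both_endian32(v):
    # ISO9660 stores many fields twice: little-endian first, then big-endian
    return struct.pack("<I", v) + struct.pack(">I", v)


def both_endian16(v):
    return struct.pack("<H", v) + struct.pack(">H", v)


def make_record(name, extent, size, flags=0):
    """Build one directory record (constructed test data; no Rock Ridge / Joliet fields)."""
    ident = name.encode("ascii")
    body = (
        b"\x00"                   # extended attribute record length
        + both_endian32(extent)   # location of extent (sector number)
        + both_endian32(size)     # data length in bytes
        + bytes(7)                # recording date and time
        + bytes([flags])          # file flags (bit 1 = directory)
        + b"\x00\x00"             # file unit size, interleave gap size
        + both_endian16(1)        # volume sequence number
        + bytes([len(ident)])     # length of file identifier
        + ident
    )
    if len(ident) % 2 == 0:
        body += b"\x00"           # pad so the record length is even
    return bytes([len(body) + 1]) + body


def make_sector(records):
    """Pack records into one zero-filled sector (a zero length byte terminates the list)."""
    data = b"".join(records)
    if len(data) > SECTOR:
        raise ValueError("records do not fit in one sector")
    return data + bytes(SECTOR - len(data))


def parse_directory_sector(sector, image_sectors):
    """Walk the records of a directory sector, checking every length against its container.

    Raises ValueError for anything inconsistent and never indexes past the buffer.
    """
    if len(sector) != SECTOR:
        raise ValueError("unexpected sector size")
    entries = []
    off = 0
    while off < SECTOR:
        rec_len = sector[off]
        if rec_len == 0:
            break                                   # end of records in this sector
        if rec_len < REC_HEADER or off + rec_len > SECTOR:
            raise ValueError(f"record length {rec_len} at {off} out of range")
        name_len = sector[off + 32]
        if REC_HEADER + name_len > rec_len:
            raise ValueError(f"identifier length {name_len} at {off} exceeds record")
        extent_le = struct.unpack_from("<I", sector, off + 2)[0]
        extent_be = struct.unpack_from(">I", sector, off + 6)[0]
        size_le = struct.unpack_from("<I", sector, off + 10)[0]
        size_be = struct.unpack_from(">I", sector, off + 14)[0]
        if extent_le != extent_be or size_le != size_be:
            raise ValueError(f"both-endian fields disagree at {off}")   # corrupted or crafted image
        needed = (size_le + SECTOR - 1) // SECTOR
        if extent_le + needed > image_sectors:
            raise ValueError(f"extent at {off} points outside the volume")
        raw = sector[off + 33: off + 33 + name_len]
        name = {b"\x00": ".", b"\x01": ".."}.get(raw, raw.decode("ascii", "replace"))
        entries.append({"name": name, "extent": extent_le, "size": size_le,
                        "is_dir": bool(sector[off + 25] & 2)})
        off += rec_len
    return entries


def rejects(sector, image_sectors=64):
    """True if the parser refuses the sector with a clean ValueError."""
    try:
        parse_directory_sector(sector, image_sectors)
    except ValueError:
        return True
    return False


def mutate(data, rng, region, n_flips):
    """Overwrite n_flips random bytes inside data[:region] (plain dumb mutation)."""
    buf = bytearray(data)
    for _ in range(n_flips):
        buf[rng.randrange(region)] = rng.randrange(256)
    return bytes(buf)


def fuzz_parser(sector, region, iterations=2000, seed=1, image_sectors=64):
    """Feed mutated sectors to the parser and count outcomes.  ValueError is the only
    acceptable failure; IndexError, struct.error or anything else is a parser bug and propagates."""
    rng = random.Random(seed)
    accepted = rejected = 0
    for _ in range(iterations):
        sample = mutate(sector, rng, region, rng.randint(1, 4))
        try:
            parse_directory_sector(sample, image_sectors)
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected


# Constructed root directory: ".", "..", one file, one subdirectory (extents are made up).
ROOT_RECORDS = [
    make_record("\x00", 18, SECTOR, flags=2),
    make_record("\x01", 18, SECTOR, flags=2),
    make_record("README.TXT;1", 20, 1300),
    make_record("DOCS", 21, SECTOR, flags=2),
]
ROOT_SECTOR = make_sector(ROOT_RECORDS)
ROOT_REGION = len(b"".join(ROOT_RECORDS))   # mutate only the bytes that carry records

if __name__ == "__main__":
    for entry in parse_directory_sector(ROOT_SECTOR, image_sectors=64):
        print(entry)
    print("fuzz accepted/rejected:", fuzz_parser(ROOT_SECTOR, ROOT_REGION))
```

The mutation loop is deliberately confined to the bytes that hold records, since flips into the zero padding after the terminator would never be reached by the parser; the same idea applied to a real image (mutate, mount, inspect, unmount) is what the message's attached script automates, with the kernel driver in the role of the parser.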