Buffer Overflow in ISO9660 File System Component of Linux Kernel

iDEFENSE Security Advisory 04.14.04

I. BACKGROUND

Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. The 'isofs' component of the Linux kernel mediates file system interactions with ISO-9660 format CD-ROMs.

II. DESCRIPTION

The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory. Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format.

The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or by attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local privilege elevation attacks.

The relevant functions are as follows:

fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()

There is no check that the total length of the symlink being read is less than the memory space that has been allocated for storing it. By supplying many CE (continuation) records, each with another SL (symlink) chunk, it is possible for an attacker to build an arbitrary length data structure in kernel memory space.

A proof of concept exploit has been written that allows a local user to gain root level access. It is also possible to cause execution of code with kernel privileges.

III. ANALYSIS

In order to exploit this vulnerability, an attacker must be able to mount a maliciously constructed file system. This may be accomplished by the following:

a. Having an account on the machine to be compromised and inserting a malformed disk. Some distributions allow local users to mount removable media without needing to be root, and with some configurations this happens automatically when a disk is inserted. The proof of concept exploit works from floppy disk as well as CD-ROM. If the attacker can reboot the machine from his or her own media, or supply command line options to the kernel during the initialization process after rebooting, exploiting this vulnerability may not be necessary to gain further access. In this situation, the attacker will not be able to directly access any encrypted file systems.

b. If encrypted virtual file systems are implemented, and the attacker gains access to an account able to mount one, then the attacker may be able to mount his or her own maliciously formed file system via the encryption interface. This would allow access to any already mounted file systems.

c. Being root already. If the attacker has already gained root, but the kernel has some form of patch preventing root from performing certain functions, he or she may still be able to mount a file system. As the vulnerability occurs in kernel space, it may be possible to neutralize those restrictions.

IV. DETECTION

The issue affects the 2.4.x, 2.5.x and 2.6.x kernels. Other kernel implementations may also be vulnerable.

V. WORKAROUNDS

Disable user mounting of removable media devices.

VI. VENDOR RESPONSE

Affected vendors have provided the following comments/patches:

Slackware

"Slackware will be waiting for a new upstream kernel version that will address this issue. None of our existing releases allow a non-root user to mount a CD-ROM, and the exploit requires physical access to the machine"

SUSE

"SUSE Security have published a SUSE Security Announcement at http://www.suse.de/security/ and update packages that fix the vulnerability. The update packages are available for download at ftp://ftp.suse.com/pub/suse/i386/update//rpm/i586/, but we encourage our users to make use of the YOU (Yast Online Update) utility for quick and secure installation of security updates."

Debian

http://www.security.debian.org/2004/dsa-479 alpha+ia32+powerpc
http://www.security.debian.org/2004/dsa-480 hppa
http://www.security.debian.org/2004/dsa-481 ia64
http://www.security.debian.org/2004/dsa-482 powerpc/apus
http://www.security.debian.org/2004/dsa-483 mips+mipsel

Mandrake Linux

MDKSA-2004:029
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0109 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

January 9, 2004     Exploit acquired by iDEFENSE
February 20, 2004   Initial vendor notification
February 20, 2004   iDEFENSE clients notified
April 14, 2004      Coordinated public disclosure

IX. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
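Editor's added example, not iDEFENSE's or the kernel's own code, illustrating the missing check described in section II: a simplified model of symlink assembly from Rock Ridge SL chunks in which the running length is compared against the destination buffer before each chunk is copied. The buffer size, the component strings and the function names are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the kernel's own code: a simplified model of how
 * get_symlink_chunk() assembles a symlink from Rock Ridge SL records.
 * Each SL chunk adds one path component; CE continuation records let a
 * crafted file system supply any number of chunks, so the running length
 * must be checked against the destination buffer (the pre-patch kernel
 * had no such check). */

#define SYMLINK_BUF 32  /* constructed small limit so the check is visible */

/* Append one component to dst, inserting '/' between components.
 * Returns the new length, or -1 if the component would not fit. */
static int append_component(char *dst, size_t cap, int len, const char *comp)
{
    size_t clen = strlen(comp);
    size_t need = (size_t)len + (len ? 1 : 0) + clen;
    if (need + 1 > cap)          /* +1 for the terminating NUL */
        return -1;
    if (len)
        dst[len++] = '/';
    memcpy(dst + len, comp, clen);
    len += (int)clen;
    dst[len] = '\0';
    return len;
}

/* Assemble a symlink target from n chunks into dst (cap bytes). Returns the
 * final length, or -1 if the chunks would overrun dst; on -1 dst holds a
 * NUL-terminated prefix and no byte past cap is ever written. */
int read_symlink(char *dst, size_t cap, const char **chunks, size_t n)
{
    int len = 0;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++)
        if ((len = append_component(dst, cap, len, chunks[i])) < 0)
            return -1;
    return len;
}
```

A chain of five 8-byte chunks (44 bytes with separators) against the 32-byte buffer is rejected after the third chunk instead of being written past the end, which is the behaviour the fixed kernel code needs and the vulnerable code lacked.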