what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

freebsd-firewire.txt

freebsd-firewire.txt
Posted Nov 16, 2006
Authored by Rodrigo Rubira Branco | Site kernelhacking.com

The Firewire device enabled by default in the GENERIC kernel for FreeBSD defines an IOCTL function which can be malicious called passing a negative buffer length value. This value will bypass the length check (because the value is negative) and will be used in a copyout operation. This is a kernel bug and the system can be compromised by local users and important system information can be disclosed.

tags | advisory, kernel, local
systems | freebsd
SHA-256 | 82423b755e39255304cd291c2c1e57430c3c394fcfe1bff6e87af69b61b6bb54

freebsd-firewire.txt

Change Mirror Download
FreeBSD all versions FireWire IOCTL kernel integer overflow information disclousure
11/15/2006

Notice
===================
This bug has been specially discovered for the Month of Kernel Bugs and to
the Hackers to Hackers Conference III (http://www.h2hc.org.br/en/).


Summary
===================

Firewire device is enabled by default in the GENERIC kernel. It defines
an IOCTL function which can be malicious called passing a negative buffer
lenght value. This value will bypass the lenght check (because the value
is negative) and will be used in a copyout operation.

Systems Affected
===================

FreeBSD all versions
NetBSD all versions
DragonFly all versions
TrustedBSD* all versions

Impact
===================

This is a kernel bug and the system can be compromised by local users and
important system informations can be discloused (basically, a mem dump ;) )

Explanation
===================

Firewire interface can be tunned. It provides an ioctl function receiving
many parameters that can be changed.

The follow is a code fragment from (FreeBSD - dev/firewire/fwdev.c (fw_ioctl function) || DragonFlyBSD bus/firewire/fwdev.c (fw_ioctl function) || NetBSD - dev/ieee1394/fwdev.c (FW_IOCTL function)) file:

if (crom_buf->len < len)
len = crom_buf->len;
else
crom_buf->len = len;

err = copyout(ptr, crom_buf->ptr, len);

We control the crom_buf->len (it's passed as argument to the ioctl function)
so, passing it as a negative value will bypass this if statement (our value
is minor than the default one).

So, our value is used in a copyout function. ptr is defined before this
copyout as:
if ( fwdev == NULL ) {
...
ptr = malloc(CROMSIZE, M_FW, M_WAITOK);
...
} else {
ptr = (void *)&fwdev->csrrom[0];
...
}

This information disclousure lead an attacker dump all the system memory.

Solution
===================

Attached in this advisory a patch for the FreeBSD 5.5 (it's pretty simple, so, just need to be little changed to the other BSD's)

Timelife
===================

11/15/2006 - Advisory Public Disclousure (sorry for the developers, but we
are just respecting the Month of Kernel Bugs Timelife)

Acknowledgments
===================

Filipe Balestra <filipe@balestra.com.br> and Rodrigo Rubira Branco
(BSDaemon) <rodrigo@kernelhacking.com> for the discovering, analysis
and patch.

Contact Information
===================

You can reach the authors of this advisory by mail or visiting some
websites:
http://www.balestra.com.br -> Personal Website of Filipe
http://www.risesecurity.org -> RISE Security Research (Rodrigo is member of the RISE Security Team)
http://www.kernelhacking.com/rodrigo -> Personal Website of Rodrigo

References
===================

http://www.kernelhacking.com/bsdadv1.txt -> Actual version of the advisory
http://www.risesecurity.org/RISE-2006002.txt -> Related issue

Disclaimer (taken from teso-team)
===================

This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.

This advisory is free for open distribution in unmodified form.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close