PDA

View Full Version : [sicurezza, kernel] Falla nella gestione del file system iso9660 (<=2.6.11)


RaouL_BennetH
22-03-2005, 00:18
In un altro forum , ho trovato questo link in cui si spiega che inserendo un cd con codice malevolo a bordo, non c'è bisogno ne di montarlo ne di essere root per rovinare il sistema. Purtroppo l'articolo è in tedesco:

http://www.heise.de/newsticker/meldung/57753

LukeHack
22-03-2005, 00:43
pare che il cd cmq debba essere montato...
leggiamo qui:

There appears to be a fair number of kernel-level range checking flaws in
ISO9660 filesystem handler (and Rock Ridge / Juliet extensions) in Linux
up to and including 2.6.11. These bugs range from DoS conditions to
potentially exploitable memory corruption - all this whenever a specially
crafted filesystem is mounted or directories are examined.

Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show
up by tomorrow or so), although, as per Linus words, "that code is
horrid", and it may take some time to work out all the issues.

The impact is not dramatic, but there are two obvious ways such flaws can
be used to benefit remote attackers:

1) Bugs in removable media filesystems may be used to automatically
compromise any system whose owner decided to examine a newly acquired
CD-ROM, even if extreme caution is observed (that is, autorun is
disabled, and no files are executed).

2) For all types of filesystems, such problems can be additionally used
to subvert forensic analysis efforts. Disk images from compromised
machine may infect forensic examiner's system and alter results,
or simply render the machine unusable.

Attached is a trivial fuzz script that can be used to test fs drivers
against most obvious fault conditions. With little effort, it can be
further altered to test filesystems other than ISO9660, and OSes other
than Linux.

Regards,
Michal Zalewski

Obligatory plug: http://lcamtuf.coredump.cx/silence/

#!/bin/bash

cd /tmp || exit 1

echo ' Compiling mangler...'

cat >mangle.c <<_EOF_
char buf[10240];
main() {
int i,x;
srand(time(0) ^ getpid());
while ( (i = read(0,buf,sizeof(buf))) > 0) {
x = rand() % (i/20);
while (x--) buf[rand() % i] = rand();
write(1,buf,i);
}
}
_EOF_

gcc -O3 mangle.c -o mangle || exit 1
rm -f mangle.c

echo ' Preparing ISO master (feel free to alter this code)...'

mkdir cd_dir || exit 1
cd cd_dir

CNT=0
while [ "$CNT" -lt "200" ]; do
mkdir A; cd A
CNT=$[CNT+1]
done

cd /tmp/cd_dir

A=`perl -e '{print "A"x255}' 2>/dev/null`
CNT=0
while [ "$CNT" -lt "3" ]; do
mkdir "$A"; cd "$A"
CNT=$[CNT+1]
done

cd /tmp

echo ' Creating image (alter filesystem or parameters as needed)...'

mkisofs -U -R -J -o cd.iso cd_dir 2>/dev/null || exit 1
rm -rf cd_dir

echo ' STRESS TEST PHASE...'

while :; do
DIR="/tmp/cdtest-$$-$RANDOM"
mkdir "$DIR"
dmesg -c 2>/dev/null
cat cd.iso | ./mangle >cd_mod.iso
mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null
# ls -lAR "$DIR" - Uncomment if you like when it HURTS...
umount "$DIR" 2>/dev/null
rm -rf "$DIR" 2>/dev/null
FAULT=`dmesg | grep -Ei 'oops|unable to handle'`
test "$FAULT" = "" || break
done

dmesg | tail -30

echo '[+] Something found (/tmp/cd-mod.iso)...'

rm -f cd.iso mangle
exit 0

ilsensine
22-03-2005, 07:58
Sposto nella sezione news

RaouL_BennetH
22-03-2005, 11:35
Originariamente inviato da ilsensine
Sposto nella sezione news

Scusa ilsensine, ieri sera quando l'ho postato ero convinto di farlo nella sezione delle news, ma ero così:

:coffee:

ilsensine
22-03-2005, 12:08
Alcune fix preliminari sono già presenti in 2.6.12-rc1.