MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

Similar documents
MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010

MWR InfoSecurity Security Advisory. Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow. 23 rd June 2010

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010

MWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016

SA30228 / CVE

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

Microsoft Office Protected-View Out-Of- Bound Array Access

Buffer overflow background

MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab

Microsoft Office Protected-View Out-Of- Bound Array Access

CVE :

Virtualised USB Fuzzing using QEMU and Scapy

Buffer Overflows Defending against arbitrary code insertion and execution

Exploit Mitigation - PIE

Exploiting USB/IP in Linux

Remote Buffer Overflow Exploits

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Malware

Triconex TriStation Emulator Denial of Service

QSEE TrustZone Kernel Integer Overflow Vulnerability

Analysis of MS Multiple Excel Vulnerabilities

CSC 405 Computer Security Stack Canaries & ASLR

CSE 565 Computer Security Fall 2018

CODEBLUE Takahiro Matsuki (FFRI) Dennis Kengo Oka (ETAS)

Understand USB (in Linux)

20: Exploits and Containment

IOActive Security Advisory

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Security Advisory. Network Time Protocol Vulnerabilities

Software Security: Buffer Overflow Attacks

Microsoft Office CTaskSymbol Use- After-Free Vulnerability

Secureworks Security Advisory Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers

Brocade FOS Release v6.2.2f9 Internal Content Notes

Keeping customer data safe in EC2 a deep dive. Martin Pohlack Amazon Web Services

Synology Security Whitepaper

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Software Security: Buffer Overflow Defenses

Offensive Security My First Buffer Overflow: Tutorial

RINGDALE USB (UNIVERSAL SERIAL BUS) HID RELAY CONTROLLER (1543)

Lecture 08 Control-flow Hijacking Defenses

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

Emulating USB Device Firmware Update

CMPSC 497 Buffer Overflow Vulnerabilities

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Software Security: Buffer Overflow Attacks (continued)

ECE 471 Embedded Systems Lecture 22

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

A Hardware-Assisted Virtualization Based Approach on How to Protect the Kernel Space from Malicious Actions

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer-Overflow Attacks on the Stack

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Fundamentals of Computer Security

Future Technology Devices International Ltd. Application Note AN_168. Vinculum-II USB Slave. Customizing an FT232 Device

MediaTek Log Filtering Driver Information Disclosure

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

Operating System Security

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Memory Safety (cont d) Software Security

UC20 WinCE USB Driver

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Buffer-Overflow Attacks on the Stack

CS 161 Computer Security

Is stack overflow still a problem?

Qemu code fault automatic discovery with symbolic search. Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel

Ruckus Wireless Security Advisory ID FAQ

CrashOS: Hypervisor testing tool

ISA564 SECURITY LAB. Code Injection Attacks

Shellbased Wargaming

KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features. WANG, YONG a.k.a. Pandora Lab of Ali Security

Sense of Security Security Advisory SOS Cisco TelePresence Multiple Vulnerabilities. 19 September 2011.

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Return-Oriented Rootkits

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Lecture 4 September Required reading materials for this class

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Program Security and Vulnerabilities Class 2

Transcription:

Contents MWR InfoSecurity Security Advisory Linux USB Device Driver - Buffer Overflow 29 th October 2009 2009-10-29 Page 1 of 8

Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Technical Background... 4 1.2 Vulnerability Details... 4 1.3 Dependencies... 5 2 Proof of Concept... 6 2.1 Environment... 6 2.2 Malicious Qemu USB Device... 6 2.3 Device Emulation... 7 3 Recommendations... 7 4 References... 7 5 Acknowledgement... 7 2009-10-29 Page 2 of 8

Linux USB Device Driver - Buffer Overflow Linux USB Device Driver - Buffer Overflow Package Name: Auerswald Linux USB Device Driver Date Discovered: October 2008 Affected Versions: Confirmed in Linux Kernel 2.6.26 (Driver included by default) CVE Reference Author Severity Local/Remote Vulnerability Class Vendor Vendor Informed Timeline CVE-2009-4067 R. Dominguez Vega High Risk Local with physical access required Buffer Overflow Linux Kernel This issue was discussed with the Linux Kernel Security Team via email (security@kernel.org): - Vendor first contacted - 14/09/2009 Vulnerability details provided - 19/09/2009 Vendor responded - 19/09/2009 Vendor Response The vendor did not supply a fix but instead recommended that users should upgrade to the latest stable Linux kernel version. Overview: The Auerswald Linux USB device driver is used to allow compability of an Auerswald PBX/System telephone with Linux Operating Systems via the USB port. This device driver is vulnerable to a buffer overflow which could be exploited by an attacker with physical access to the system. This vulnerability could be exploited in order to execute arbitrary code on the target system. Impact: The vulnerability would enable an attacker to execute arbitrary code on the target system at the kernel level. This could allow full control to be gained over the system. Cause: A buffer overflow vulnerability has been identified in the code handling the USB string descriptors. This vulnerability is associated with the memory for the element dev_desc of the USB device context structure and could result in the overwriting of other elements of the structure. Solution: Remove the Auerswald USB device driver from your kernel or upgrade to the latest stable Linux kernel version. 2009-10-29 Page 3 of 8

Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Technical Background In information technology, Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer. USB was designed to allow many peripherals to be connected using a single standardized interface socket and to improve plug and play capabilities by allowing hot swapping; that is, by allowing devices to be connected and disconnected without rebooting the computer or turning off the device. [1] 1.2 Vulnerability Details A vulnerability was identified in the code responsible for handling the USB string descriptors, such that an attacker could bypass the validation length check for the element dev_desc of the USB device context structure, used for storing the USB textual description; therefore allowing the overwrite of other elements of the structure. The auerswald_probe function is called when a new device is attached to the bus and is responsible for the handling of the USB string descriptors in which specific parameters (such as the device name, serial number and manufacturer name) from the device are passed to the host computer. The vulnerability results from the following code: [2] /* Try to get a suitable textual description of the device */ /* Device name:*/ ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); if (ret >= 0) { u += ret; /* Append Serial Number */ memcpy(&cp->dev_desc[u],,ser#, 6); u += 6; ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); if (ret >= 0) { u += ret; /* Append subscriber number */ memcpy(&cp->dev_desc[u],,, 2); u += 2; ret = usb_string( cp->usbdev, AUSI_MSN, &cp->dev_desc[u], AUSI_DLEN-u-1); if (ret >= 0) { u += ret; } } } It is possible to overflow the buffer assigned to the element dev_desc[ausi_dlen] ; belonging to the USB device context structure. The element dev_desc is of type char and AUSI_DLEN delimits the maximum length of the device descriptor and is set to 100. An attacker could craft a large answer to the request for AUSI_DEVICE (name of device) in order to produce a condition where u was much greater than "AUSI_DLEN - 1" such that "AUSI_DLEN - u - 1" was a large, negative number. As the argument to usb_string () is unsigned this would result in a very large value. Consequently, this would allow an attacker to write a certain amount of arbitrary data to the static sized buffer dev_desc. 2009-10-29 Page 4 of 8

Detailed Vulnerability Description Overflowing this buffer would allow other elements of the structure to be overwritten, such as maxcontrollength, inturbp and intbufp. This could allow an attacker to gain control of the EIP register and so, potentially, to execute arbitrary code under the context of the system kernel. 1.3 Dependencies In order to successfully exploit the vulnerability described in this advisory, an attacker would need to have physical access to the affected system in order to be able to plug in a malicious USB device. Alternatively, an attacker would require sufficient access to a system to emulate a malicious USB device. 2009-10-29 Page 5 of 8

Proof of Concept 2 Proof of Concept Proof of concept details are provided in this document in order to reproduce the kernel bug identified and facilitate its resolution. 2.1 Environment Qemu will be used for the environment set up [3]. Qemu is a generic open source machine emulator and virtualizer, which allows the emulation of USB devices from the Host system to the Guest System. In this set up, the Host system will be the attacker and will be emulating the Auerswald USB device that will be inserted into the target (the Guest system) which is running a Linux based OS with the Auerswald USB driver compiled within it. The diagram below illustrates the environment used to reproduce the identified kernel bug:- 2.2 Malicious Qemu USB Device The malicious USB device used to trigger the vulnerability in the Auerswald USB driver should be programmed before compiling Qemu in the environment. For this proof of concept illustration, one of the USB device emulators provided by Qemu will be used to contain the malicious data that will trigger this bug. In this example, the usb-wacom.c [4] in Qemu will be modified. First of all, the idvendor and idproduct will be modified with the following code, in order for the Auerswald driver to be called when the USB device is emulated. 0x00, /* u8 bdeviceprotocol; [ low/full speeds only ] */ 0x08, /* u8 bmaxpacketsize0; 8 Bytes */ 0xbf, 0x09, /* u16 idvendor; */ 0xc0, 0x00, /* u16 idproduct; */ 0x10, 0x42, /* u16 bcddevice */ Then the data that will cause the buffer overflow and the kernel crash to occur will be added. case 1: /* serial number */ ret = set_usb_string(data, ); break; case 2: ret = set_usb_string(data, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA ); 2009-10-29 Page 6 of 8

Recommendations 2.3 Device Emulation Once the malicious USB device has been programmed, Qemu successfully compiled and the Guest system has been started up; the Auerswald device can be emulated. The Qemu Guest system control console can be accessed by pressing Ctrl+Alt+2, and the device is emulated by entering the following in the console: - usb_add wacom-tablet The USB device will be emulated and the bug triggered causing a segmentation fault and kernel crash. 3 Recommendations Remove the Auerswald USB device driver from your kernel or upgrade to the latest stable and secure Linux kernel version. 4 References [1] Universal Serial Bus http://en.wikipedia.org/wiki/usb [2] Qemu http://www.qemu.org [3] Auerswald PBX/System Telephone USB driver by Wolfgang (auerswald.c) [4] Wacom PenPartner USB tablet emulation by Andrzej Zaborowski (usb-wacom.c) 5 Acknowledgement This research has been conducted in partnership with VulnDev Ltd. 2009-10-29 Page 7 of 8

Linux USB MWR Device InfoSecurity Driver - Buffer Overflow St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0)1256 300920 Fax: +44 (0)1256 844083 mwrinfosecurity.com 2009-10-29 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback