BSD FireWire IOCTL Kernel Integer Overflow Information Disclosure

Summary

The FireWire device is enabled by default in the GENERIC kernel. It defines an ioctl function which can be called maliciously with a negative buffer length value. Because the value is negative it bypasses the length check and is then used in a copyout operation.

Credit:

For the original advisory, visit:
The information has been provided as part of MoKB, by: Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).


Details

Vulnerable Systems:
 * FreeBSD (all versions)
 * NetBSD (all versions)
 * DragonFly (all versions)
 * TrustedBSD* (all versions)

Description:
The FireWire device is enabled by default in the GENERIC kernel. It defines an ioctl function which can be called maliciously with a negative buffer length value. Because the value is negative it bypasses the length check and is then used in a copyout operation.

This is a kernel bug: the system can be compromised by local users and important system information can be disclosed (basically, a memory dump ;) ).

Patch Availability:
There is an unofficial patch released by the folks who released this advisory, at:
http://www.kernelhacking.com/bsdadv1.txt

Technical Details:
The FireWire interface can be tuned. It provides an ioctl function that receives many parameters which can be changed.

The following code fragment is from the fw_ioctl function in FreeBSD's dev/firewire/fwdev.c and DragonFlyBSD's bus/firewire/fwdev.c, and from the FW_IOCTL function in NetBSD's dev/ieee1394/fwdev.c:

    if (crom_buf->len < len)        /* crom_buf->len is a signed value supplied by the caller */
        len = crom_buf->len;        /* a negative value is "less than" len and is kept as-is */
    else
        crom_buf->len = len;

    err = copyout(ptr, crom_buf->ptr, len);   /* len is converted to size_t here */

We control crom_buf->len (it is passed as an argument to the ioctl function), so passing a negative value bypasses this if statement: our value is smaller than the default one, so len is set to the negative value.

So our value is used in the copyout function. ptr is defined before this copyout as:

    if (fwdev == NULL) {
        …
        ptr = malloc(CROMSIZE, M_FW, M_WAITOK);   /* freshly allocated kernel buffer */
        …
    } else {
        ptr = (void *)&fwdev->csrrom[0];           /* device's CSR ROM inside the kernel */
        …
    }

This information disclosure lets an attacker dump all of system memory.
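The following is an added user-space example, not the advisory's patch or the driver's code, reproducing the signed length clamp from the fragment above beside a hardened variant that rejects negative requests before they reach copyout. The CROMSIZE value, the struct and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's config-ROM size. */
#define CROMSIZE 1024

/* Hypothetical mirror of the ioctl argument: len is a signed int supplied
 * by the caller, ptr the user buffer that copyout() writes to. */
struct crom_buf {
    int   len;
    void *ptr;
};

/* The vulnerable clamp from the advisory. A negative crom_buf->len is
 * "less than" the kernel's len, survives the check unchanged, and becomes
 * a huge size_t when passed to copyout(). Returns what copyout() receives. */
size_t vulnerable_copy_len(int user_len, int len)
{
    struct crom_buf buf = { user_len, NULL };
    struct crom_buf *crom_buf = &buf;

    if (crom_buf->len < len)
        len = crom_buf->len;
    else
        crom_buf->len = len;

    return (size_t)len;     /* copyout(ptr, crom_buf->ptr, len) takes size_t */
}

/* Hardened clamp: refuse negative requests up front, so the count handed to
 * copyout() is always within [0, len]. Returns the byte count, or -EINVAL. */
long hardened_copy_len(int user_len, int len)
{
    struct crom_buf buf = { user_len, NULL };
    struct crom_buf *crom_buf = &buf;

    if (crom_buf->len < 0)
        return -EINVAL;
    if (crom_buf->len < len)
        len = crom_buf->len;
    else
        crom_buf->len = len;

    return len;
}

int main(void)
{
    printf("vulnerable, len=-1: %zu bytes to copyout()\n", vulnerable_copy_len(-1, CROMSIZE));
    printf("hardened,   len=-1: %ld (EINVAL)\n", hardened_copy_len(-1, CROMSIZE));
    return 0;
}
```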

Categories: UNIX