eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability
Source: geinblues *nospam* gmail dot com   Author: x90c   Published: 2013-11-06
+--------------------------------------------------------------------------------------------+
| XADV-2013003 Linux Kernel eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability   |
+--------------------------------------------------------------------------------------------+
  
 Vulnerable versions:
 - linux kernel 2.6.18
  
 Testbed: linux kernel 2.6.18
 Type: Local
 Impact: kernel panic or potential local privilege escalation.
 Author: x90c <geinblues *nospam* gmail dot com>
 Site: x90c.org
  
  
=========
ABSTRACT:
=========
  
The write_tag_3_packet() function in the Linux kernel eCryptfs file system is vulnerable to a
heap buffer overflow. It leads to a kernel panic and potentially to privilege escalation. The
vulnerability occurs because the length variable passed to the memory copy in the vulnerable
function is never checked.
  
  
=========
DETAILS:
=========
  
ecryptfs_create() in ecryptfs/inode.c is called when a directory is created in the eCryptfs
file system. After ecryptfs_create() is called, execution eventually reaches the vulnerable
memcpy in the vulnerable function write_tag_3_packet().
  
  
  
[write_tag_3_packet() in ecryptfs/keystore.c]:
----
..

    } else /* else branch: not the aes / 24-byte key size case */
        auth_tok->session_key.encrypted_key_size = crypt_stat->key_size; /* (1) */

    key_rec->enc_key_size =  /* (2) */
        auth_tok->session_key.encrypted_key_size;

    /* vulnerable point (2nd and 3rd arguments user controllable) */
    memcpy(key_rec->enc_key, auth_tok->session_key.encrypted_key, key_rec->enc_key_size);

..
----
  
  
  
Looking at the vulnerable point, key_rec->enc_key_size is a user-controllable variable.
(1) stores crypt_stat->key_size in auth_tok->session_key.encrypted_key_size, and (2)
stores auth_tok->session_key.encrypted_key_size in key_rec->enc_key_size.
In other words, crypt_stat->key_size flows into key_rec->enc_key_size, the user-controllable
length used at the vulnerable point.

The vulnerable point is entered through the else branch: no aes, and not the 0/24 key size case.

If crypt_stat->key_size can be controlled, this leads to the heap buffer overflow.
First, look at the call path from ecryptfs_create() in ecryptfs/inode.c to the vulnerable point.
  
  
  
[call path to the vulnerable point]
----
ecryptfs/inode.c::ecryptfs_create()
    +-> ecryptfs/inode.c::ecryptfs_initialize_file()
    |   -> ecryptfs/crypto.c::ecryptfs_new_file_context()
    |
    +-> ecryptfs/inode.c::ecryptfs_write_metadata()
        -> ecryptfs/crypto.c::ecryptfs_write_headers_virt()
           -> ecryptfs/keystore.c::ecryptfs_generate_key_packet_set()
              -> ecryptfs/keystore.c::write_tag_3_packet() (vulnerable function)
                 -> memcpy(key_rec->enc_key,  /* vulnerable point */
                           auth_tok->session_key.encrypted_key,
                           key_rec->enc_key_size); // XXX user-controllable key_rec->enc_key_size!
----
  
  
  
ecryptfs_initialize_file() in ecryptfs/inode.c sets crypt_stat->key_size from a value passed
to the kernel through the mount options: ecryptfs_new_file_context() stores
mount_crypt_stat->global_default_cipher_key_size in crypt_stat->key_size.
That global_default_cipher_key_size is the variable that can be controlled when the mount
options are parsed.
  
  
  
[ecryptfs/crypto.c]:
----
int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry)
{
..
  
   crypt_stat->key_size =
        mount_crypt_stat->global_default_cipher_key_size;
  
..
  
----
  
  
  
mount_crypt_stat->global_default_cipher_key_size can be set while parsing the
'ecryptfs_opt_ecryptfs_key_bytes' option (a user-controllable variable).
  
  
  
  
[ecryptfs/main.c]:
----
static int ecryptfs_parse_options(struct super_block *sb, char *options)
{
..
  
  
     case ecryptfs_opt_ecryptfs_key_bytes:
            cipher_key_bytes_src = args[0].from;
            cipher_key_bytes =
                (int)simple_strtol(cipher_key_bytes_src,
                           &cipher_key_bytes_src, 0);
            mount_crypt_stat->global_default_cipher_key_size =
                cipher_key_bytes;
            ecryptfs_printk(KERN_DEBUG,
                    "The mount_crypt_stat "
                    "global_default_cipher_key_size "
                    "set to: [%d]\n", mount_crypt_stat->
                    global_default_cipher_key_size);
            cipher_key_bytes_set = 1;
            break;
----
  
  
  
The memcpy copy size at the vulnerable point can therefore be set by a user-controllable
variable via the 'ecryptfs_opt_ecryptfs_key_bytes' mount option.
  
  
  
----
  
      /* vulnerable point */
      memcpy(key_rec->enc_key, auth_tok->session_key.encrypted_key, key_rec->enc_key_size);
  
----
  
  
  
The second argument can also be user controllable; this advisory only notes it in the comment.

heap buffer overflow!
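As an added illustration (not kernel code and not from the advisory), the following user-space model follows the chain described above, from the ecryptfs_key_bytes mount-option value to the memcpy length, and adds the two length checks that the advisory says are missing: rejecting an option value that cannot fit the destination, and bounding the copy by the size of key_rec->enc_key. The struct layout, the 64-byte buffer size and the function names are assumptions for illustration.

```c
/* Added example (not kernel code): a user-space model of the eCryptfs chain
 * mount option -> global_default_cipher_key_size -> key_rec->enc_key_size ->
 * memcpy length, with the length checks the advisory says are absent.
 * Struct layout, buffer size and function names are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ENC_KEY_BYTES 64   /* assumed fixed size of key_rec->enc_key */

struct session_key {
    size_t encrypted_key_size;
    unsigned char encrypted_key[ENC_KEY_BYTES];
};

struct key_rec {
    size_t enc_key_size;
    unsigned char enc_key[ENC_KEY_BYTES];
};

/* Parse the ecryptfs_key_bytes option value the way simple_strtol(..., 0)
 * would (decimal, 0x hex or leading-0 octal), then reject anything that is
 * not a positive byte count within max_bytes. Returns the size or -EINVAL. */
long parse_key_bytes(const char *src, size_t max_bytes)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(src, &end, 0);
    if (errno != 0 || end == src || *end != '\0')
        return -EINVAL;                  /* not a number, or trailing junk */
    if (v <= 0 || (unsigned long)v > max_bytes)
        return -EINVAL;                  /* would not fit enc_key */
    return v;
}

/* The copy from write_tag_3_packet(), guarded by the destination size instead
 * of trusting the caller-supplied length. Returns 0 or -EINVAL. */
int copy_enc_key(struct key_rec *rec, const struct session_key *sk)
{
    if (sk->encrypted_key_size > sizeof(rec->enc_key))
        return -EINVAL;                  /* the check missing at the vulnerable point */
    rec->enc_key_size = sk->encrypted_key_size;
    memcpy(rec->enc_key, sk->encrypted_key, rec->enc_key_size);
    return 0;
}
```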

 