Linux Kernel ISO9660 Buffer Overflow Privilege Escalation Vulnerability
Date: 15 April 2004 Security Alert ID: 1007776 Overview: Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License , the source code for Linux is freely available to everyone. Description: A vulnerability in the Linux kernel has been discovered, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system and may allow arbitrary code execution with root or kernel level privileges. The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory. Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks. The relevant functions are as follows: fs/isofs/rock.c: rock_ridge_symlink_readpage() fs/isofs/rock.c: get_symlink_chunk() There is no checking that the total length of the symlink being read is less than the memory space that has been allocated for storing it. By supplying many CE (continuation) records, each with another SL (symlink) chunk, it is possible for an attacker to build an arbitrary length data structure in kernel memory space. Affected: 2.4.x, 2.5.x, and 2.6.x kernel branches. Solution: Update to Linux kernel versions 2.4.26 and 2.6.6-rc1. http://kernel.org/ ����� ��� ..... ============================================================================ A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers). http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html ============================================================================
