BSD FireWire IOCTL Kernel Integer Overflow Information Disclosure
16 Nov. 2006
Summary
The Firewire device is enabled by default in the GENERIC kernel. It defines an IOCTL function which can be maliciously called by passing a negative buffer length value. This value bypasses the length check (because the value is negative) and is then used in a copyout operation.
Credit:
For the original advisory, visit:
The information has been provided as part of MoKB, by: Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).
Description:
The Firewire device is enabled by default in the GENERIC kernel. It defines an IOCTL function which can be maliciously called by passing a negative buffer length value. This value bypasses the length check (because the value is negative) and is then used in a copyout operation.
This is a kernel bug: the system can be compromised by local users and important system information can be disclosed (basically, a memory dump ;) ).
Technical Details:
The Firewire interface can be tuned. It provides an ioctl function that receives many parameters which can be changed.
The following is a code fragment from the fw_ioctl function in FreeBSD dev/firewire/fwdev.c (the same code appears in DragonFlyBSD bus/firewire/fwdev.c, fw_ioctl function, and in NetBSD dev/ieee1394/fwdev.c, FW_IOCTL function):
    /* signed comparison: a negative crom_buf->len passes this check */
    if (crom_buf->len < len)
        len = crom_buf->len;
    else
        crom_buf->len = len;
    /* len is handed to copyout, which takes an unsigned length */
    err = copyout(ptr, crom_buf->ptr, len);
We control crom_buf->len (it is passed as an argument to the ioctl function), so passing a negative value bypasses this if statement (our value is smaller than the default one).
So our value is used in the copyout function, whose length parameter is an unsigned size_t; the negative value therefore becomes a very large copy length. ptr is defined before this copyout as:
    if (fwdev == NULL) {
        ...
        ptr = malloc(CROMSIZE, M_FW, M_WAITOK);
        ...
    } else {
        ptr = (void *)&fwdev->csrrom[0];
        ...
    }
This information disclosure leads to an attacker dumping all the system memory.
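As an added illustration (this is not the BSD driver's code, and it is a user-space model rather than kernel code), the following shows why the signed comparison in the fragment above lets a negative length through once it is converted to the unsigned type copyout expects, and what a corrected check looks like. The CROMSIZE value, the function names and the use of a plain int return value for the check are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for the example; stands in for the driver's CROMSIZE. */
#define CROMSIZE 0x400

/*
 * Vulnerable length computation, modelled on the fragment above.
 * req_len is the caller-supplied, signed crom_buf->len.  The signed
 * comparison passes for any negative value, and the result is then
 * converted to size_t (the type copyout takes), so -1 becomes SIZE_MAX.
 * Returns the length the copy routine would receive.
 */
size_t vulnerable_copy_len(int req_len)
{
    int len = CROMSIZE;          /* kernel-side default length */
    if (req_len < len)
        len = req_len;           /* a negative value slips through here */
    /* else: caller's len would be overwritten with CROMSIZE */
    return (size_t)len;          /* implicit signed-to-unsigned conversion */
}

/*
 * Hardened form: reject negative lengths before any comparison and clamp
 * the rest to the buffer size.  Returns the clamped length, or -1 for an
 * invalid request (a driver would return EINVAL at that point).
 */
long safe_copy_len(int req_len)
{
    if (req_len < 0)
        return -1;
    if (req_len > CROMSIZE)
        return CROMSIZE;
    return req_len;
}

int main(void)
{
    printf("vulnerable: len=-1  -> copy length %zu\n", vulnerable_copy_len(-1));
    printf("vulnerable: len=16  -> copy length %zu\n", vulnerable_copy_len(16));
    printf("hardened:   len=-1  -> %ld (rejected)\n", safe_copy_len(-1));
    printf("hardened:   len=16  -> %ld\n", safe_copy_len(16));
    printf("hardened:   len=1e5 -> %ld (clamped)\n", safe_copy_len(100000));
    return 0;
}
```

The first printed line is the whole bug in one number: the check is done on a signed int, the copy is done with an unsigned size_t, and nothing in between rejects the sign. The hardened check does the rejection on the signed value before it is ever converted.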