iso9660handler.txt

22 Mar 2005
Reported by Michal Zalewski
Type: packetstorm
Source: packetstormsecurity.com

A number of kernel-level range checking flaws in the ISO9660 filesystem handler (and Rock Ridge / Joliet extensions) in Linux up to and including 2.6.11. The bugs range from DoS conditions to potentially exploitable memory corruption. Most flaws are expected to be fixed in Linux 2.6.12, but it may take some time to work out all the issues.

Good morning,

There appears to be a fair number of kernel-level range checking flaws in
the ISO9660 filesystem handler (and Rock Ridge / Joliet extensions) in Linux
up to and including 2.6.11. These bugs range from DoS conditions to
potentially exploitable memory corruption - all this whenever a specially
crafted filesystem is mounted or directories are examined.

Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show
up by tomorrow or so), although, as per Linus' words, "that code is
horrid", and it may take some time to work out all the issues.

The impact is not dramatic, but there are two obvious ways such flaws can
be used to benefit remote attackers:

1) Bugs in removable media filesystems may be used to automatically
compromise any system whose owner decided to examine a newly acquired
CD-ROM, even if extreme caution is observed (that is, autorun is
disabled, and no files are executed).

2) For all types of filesystems, such problems can be additionally used
to subvert forensic analysis efforts. Disk images from a compromised
machine may infect the forensic examiner's system and alter results,
or simply render the machine unusable.

Attached is a trivial fuzz script that can be used to test fs drivers
against the most obvious fault conditions. With little effort, it can be
further altered to test filesystems other than ISO9660, and OSes other
than Linux.

Regards,
Michal Zalewski

Obligatory plug: http://lcamtuf.coredump.cx/silence/


```bash
#!/bin/bash

cd /tmp || exit 1

echo '[*] Compiling mangler...'

# mangle: read stdin in chunks and overwrite up to i/20 randomly chosen
# bytes of each chunk with random values; chunk length is preserved.
cat >mangle.c <<_EOF_
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

char buf[10240];

int main(void) {
  int i, x;
  srand(time(0) ^ getpid());
  while ((i = read(0, buf, sizeof(buf))) > 0) {
    /* a chunk shorter than 20 bytes would make i/20 zero (modulo by zero) */
    x = (i >= 20) ? rand() % (i / 20) : 0;
    while (x--) buf[rand() % i] = rand();
    write(1, buf, i);
  }
  return 0;
}
_EOF_

gcc -O3 mangle.c -o mangle || exit 1
rm -f mangle.c

echo '[*] Preparing ISO master (feel free to alter this code)...'

mkdir cd_dir || exit 1
cd cd_dir

# 200 nested directories: deep paths stress path-depth handling
CNT=0
while [ "$CNT" -lt "200" ]; do
  mkdir A; cd A
  CNT=$((CNT+1))
done

cd /tmp/cd_dir

# three nested directories with 255-character names: maximum-length identifiers
A=$(perl -e '{print "A"x255}' 2>/dev/null)
CNT=0
while [ "$CNT" -lt "3" ]; do
  mkdir "$A"; cd "$A"
  CNT=$((CNT+1))
done

cd /tmp

echo '[*] Creating image (alter filesystem or parameters as needed)...'

# -U: untranslated filenames, -R: Rock Ridge, -J: Joliet
mkisofs -U -R -J -o cd.iso cd_dir 2>/dev/null || exit 1
rm -rf cd_dir

echo '[*] STRESS TEST PHASE...'

while :; do
  DIR="/tmp/cdtest-$$-$RANDOM"
  mkdir "$DIR"
  dmesg -c 2>/dev/null        # clear the ring buffer so only this round's messages remain
  ./mangle <cd.iso >cd_mod.iso
  mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null
  # ls -lAR "$DIR" - Uncomment if you like when it HURTS...
  umount "$DIR" 2>/dev/null
  rm -rf "$DIR" 2>/dev/null
  FAULT=$(dmesg | grep -Ei 'oops|unable to handle')
  test "$FAULT" = "" || break
done

dmesg | tail -30

echo '[+] Something found (/tmp/cd_mod.iso)...'

rm -f cd.iso mangle
exit 0
```
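The advisory above names the bug class (range checking in the ISO9660 directory handling) but not the individual checks. The following is an added illustration, not code from the advisory, from Packet Storm or from the Linux kernel: a directory-extent walker that performs the length checks such a handler needs (record length against the bytes left in the extent and against the 33-byte fixed part, file identifier length against the record, Rock Ridge/SUSP entry length against the system-use field). It runs over a constructed sample sector and then over four single-field corruptions of it, the kind of damage the byte-flipping mangler above produces at random. Record layout follows ECMA-119 section 9.1 and the 4-byte SUSP entry header; the sample records, the NM entry and the specific corruptions are constructed here for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISO_SECTOR_SIZE 2048
#define ISO_DR_FIXED    33   /* bytes 0..32 of a directory record (ECMA-119 9.1) */
#define SUSP_HDR        4    /* SUSP entry header: signature[2], length, version */

/* Rock Ridge / SUSP entries live in the system-use field after the file
 * identifier.  Each entry carries its own length byte, so every one must be
 * checked against the bytes that remain in the record before it is trusted. */
static int check_susp(const uint8_t *su, size_t sulen, const char **why)
{
    size_t off = 0;
    while (sulen - off >= SUSP_HDR) {
        uint8_t elen = su[off + 2];
        if (elen < SUSP_HDR)    { *why = "SUSP entry shorter than its header"; return -1; }
        if (elen > sulen - off) { *why = "SUSP entry overruns record"; return -1; }
        if (su[off] == 'S' && su[off + 1] == 'T') break;   /* ST: end of field */
        off += elen;
    }
    return 0;
}

/* Walk the directory records in an extent of extlen bytes.  Returns the number
 * of well-formed records, or -1 with *why naming the first fault found. */
static int walk_dir_extent(const uint8_t *ext, size_t extlen, const char **why)
{
    size_t off = 0;
    int count = 0;
    *why = "ok";
    while (off < extlen) {
        size_t left = extlen - off;
        uint8_t len_dr = ext[off];
        if (len_dr == 0) {   /* records never cross a sector: zero means padding */
            off = (off / ISO_SECTOR_SIZE + 1) * ISO_SECTOR_SIZE;
            continue;
        }
        if (len_dr < ISO_DR_FIXED) { *why = "record shorter than its fixed header"; return -1; }
        if (len_dr > left)         { *why = "record overruns directory extent"; return -1; }
        uint8_t len_fi = ext[off + 32];                       /* safe: len_dr >= 33 <= left */
        if (len_fi == 0)                            { *why = "empty file identifier"; return -1; }
        if ((size_t)ISO_DR_FIXED + len_fi > len_dr) { *why = "identifier overruns record"; return -1; }
        /* a pad byte follows an even-length identifier (ECMA-119 9.1.12) */
        size_t su_off = ISO_DR_FIXED + len_fi + ((len_fi & 1) ? 0 : 1);
        if (su_off > len_dr) { *why = "pad byte overruns record"; return -1; }
        if (check_susp(ext + off + su_off, len_dr - su_off, why) < 0) return -1;
        count++;
        off += len_dr;
    }
    return count;
}

/* Append one record; only the fields the walker reads are filled, extent
 * location, data length and flags stay zero in this constructed sample. */
static size_t put_record(uint8_t *ext, size_t off, const char *id, uint8_t len_fi,
                         const uint8_t *su, size_t sulen)
{
    size_t su_off = ISO_DR_FIXED + len_fi + ((len_fi & 1) ? 0 : 1);
    size_t len_dr = su_off + sulen;
    ext[off] = (uint8_t)len_dr;                        /* LEN_DR */
    ext[off + 32] = len_fi;                            /* LEN_FI */
    memcpy(ext + off + ISO_DR_FIXED, id, len_fi);
    if (sulen) memcpy(ext + off + su_off, su, sulen);  /* system-use field */
    return off + len_dr;
}

/* Constructed sample sector: ".", ".." and FOO.TXT;1 carrying a Rock Ridge NM
 * entry for the name "foo".  *third receives the offset of the third record. */
static void build_sample(uint8_t *ext, size_t *third)
{
    static const uint8_t nm_foo[] = { 'N', 'M', 8, 1, 0, 'f', 'o', 'o' };
    size_t off = 0;
    memset(ext, 0, ISO_SECTOR_SIZE);
    off = put_record(ext, off, "\0", 1, NULL, 0);   /* "."  (identifier 0x00) */
    off = put_record(ext, off, "\1", 1, NULL, 0);   /* ".." (identifier 0x01) */
    *third = off;
    put_record(ext, off, "FOO.TXT;1", 9, nm_foo, sizeof nm_foo);   /* 50-byte record */
}

/* Case 0: intact sector (3 records).  Cases 1-4 apply one corruption each:
 * 1: LEN_FI of the third record set to 250, far past its 50-byte record
 * 2: NM entry length set to 2, below the 4-byte SUSP header
 * 3: LEN_DR of the third record set to 20, below the 33-byte fixed part
 * 4: directory extent ending 16 bytes into the third record */
static int demo_case(int n, const char **why)
{
    static uint8_t ext[ISO_SECTOR_SIZE];
    const char *w;
    size_t third, extlen = ISO_SECTOR_SIZE;
    build_sample(ext, &third);
    switch (n) {
    case 1: ext[third + 32] = 250;   break;
    case 2: ext[third + 42 + 2] = 2; break;   /* NM entry starts at 33 + 9 = 42 */
    case 3: ext[third] = 20;         break;
    case 4: extlen = third + 16;     break;
    default: break;
    }
    int rc = walk_dir_extent(ext, extlen, &w);
    if (why) *why = w;
    return rc;
}

static const char *demo_why(int n) { const char *w; demo_case(n, &w); return w; }

int main(void)
{
    for (int n = 0; n < 5; n++)
        printf("case %d: %2d  %s\n", n, demo_case(n, NULL), demo_why(n));
    return 0;
}
```

Each check rejects the record before any field past the verified bound is read; the order matters, since LEN_FI at offset 32 may only be read once LEN_DR has been checked against both the fixed header and the bytes left in the extent. A handler that trusts LEN_DR, LEN_FI or a SUSP length byte from the medium reads or copies past its buffer on exactly the inputs the mangler above produces.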
