Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Mar 2013 12:01:26 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
While perhaps a questionable action in many environments, attaching
a USB device is a common use case.  The person attaching the device
has a reasonable expectation that code will NOT be executed, and
files will NOT be written outside the device, etc. without their
explicit permission or configuration.  There is also a reasonable
expectation that the operation of the device will not perform
actions against the OS without implicit user permission.

So, scenario 1 would clearly require a CVE.

For other scenarios, it should be considered whether the
user/victim uses a "common" operation that is not obviously
dangerous.  In scenario 3, clicking on a file in a USB device is a
common and reasonable operation, and unless that file is an
executable or otherwise automatically implies code execution, then
it is likely CVE-worthy if code execution, DoS, or some other
operation can be performed that is not within the intended
operation of the device.

I'm not sure I understand scenario 2 well enough to give direct
advice, but even if the user installing the USB is targeted instead
of the kernel, then it may qualify for a CVE.

- Steve


-----Original Message----- From: Eugene Teo
[mailto:eugeneteo () kernel sg] Sent: Thursday, March 14, 2013 9:51
AM To: oss-security () lists openwall com Subject: Re:
[oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer
overflow triggered by device

Hi Marcus,

On Thursday, 14 March 2013, Marcus Meissner wrote:

Hi,

I am wondering ... do we consider attacks with special attack
taylored USB devices as CVE worthy?

There is only some precedence in the CVE DB, but not much.

I stumbled over this fix from one of my colleagues where a
specifically made USB device reporting the "cdc-wdm" USB class
could cause a kernel heap overflow.

"Malicious attached devices" might fall into several
categories:

1. Attaching the device causes the issue directly within the
kernel / autoloaded module, without user interaction. (here the
case)


2. Attaching the device causes the issue when userspace,
dependend on e.g. desktop system, does initiate a seperate
action (like an automount and then exploitation of something)
(so not direct a kernel, but a kernel + GNOME/KDE
interaction).

A contrived example: you plug in a (fake) evil GPS device which causes
the system to go "oh a GPS device, I'll start up the GPS service, if
said GPS service had a buffer overflow in handling the data sent by
the evil (fake) GPS device could send data that causes code execution.
I know this example (plug GPS device in, GPS service starts) works in
Fedora by default for a few years now. I'm sure there are other
exmaples too.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRQhB2AAoJEBYNRVNeJnmTAm0QAMxA5lF4uHGSMNVfsCoHUQAL
GsqR+rCy+KCH5FLCLcISSj9x6YdBegVHNjohJ308Z3gtb546GUQNIobqZNW1MjuL
ghk8+bPw8ZPQ2W22Fc6HrXGF1Aehy6minm2Icf/qADVf7NEz7A9TWWWu3FQmIL4k
bZot3upy9wbJNhmeGjegb0EpFaJlhE4L8xQgb6CM6aImNTVaJsvSpvAMhpjf0DLp
5j4EA6i3QWBDHYHCtLcoLQCiADmXAZceaDqSX4cJQqIlqm+2WwOMFwozlBBb8ItP
I4RtCepGVhxpI+G1s58uNj0J+GgMh6/UjmyxHvM2c16wYL6Dhb6FADGGpA5msY1W
rmdmrFRGr86kqVBwB5i7VOKvX7ALeVNN5sCOkkaavzRZpsGRsz2yc3KFm0VdH+n7
TqJIo16ozzmzFGiH2M+pZpp9MdYxshmBhwwNWtOJJSiTfRVi2gSznk1OtKMWjB9c
ocrRkaSbvjKrZ17yDs6Q7/BJC22SqevQhh9tKOw4ib5Pn48WxZEChHiYJAzY5n4L
c9iCLCNzpInV5Iy6IoBKkAZ+odQSPmho30s3HBTm+qRVrvEzn90wxanuQbV8rEKg
Y/Emtgj2Jb0ZTlLzNc4RFjOgWTD3Z1KObQfXvyKUeClOlSfc/eZD90vazQaCNjgt
2YFzg8XbHiSz9bzND0cl
=fIP2
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]