Coda Filesystem Kernel Memory Disclosure

Release Date 2010-08-16
Application Coda kernel module for NetBSD and FreeBSD
Versions All known versions
Severity Medium
Discovered by Dan Rosenberg <drosenberg {at} vsecurity.com>
Vendor Status Patch Released [2][3]
CVE Candidate CVE-2010-3014
Reference Original Advisory

Product Description

From [1]:

"Coda is a distributed filesystem with is origin in AFS2. It has many features that are very desirable for network filesystems. Currently, Coda has several features not found elsewhere.

  1. disconnected operation for mobile computing
  2. is freely available under a liberal license
  3. high performance through client side persistent caching
  4. server replication
  5. security model for authentication, encryption and access control
  6. continued operation during partial network failures in server network
  7. network bandwidth adaptation
  8. good scalability
  9. well defined semantics of sharing, even in the presence of nework failure"

Vulnerability Overview

On July 19th, VSR identified a vulnerability in the Coda filesystem kernel module, as implemented for FreeBSD and NetBSD. By sending a specially crafted ioctl request to a mounted Coda filesystem, an unprivileged local user could read large portions of kernel heap memory, leading to the disclosure of potentially sensitive information.

Product Background

Coda is implemented as a kernel filesystem module with userland components. System calls involving file I/O are passed to the Coda kernel module, which in turn passes the request to the userland Venus cache manager via a character device. Venus answers the request by checking its cache or requesting content from the Coda server. Coda implements most standard filesystem operations, including providing an ioctl interface.

Vulnerability Details

Coda ioctls are passed through the Coda filesystem module before being sent to Venus. The arguments to a Coda ioctl are encapsulated in a PioctlData struct, which in turn contains a ViceIoctl struct. The ViceIoctl struct contains in_size and out_size fields, dictating the expected size of the input and output data corresponding to a particular ioctl request. The in_size field is validated to prevent memory corruption via copying an unexpected amount of data from userspace into a kernel buffer.

However, the out_size field was missing this validation. When copying the output data of an ioctl request back to userspace, the out_size field was used to determine the amount of data to copy, without restricting it to a maximum possible size. By specifying a large value for this field, the contents of the kernel heap beyond the data intended to be returned to the user would be copied into a userland buffer. An unprivileged user could exploit this to read large portions of the kernel heap, potentially disclosing sensitive information.

Versions Affected

This vulnerability affects all known versions of the Coda filesystem module as included in FreeBSD and NetBSD. The Linux Coda module is not affected.

Vendor Response

The following timeline details FreeBSD's and NetBSD's response to the reported issue:

2010-07-19 Vulnerability reported to FreeBSD and NetBSD
2010-07-20 Fix committed by NetBSD [2]
2010-07-21 Response from FreeBSD
2010-07-21 FreeBSD and NetBSD provided a draft advisory
2010-08-05 Fix committed by FreeBSD [3]
2010-08-16 Coordinated disclosure

Recommendation

Coda users should apply the updates committed by NetBSD [2] and FreeBSD [3].

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2010-3014 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to the FreeBSD and NetBSD security teams for their prompt responses.


References

1. Coda File System
http://www.coda.cs.cmu.edu
2. Coda module in NetBSD CVS
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN
3. FreeBSD SVN revision 210997
http://svn.freebsd.org/viewvc/base?view=revision&revision=210997

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2010 Virtual Security Research, LLC. All rights reserved.

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

2012-07-29
Michael Coppola presents Owning the Network: Adventures in Router Rootkits at DEF CON 20 [slides].

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com