The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements
Present
AT
The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VSR Security Advisory
http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-
Advisory Name: Coda Filesystem Kernel Memory Disclosure
Release Date: 2010-08-16
Application: Coda kernel module for NetBSD and FreeBSD
Versions: All known versions
Severity: Medium
Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released [2][3]
CVE Candidate: CVE-2010-3014
Reference: http://www.vsecurity.com/resources/advisory/20100816-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-
Product Description
- -------------------
- From [1]:
"Coda is a distributed filesystem with its origin in AFS2. It has many
features that are very desirable for network filesystems. Currently, Coda has
several features not found elsewhere.
1. disconnected operation for mobile computing
2. is freely available under a liberal license
3. high performance through client side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in server network
7. network bandwidth adaptation
8. good scalability
9. well defined semantics of sharing, even in the presence of nework failure"
Vulnerability Overview
- ----------------------
On July 19th, VSR identified a vulnerability in the Coda filesystem kernel
module, as implemented for FreeBSD and NetBSD. By sending a specially crafted
ioctl request to a mounted Coda filesystem, an unprivileged local user could
read large portions of kernel heap memory, leading to the disclosure of
potentially sensitive information.
Product Background
- ------------------
Coda is implemented as a kernel filesystem module with userland components.
System calls involving file I/O are passed to the Coda kernel module, which in
turn passes the request to the userland Venus cache manager via a character
device. Venus answers the request by checking its cache or requesting content
from the Coda server. Coda implements most standard filesystem operations,
including providing an ioctl interface.
Vulnerability Details
- ---------------------
Coda ioctls are passed through the Coda filesystem module before being sent to
Venus. The arguments to a Coda ioctl are encapsulated in a PioctlData struct,
which in turn contains a ViceIoctl struct. The ViceIoctl struct contains
"in_size" and "out_size" fields, dictating the expected size of the input and
output data corresponding to a particular ioctl request. The "in_size" field
is validated to prevent memory corruption via copying an unexpected amount of
data from userspace into a kernel buffer.
However, the "out_size" field was missing this validation. When copying the
output data of an ioctl request back to userspace, the "out_size" field was
used to determine the amount of data to copy, without restricting it to a
maximum possible size. By specifying a large value for this field, the
contents of the kernel heap beyond the data intended to be returned to the user
would be copied into a userland buffer. An unprivileged user could exploit
this to read large portions of the kernel heap, potentially disclosing
sensitive information.
Versions Affected
- -----------------
This vulnerability affects all known versions of the Coda filesystem module as
included in FreeBSD and NetBSD. The Linux Coda module is not affected.
Vendor Response
- ---------------
The following timeline details FreeBSD's and NetBSD's response to the reported
issue:
2010-07-19 Vulnerability reported to FreeBSD and NetBSD
2010-07-20 Fix committed by NetBSD [2]
2010-07-21 Response from FreeBSD
2010-07-21 FreeBSD and NetBSD provided a draft advisory
2010-08-05 Fix committed by FreeBSD [3]
2010-08-16 Coordinated disclosure
Recommendation
- --------------
Coda users should apply the updates committed by NetBSD [2] and FreeBSD[3].
Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-3014 to this issue. This is a candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Acknowledgements
- ----------------
Thanks to the FreeBSD and NetBSD security teams for their prompt responses.
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-
References:
1. Coda File System
http://www.coda.cs.cmu.edu
2. Coda module in NetBSD CVS
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN
3. FreeBSD SVN revision 210997
http://svn.freebsd.org/viewvc/base?view=revision&revision=210997
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-
This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible
disclosure practices: http://www.vsecurity.com/company/disclosure
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxpiYQACgkQQ1RSUNR+T+hfGwCfaRQXT13u2A/Yi+gEA4nYmKJY
E54An3z9sEKrVhVmXOxG4f0+b4dApu7e
=RjUw
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum