Linked by Petur on Tue 8th Mar 2011 17:48 UTC
Linux "A bug in the Caiaq USB driver, which could be used to execute arbitrary code at the kernel level, has been reported by Rafael Dominguez Vega of MRW InfoSecurity. The device drivers are vulnerable to a buffer overflow condition when a USB device with an unusually long name (over 80 characters) is connected to the machine."
Fix
by diegoviola on Tue 8th Mar 2011 18:21 UTC
diegoviola
Member since:
2006-08-15

is there any fix coming? has this been fixed yet?

Reply Score: 2

RE: Fix
by senshikaze on Tue 8th Mar 2011 18:41 UTC in reply to "Fix"
senshikaze Member since:
2011-03-08
RE[2]: Fix
by umccullough on Tue 8th Mar 2011 19:12 UTC in reply to "RE: Fix"
umccullough Member since:
2006-01-26



Heh, we have been fixing a ton of issues like that in Haiku recently - Coverity picks them up like a champ ;)

Reply Score: 4

RE[2]: Fix
by diegoviola on Tue 8th Mar 2011 23:17 UTC in reply to "RE: Fix"
diegoviola Member since:
2006-08-15



Nice, thanks.

Reply Score: 2

LOL
by d.marcu on Tue 8th Mar 2011 18:27 UTC
d.marcu
Member since:
2009-12-27

"USB device with an unusually long name (over 80 characters)": who the f*** uses 80+ characters to name a USB drive?

Reply Score: 1

RE: LOL
by Soulbender on Tue 8th Mar 2011 18:36 UTC in reply to "LOL"
Soulbender Member since:
2005-08-18

The person attacking the computer.

Reply Score: 10

RE[2]: LOL
by d.marcu on Tue 8th Mar 2011 19:13 UTC in reply to "RE: LOL"
d.marcu Member since:
2009-12-27

So this guy must have access to my PC and insert an 80+ character named USB drive in order to exploit it? It's not like if I have a USB drive with a huge name my computer can be exploited by a hacker halfway around the world. I'll restrict my USB drives to fewer characters, just in case.

Reply Score: 2

RE[3]: LOL
by umccullough on Tue 8th Mar 2011 19:23 UTC in reply to "RE[2]: LOL"
umccullough Member since:
2006-01-26

So this guy must have access to my PC and insert an 80+ character named USB drive in order to exploit it? It's not like if I have a USB drive with a huge name my computer can be exploited by a hacker halfway around the world. I'll restrict my USB drives to fewer characters, just in case.


It may not affect you, but something like this is indeed bad. For example, what prevents a kiosk running Linux from being pwned? Think: digital picture processing kiosk at the drug store.

It's even more disturbing after reading the recent report on what governments have been up to with HBGary:

http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgar...

Reply Score: 6

RE[4]: LOL
by Soulbender on Tue 8th Mar 2011 19:56 UTC in reply to "RE[3]: LOL"
Soulbender Member since:
2005-08-18

It's even more disturbing after reading the recent report on what governments have been up to with HBGary:


On the other hand, considering how easily he got owned, how good can he actually be, and how much should we trust what he says he has done?

Reply Score: 3

RE[5]: LOL
by umccullough on Tue 8th Mar 2011 20:00 UTC in reply to "RE[4]: LOL"
umccullough Member since:
2006-01-26

"It's even more disturbing after reading the recent report on what governments have been up to with HBGary:


On the other hand, considering how easily he got owned, how good can he actually be, and how much should we trust what he says he has done?
"

Well, if you follow the story, HBGary Federal was owned, HBGary was collateral damage. They apparently do have some decent technology, including unreleased 0day exploits...

But the important bit is: The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA.

Reply Score: 4

RE[6]: LOL
by Petur on Tue 8th Mar 2011 20:02 UTC in reply to "RE[5]: LOL"
Petur Member since:
2011-03-01

But the important bit is: The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA.


Why hire someone to break in when you can just pay the coder to not lock the door?

Reply Score: 3

RE[6]: LOL
by Soulbender on Tue 8th Mar 2011 20:11 UTC in reply to "RE[5]: LOL"
Soulbender Member since:
2005-08-18

They apparently do have some decent technology, including unreleased 0day exploits...


Or so he says. To be honest, reading that article it feels like the wet daydreams of some loser who has watched too many spy movies. Like some cyber version of Jonathan Idema.

The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA.


I would not expect anything less.

Edited 2011-03-08 20:13 UTC

Reply Score: 2

RE[4]: LOL
by Petur on Tue 8th Mar 2011 20:00 UTC in reply to "RE[3]: LOL"
Petur Member since:
2011-03-01



Thank you for sharing, that post is very interesting.

Reply Score: 1

RE[4]: LOL
by t3RRa on Wed 9th Mar 2011 01:27 UTC in reply to "RE[3]: LOL"
t3RRa Member since:
2005-11-22

For example, what prevents a Kiosk running Linux from being pwned. Think: digital picture processing kiosk at the drug store.

I have seen one of the picture processing kiosks at a local drug store, and the kiosk, if I remember correctly, was from Kodak or Fujifilm. They were actually running Windows. And with the help of my humble memory, some articles or comments on this site were saying those kiosks commonly run Windows instead of Linux. Since this is a Linux bug, I doubt it would affect many of those kiosks.

Reply Score: 2

RE[5]: LOL
by umccullough on Wed 9th Mar 2011 01:52 UTC in reply to "RE[4]: LOL"
umccullough Member since:
2006-01-26

I have seen one of the picture processing kiosks at a local drug store, and the kiosk, if I remember correctly, was from Kodak or Fujifilm. They were actually running Windows. And with the help of my humble memory, some articles or comments on this site were saying those kiosks commonly run Windows instead of Linux. Since this is a Linux bug, I doubt it would affect many of those kiosks.


Sure, maybe now - but with shit like this:

http://it.slashdot.org/story/10/07/06/0019234/Photo-Kiosks-Infectin...

How long before they realize Windows is the wrong solution?

Reply Score: 2

RE[6]: LOL
by t3RRa on Wed 9th Mar 2011 08:20 UTC in reply to "RE[5]: LOL"
t3RRa Member since:
2005-11-22

Can we just stick to the subject of this article?

Reply Score: 2

RE[7]: LOL
by umccullough on Wed 9th Mar 2011 19:57 UTC in reply to "RE[6]: LOL"
umccullough Member since:
2006-01-26

Can we just stick to the subject of this article?


Sure, because sticking a USB stick into a kiosk running a vulnerable operating system is soooo off topic eh?

Reply Score: 2

RE[6]: LOL
by gfolkert on Wed 9th Mar 2011 08:32 UTC in reply to "RE[5]: LOL"
gfolkert Member since:
2008-12-15

Sure, maybe now - but with shit like this:

http://it.slashdot.org/story/10/07/06/0019234/Photo-Kiosks-Infectin...

How long before they realize Windows is the wrong solution?


Ummm, never?

They don't *WANT* a great solution. They want something where they don't feel they have to reinvent the wheel, err... compile from source and insert kernel modules... etc.

Yeah, I know. I've had Linux kiosks running for a coffee house locally for almost 4 years. The worst thing that happened is some person's web e-mail tried to write to C:\Windows\something\something\blahblahblah

Plus running from an Optical Drive is nice.

Reply Score: 1

RE[4]: LOL
by UltraZelda64 on Wed 9th Mar 2011 16:07 UTC in reply to "RE[3]: LOL"
UltraZelda64 Member since:
2006-12-05

Think: digital picture processing kiosk at the drug store.

What's funny is that just the other day, I walked in front of one of those things in Walgreen's. It was prominently displaying the Blue Screen of Death on its screen. It's not the first time--I've seen them display standard Windows errors (including crashes) and BSODs more times than I care to remember...

At this rate, I think that as long as those things are running Windows and are inoperable a large portion of the time as a result, people are "relatively" safe from digital picture kiosks. LOL.

Reply Score: 2

RE: LOL
by ivanzinho on Tue 8th Mar 2011 18:58 UTC in reply to "LOL"
ivanzinho Member since:
2009-04-05

Let me spell it out for you: a malicious person.

Reply Score: 1

Caiaq USB ?
by torturedutopian on Tue 8th Mar 2011 18:48 UTC
torturedutopian
Member since:
2010-04-24

What is it? Is it actually a widespread device? Never heard of that.

Reply Score: 1

RE: Caiaq USB ?
by senshikaze on Tue 8th Mar 2011 20:36 UTC in reply to "Caiaq USB ?"
senshikaze Member since:
2011-03-08

I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware it is hooked to.

Reply Score: 1

RE[2]: Caiaq USB ?
by nbensa on Tue 8th Mar 2011 20:50 UTC in reply to "RE: Caiaq USB ?"
nbensa Member since:
2005-08-29

I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware it is hooked to.


CONFIG_SND_USB_CAIAQ=m
CONFIG_SND_USB_CAIAQ_INPUT=y

Sound card?

Reply Score: 1

RE[3]: Caiaq USB ?
by Neolander on Tue 8th Mar 2011 20:53 UTC in reply to "RE[2]: Caiaq USB ?"
Neolander Member since:
2010-03-08

Looks like it ;)

http://caiaq.com/index_en.html

To date, several high-quality USB 2.0 audio interfaces, music production controllers and a WLAN based Multiroom Audio System have been delivered.



http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-buffer,2011...

DESCRIPTION OF THE VULNERABILITY

The sound/usb/caiaq directory implements the support of USB devices from the Native Instruments company.

The snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() functions copy the name of the USB device into an 80-byte array. However, if the name provided by the USB device is longer, a buffer overflow occurs.

An attacker can therefore insert a USB device with a long name, in order to create an overflow in caiaq, leading to a denial of service or to code execution.


(Putting some memory regions on W and X access privileges at the same time... Them fool... DEP is not here for nothing!)

Edited 2011-03-08 20:56 UTC

Reply Score: 1

Isn't the title misleading?
by jhominal on Tue 8th Mar 2011 19:19 UTC
jhominal
Member since:
2009-07-07

The title promises a lot - it sounds like some rather general exploit on the Linux kernel, when it is nothing more than a buffer overflow bug in a particular driver.

I wouldn't be that surprised to see that on Slashdot - and then promptly tagged there with the "notnews" tag - but I don't think that it is really much of an event (I think, without having seen statistics about it, that dozens, if not hundreds, of such bugs are found and fixed each year.) - at least not enough of an event to warrant a place on OSNews.

Reply Score: 3

grepping for strcat/strcpy
by panzi on Tue 8th Mar 2011 21:19 UTC
panzi
Member since:
2006-01-22

I downloaded a recent kernel source bundle and did: grep -IR '\<strcat\>\|\<strcpy\>' *|wc -l

This found 3558 lines. While many of them are in the form `strcpy(foo, "string literal");` I think usage of these functions should be generally forbidden. All these function calls should be replaced with strlcat/strlcpy.

Edited 2011-03-08 21:20 UTC

Reply Score: 2
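The advisory quoted in Neolander's post above describes a device-supplied name being copied into an 80-byte array, and panzi's grep is about the same pattern across the tree. As an added illustration (this is not the kernel's snd-usb-caiaq code, not the advisory's text, and not code from any poster), here is that bug shape beside a bounded copy of the kind the thread is arguing for. The 80-byte size is taken from the advisory; struct fake_dev, the function names, the guard word and the sample names are all made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration only: not the kernel's snd-usb-caiaq code and not the
 * advisory's text. The 80-byte destination is the size the advisory gives;
 * struct fake_dev, the function names and the sample names are made up. */
#define CAIAQ_NAME_LEN 80

struct fake_dev {
    char name[CAIAQ_NAME_LEN];  /* fixed-size destination, as in the advisory */
    unsigned int guard;         /* placed after name so a corrupted value is visible */
};

#define GUARD_VALUE 0x5a5a5a5au

/* The shape of the reported bug: an unbounded strcpy of data the USB device
 * itself supplies. The destination size never enters the copy, so a name
 * longer than 79 characters writes past d->name. Shown for comparison only;
 * it must never be reached with untrusted input. */
static void copy_name_unbounded(struct fake_dev *d, const char *usb_name)
{
    strcpy(d->name, usb_name);
}

/* Hardened form: the copy is bounded by sizeof(d->name), the result is always
 * NUL-terminated, and truncation is reported instead of silently overflowing.
 * Returns 1 when the whole name fit, 0 when it was truncated. strlcpy, which
 * the thread mentions, gives the same termination guarantee. */
static int copy_name_bounded(struct fake_dev *d, const char *usb_name)
{
    size_t max = sizeof(d->name) - 1;   /* leave room for the terminator */
    size_t n = strlen(usb_name);

    if (n > max) {
        memcpy(d->name, usb_name, max);
        d->name[max] = '\0';
        return 0;
    }
    memcpy(d->name, usb_name, n + 1);
    return 1;
}

/* Constructed input: a name of name_len characters, i.e. the "over 80
 * characters" case when name_len > 79. buf must hold name_len + 1 bytes. */
static void make_long_name(char *buf, size_t name_len)
{
    memset(buf, 'A', name_len);
    buf[name_len] = '\0';
}

/* Run the bounded copy against a constructed 120-character name and return
 * the length actually stored (CAIAQ_NAME_LEN - 1 = 79). */
static size_t stored_len_after_bounded_copy(void)
{
    char longname[121];
    struct fake_dev d;

    make_long_name(longname, 120);
    memset(&d, 0, sizeof d);
    copy_name_bounded(&d, longname);
    return strlen(d.name);
}

/* Returns 1 if the guard word after name is untouched once a 120-character
 * name has gone through the bounded copy, 0 otherwise. */
static int guard_intact_after_bounded_copy(void)
{
    char longname[121];
    struct fake_dev d;

    make_long_name(longname, 120);
    memset(&d, 0, sizeof d);
    d.guard = GUARD_VALUE;
    copy_name_bounded(&d, longname);
    return d.guard == GUARD_VALUE && d.name[CAIAQ_NAME_LEN - 1] == '\0';
}

int main(void)
{
    struct fake_dev d;
    memset(&d, 0, sizeof d);

    /* A short, constructed name fits either way; only the bounded copy is
     * ever given the long one. */
    copy_name_unbounded(&d, "Constructed Short Name");
    printf("unbounded copy, short name: %s\n", d.name);
    printf("bounded copy, short name fit: %d\n",
           copy_name_bounded(&d, "Constructed Short Name"));
    printf("bounded copy, 120-char name stored length: %zu\n",
           stored_len_after_bounded_copy());
    printf("guard intact after bounded copy: %d\n",
           guard_intact_after_bounded_copy());
    return 0;
}
```

The point of the guard word is the review question a maintainer would ask of any fixed-size destination: what sits after it, and does the copy know the destination size? In the bounded form the size comes from sizeof(d->name) rather than from the device, which is the property a grep for strcpy/strcat cannot check but a reviewer can.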

RE: grepping for strcat/strcpy
by Soulbender on Wed 9th Mar 2011 00:43 UTC in reply to "grepping for strcat/strcpy"
Soulbender Member since:
2005-08-18

Well, Ulrich Drepper does not like strlcat/strlcpy so they won't be in glibc anytime soon.

Reply Score: 2

RE[2]: grepping for strcat/strcpy
by Hypnos on Wed 9th Mar 2011 04:25 UTC in reply to "RE: grepping for strcat/strcpy"
Hypnos Member since:
2008-11-19

The kernel can just use its own implementations of strl{cat,copy} until they are standardized, no?

Reply Score: 1

oiaohm Member since:
2009-05-30

The kernel can just use its own implementations of strl{cat,copy} until they are standardized, no?


Nice in theory. The Linux kernel does have strncat and strncpy, and the problem back in history is that they leaked a little memory. So to avoid that problem some drivers changed over to strcpy, leading to today's problem.

Historic chain of failure. Hopefully this is close to the last bit of it.

Reply Score: 2

sakeniwefu Member since:
2008-02-26

These functions will never be standardized. C1X, the next C standard, will include the IMHO inferior but good enough (certainly better than str* and strn*) str*_s functions by Microsoft.

This has little relevance though, given that the Linux kernel doesn't use glibc and it *does* include strlcat and strlcpy.

So do glib, KDE and Samba, for example. Basically everyone but that Drepper guy has got them.

Reply Score: 2

Reminds me of this USB attack
by Lennie on Tue 8th Mar 2011 22:10 UTC
Lennie
Member since:
2007-09-22

http://www.youtube.com/watch?v=ovfYBa1EHm4

Never been a fan of Nautilus. ;-)

Reply Score: 2

For anyone who has not updated kernel
by oiaohm on Wed 9th Mar 2011 03:45 UTC
oiaohm
Member since:
2009-05-30

This is Linux, of course: blacklist the driver,

http://www.cyberciti.biz/tips/avoid-linux-kernel-module-driver-auto...

Problem solved. Insert the infected device as much as you like; after that is done, it's worthless.

Yes, the hotfix for the issue.

Reply Score: 2