Linked by Petur on Tue 8th Mar 2011 17:48 UTC
Linux "A bug in the Caiaq USB driver, which could be used to execute arbitrary code at the kernel level, has been reported by Rafael Dominguez Vega of MRW InfoSecurity. The device drivers are vulnerable to a buffer overflow condition when a USB device with an unusually long name (over 80 characters) is connected to the machine."
Thread beginning with comment 465338
RE: Caiaq USB ?
by senshikaze on Tue 8th Mar 2011 20:36 UTC in reply to "Caiaq USB ?"
senshikaze Member since:
2011-03-08

I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware it is hooked to.

Score: 1

RE[2]: Caiaq USB ?
by nbensa on Tue 8th Mar 2011 20:50 in reply to "RE: Caiaq USB ?"
nbensa Member since:
2005-08-29

I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware it is hooked to.


CONFIG_SND_USB_CAIAQ=m
CONFIG_SND_USB_CAIAQ_INPUT=y

Sound card?

Score: 1

RE[3]: Caiaq USB ?
by Neolander on Tue 8th Mar 2011 20:53 in reply to "RE[2]: Caiaq USB ?"
Neolander Member since:
2010-03-08

Looks like it ;)

http://caiaq.com/index_en.html

To date, several high-quality USB 2.0 audio interfaces, music production controllers and a WLAN based Multiroom Audio System have been delivered.



http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-buffer,2011...

DESCRIPTION OF THE VULNERABILITY

The sound/usb/caiaq directory implements the support of USB devices from the Native Instruments company.

The snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() functions copy the name of the USB device into an 80-byte array. However, if the name provided by the USB device is longer, a buffer overflow occurs.

An attacker can therefore insert a USB device with a long name, in order to create an overflow in caiaq, leading to a denial of service or to code execution.


(Putting some memory regions on W and X access privileges at the same time... Them fool... DEP is not here for nothing !)

Edited 2011-03-08 20:56 UTC

Score: 1
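
The copy described in the advisory text quoted above, as an added example that is not part of the thread or of the kernel source: a user-space C sketch of the bounded form of that name copy, with the unbounded pattern shown only in a comment. `demo_card`, `demo_set_card_name`, `demo_long_name_is_contained` and the 200-character sample name are hypothetical; only the 80-byte array size comes from the quoted description.

```c
#include <stdio.h>
#include <string.h>

#define CARD_NAME_LEN 80 /* destination size given in the quoted advisory */

/* Hypothetical stand-in for the structure that holds the card name. */
struct demo_card {
    char name[CARD_NAME_LEN];
    unsigned int canary; /* neighbouring field an unbounded copy would clobber */
};

/* The pattern the advisory describes trusts the device-supplied length:
 *     strcpy(card->name, product_name);
 * The bounded form below writes at most CARD_NAME_LEN bytes, NUL included.
 * Returns 0 if the name fit, 1 if it was truncated, -1 on bad arguments. */
int demo_set_card_name(struct demo_card *card, const char *product_name)
{
    size_t n;

    if (!card || !product_name)
        return -1;
    for (n = 0; n < CARD_NAME_LEN - 1 && product_name[n] != '\0'; n++)
        card->name[n] = product_name[n];
    card->name[n] = '\0';
    return product_name[n] != '\0'; /* input continues past the bound */
}

/* Constructed sample: a 200-character name, well over the 80-byte array.
 * Returns 1 if the copy was truncated and the adjacent field is intact. */
int demo_long_name_is_contained(void)
{
    struct demo_card card = { .canary = 0xC0FFEEu };
    char long_name[201];

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';
    return demo_set_card_name(&card, long_name) == 1 &&
           strlen(card.name) == CARD_NAME_LEN - 1 &&
           card.canary == 0xC0FFEEu;
}

int main(void)
{
    printf("long name contained: %d\n", demo_long_name_is_contained());
    return 0;
}
```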