Linux ReiserFS Kernel Oops and Code Execution Vulnerability
BID:2180
Info
Linux ReiserFS Kernel Oops and Code Execution Vulnerability
| Bugtraq ID: | 2180 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: |
CVE-2001-0172 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 09 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | This vulnerability was announced by Marc Lehmann <[email protected]> on January 9, 2001 via Bugtraq. |
| Vulnerable: |
SuSE Linux 7.0 Hans Reiser ReiserFS 3.5.28 |
| Not Vulnerable: | |
Discussion
Linux ReiserFS Kernel Oops and Code Execution Vulnerability
ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained.
A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using system binary ls or with built in shell function echo and create a Denial of Service. Upon attempting to list or echo the contents of the filesystem, a kernel buffer overflow occurs, overwriting variables on the stack including possibly the return address, as well as crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment. This vulnerability is yet unverified.
ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained.
A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using system binary ls or with built in shell function echo and create a Denial of Service. Upon attempting to list or echo the contents of the filesystem, a kernel buffer overflow occurs, overwriting variables on the stack including possibly the return address, as well as crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment. This vulnerability is yet unverified.
Exploit / POC
Linux ReiserFS Kernel Oops and Code Execution Vulnerability
This exploit was supplied by Marc Lehmann in the initial advisory:
mkdir "$(perl -e 'print "x" x 768')"
This exploit was supplied by Marc Lehmann in the initial advisory:
mkdir "$(perl -e 'print "x" x 768')"
Solution / Fix
Linux ReiserFS Kernel Oops and Code Execution Vulnerability
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Linux ReiserFS Kernel Oops and Code Execution Vulnerability
References:
References: