Vigil@nce - Linux kernel: buffer overflow via auerswald_probe
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker with physical access can plug in a malicious USB
device, in order to trigger an overflow in the Auerswald driver,
which causes a denial of service or leads to code execution.
Severity: 2/4
Creation date: 18/07/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The file drivers/usb/misc/auerswald.c of the Linux kernel
implements a USB driver for Auerswald PBX/System Telephones.
When a phone is connected via the USB port, the kernel calls the
auerswald_probe() function, which initializes the driver. This
function copies the name of the USB device into the dev_desc field
of a context structure.
However, if the USB device announces a name longer than AUSI_DLEN
(100) bytes, a buffer overflow occurs.
An attacker with physical access can therefore plug in a malicious
USB device, in order to trigger an overflow in the Auerswald
driver, which causes a denial of service or leads to code
execution.
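The bug class described above, shown as a user-space model with the bounded copy that prevents it. This is an added example, not the kernel's code: struct ctx_model, its canary field and the function names are hypothetical; only AUSI_DLEN and dev_desc come from the bulletin.

```c
#include <stdio.h>
#include <string.h>

#define AUSI_DLEN 100 /* buffer size quoted in the bulletin */

/* Hypothetical stand-in for the driver's context structure. */
struct ctx_model {
    char dev_desc[AUSI_DLEN];
    int canary; /* neighbouring field an overflow would overwrite */
};

/* Unsafe pattern: the device-supplied name decides how much is written. */
void copy_name_unchecked(struct ctx_model *cp, const char *name)
{
    strcpy(cp->dev_desc, name); /* writes past dev_desc if name does not fit */
}

/* Hardened: clamp to the destination size, always NUL-terminate.
 * Returns 1 if the name was truncated, 0 if it fit. */
int copy_name_bounded(struct ctx_model *cp, const char *name, size_t len)
{
    int truncated = len >= sizeof(cp->dev_desc);
    if (truncated)
        len = sizeof(cp->dev_desc) - 1;
    memcpy(cp->dev_desc, name, len);
    cp->dev_desc[len] = '\0';
    return truncated;
}

/* Constructed 255-byte name; returns 1 if clamped and the canary is intact. */
int demo_oversized(void)
{
    char name[256];
    struct ctx_model c;
    c.canary = 0x5AFE;
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    return copy_name_bounded(&c, name, strlen(name)) == 1 &&
           strlen(c.dev_desc) == (size_t)(AUSI_DLEN - 1) && c.canary == 0x5AFE;
}

int main(void)
{
    struct ctx_model c = { "", 0 };
    copy_name_unchecked(&c, "Short name"); /* fits, so safe here */
    printf("short: %s\n", c.dev_desc);
    printf("oversized handled safely: %d\n", demo_oversized());
    return 0;
}
```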
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-auerswald-probe-10845