Actu
Vigil@nce - Linux kernel: file access via CIFS DNS resolver
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can modify his keyring, in order to force the
CIFS client of the Linux kernel to connect to a malicious CIFS/SMB
server.
Severity: 2/4
Creation date: 02/08/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel contains a CIFS/SMB client, which is used to
connect to a remote share.
In order to save IP addresses of CIFS/SMB servers, the
dns_resolve_server_name_to_ip() function of the
fs/cifs/dns_resolve.c file stores values in the user’s keyring.
However, an attacker can save a malicious IP address in his
keyring, so the kernel will use it, and will connect to the
attacker’s CIFS/SMB server.
A local attacker can therefore modify his keyring, in order to
force the CIFS client of the Linux kernel to connect to a
malicious CIFS/SMB server.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-file-access-via-CIFS-DNS-resolver-9803
