Vigil@nce - FreeBSD, NetBSD: integer overflows of netsmb
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the netsmb module is enabled on FreeBSD/NetBSD, a local
attacker can generate overflows, in order to create a denial of
service or to elevate his privileges.
Severity: 2/4
Creation date: 13/07/2010
DESCRIPTION OF THE VULNERABILITY
The netsmb module implements a SMB/CIFS client for the
FreeBSD/NetBSD kernel.
The mount_smbfs command mounts remote SMB/CIFS shares to a local
directory. This command uses the /dev/nsmbx devices to exchange
data with netsmb.
A local attacker can directly connect to /dev/nsmbx and send
malicious SMBIOC_LOOKUP and SMBIOC_OPENSESSION ioctls. An integer
then becomes negative in smb_strdup(), smb_strdupin(),
smb_memdupin(), smb_zmalloc(), smb_strtouni() and smb_put_dmem()
functions of sys/netsmb/smb_subr.c, which corrupts the memory.
When the netsmb module is enabled on FreeBSD/NetBSD, a local
attacker can therefore generate overflows, in order to create a
denial of service or to elevate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-NetBSD-integer-overflows-of-netsmb-9754