Vigil@nce: Linux kernel, buffer overflow via CIFS
April 2009 by Vigil@nce
An attacker can set up a malicious CIFS server and invite the
victim to mount a share in order to generate an overflow in the
kernel.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 20/04/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The fs/cifs directory of the Linux kernel source code implements a
CIFS/SMB client, used to mount a filesystem on a remote share.
The CIFS protocol can be initialized with Unicode support, to
handle international filenames. In this case, data in packets have
to be located at offsets which are a multiple of 16 bits. As a
result, a packet may have to carry a padding byte for each
string.
The CIFS_SessSetup() function of the fs/cifs/sess.c file does not
handle the padding byte when decoding the "serverDomain" string.
This error generates a buffer overflow.
An attacker can therefore set up a malicious CIFS server and invite
the victim to mount a share in order to generate an overflow in
the kernel.
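As an added example (not the kernel's fs/cifs code), a simplified decoder for the trailing Unicode strings of a session-setup response that shows the check described above: the 16-bit alignment pad must be consumed and subtracted from the remaining byte count before any string is measured, and every string is measured only within what remains. The three-string layout (NativeOS, NativeLanMan, PrimaryDomain), the fixed-size domain buffer and the ASCII-only copy are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define DOMAIN_MAX 32   /* fixed-size destination for PrimaryDomain (assumed) */

/* 16-bit units before the NUL terminator, or -1 if none within bounds. */
static int utf16_len_bounded(const uint8_t *p, size_t words_left)
{
    for (size_t i = 0; i < words_left; i++)
        if (p[2 * i] == 0 && p[2 * i + 1] == 0)
            return (int)i;
    return -1;
}

/* Decode NativeOS, NativeLanMan and PrimaryDomain from the byte block of a
 * session-setup response.  If the block starts at an odd packet offset the
 * server prepends one pad byte so the UTF-16LE strings stay 16-bit aligned;
 * it is consumed and subtracted from the remaining count before any string
 * is measured.  Returns 0 on success, -1 if the block is malformed. */
int decode_ssetup_strings(const uint8_t *data, size_t bcc, int odd_offset,
                          char domain_out[DOMAIN_MAX])
{
    if (odd_offset) {
        if (bcc < 1) return -1;
        data++; bcc--;                       /* consume the alignment pad */
    }
    size_t words_left = bcc / 2;             /* ignore a dangling odd byte */
    for (int i = 0; i < 3; i++) {
        int n = utf16_len_bounded(data, words_left);
        if (n < 0) return -1;                /* unterminated: reject block */
        if (i == 2) {                        /* PrimaryDomain, length-capped */
            int lim = n < DOMAIN_MAX - 1 ? n : DOMAIN_MAX - 1;
            for (int j = 0; j < lim; j++)
                domain_out[j] = (char)data[2 * j];  /* ASCII-range sample */
            domain_out[lim] = '\0';
        }
        data += 2 * (n + 1);                 /* skip string + terminator */
        words_left -= (size_t)n + 1;
    }
    return 0;
}

/* Constructed sample: one pad byte, then "OS", "LM", "DOM" in UTF-16LE. */
static const uint8_t sample[] = { 0x00,
    'O',0,'S',0,0,0,  'L',0,'M',0,0,0,  'D',0,'O',0,'M',0,0,0 };

/* 0: first `len` bytes decode to domain "DOM"; -1: decoder rejected the
 * block (e.g. truncated before the last terminator); -2: wrong domain. */
int check_sample(size_t len)
{
    char dom[DOMAIN_MAX];
    int rc = decode_ssetup_strings(sample, len, 1, dom);
    return rc != 0 ? rc : (strcmp(dom, "DOM") == 0 ? 0 : -2);
}
```

Passing the full 21-byte sample returns 0 with domain "DOM"; cutting the block short of the final terminator makes the decoder return -1 instead of reading past the buffer.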
CHARACTERISTICS
– Identifiers: BID-34612, BID-34615, VIGILANCE-VUL-8652
– Url: http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-CIFS-8652