Vigil@nce - Samba: information disclosure via shadow_copy
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is authenticated on a Samba server with Shadow Copy
can use two queries to read memory fragments, in order to obtain
sensitive information.
Impacted products: Samba
Severity: 2/4
Creation date: 28/05/2014
DESCRIPTION OF THE VULNERABILITY
The "vfs objects" (Virtual File System) parameter of the Samba
configuration supports the shadow_copy and shadow_copy2 modules,
which are used to perform intermediate copies of files.
The FSCTL_GET_SHADOW_COPY_DATA and FSCTL_SRV_ENUMERATE_SNAPSHOTS
queries are used to manage Shadow Copies. However, Samba
implements them without initializing 8 bytes in the reply message.
This message is then sent to the client.
An attacker who is authenticated on a Samba server with Shadow Copy
can therefore use two queries to read memory fragments, in order to
obtain sensitive information.
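
To check whether a server is in the configuration described above, this added example (not part of the Vigil@nce bulletin or of Samba) lists the shares of an smb.conf that load shadow_copy or shadow_copy2 through "vfs objects", treating [global] as the default for shares. The sample configuration is constructed, and include directives are not followed.

```python
import re

SHADOW_MODULES = {"shadow_copy", "shadow_copy2"}  # modules named in the bulletin

# Constructed sample configuration (not taken from the bulletin).
SAMPLE_CONF = """\
[global]
   vfs objects = shadow_copy2
[projects]
   path = /srv/projects
[scratch]
   VFS Objects =
[archive]
   vfs object = recycle \\
       shadow_copy
"""

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def shares_with_shadow_copy(conf_text):
    """Return {share: [shadow copy modules]} for shares that load one."""
    sections, vfs, current = [], {}, None
    # A line ending in a backslash continues on the next line.
    for line in map(str.strip, re.sub(r"\\\r?\n", "", conf_text).splitlines()):
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)        # only the first '=' counts
            if _norm(key) in ("vfsobjects", "vfsobject"):  # "vfs object" is a synonym
                vfs[current] = [m.split(":")[0].lower() for m in re.split(r"[\s,]+", value) if m]
    default = vfs.get("global", [])                # [global] supplies share defaults
    found = {}
    for share in sections:
        hits = [m for m in vfs.get(share, default) if m in SHADOW_MODULES]
        if hits and share != "global":
            found[share] = hits
    return found

if __name__ == "__main__":
    for share, mods in shares_with_shadow_copy(SAMPLE_CONF).items():
        print(f"[{share}] loads {', '.join(mods)}")
```

A share that sets an empty "vfs objects" value overrides the [global] default and is not reported.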
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-information-disclosure-via-shadow-copy-14811