Vigil@nce: Samba, memory fragment reading
November 2008 by Vigil@nce
An attacker authenticated on Samba can use specific commands to
obtain memory fragments from the daemon.
– Gravity: 1/4
– Consequences: data reading
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 27/11/2008
IMPACTED PRODUCTS
– Samba
DESCRIPTION
The SMB/CIFS protocol successively defined several commands that
encapsulate sub-commands: Trans, Trans2 and NTTrans. To use these
commands, the user has to be authenticated.
When Samba handles these commands, the offsets of the encapsulated
parameter and data blocks are incorrectly computed. The daemon can
therefore read outside the memory area containing the request data,
and copy these bytes into the answer.
An attacker authenticated on Samba can therefore use specific
commands to obtain memory fragments from the daemon.
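The following C example is added here to illustrate the bug class the description refers to; it is not Samba's code and makes no claim about how Samba computes these offsets. It assumes a constructed slice of daemon memory in which the received request is followed by unrelated data, a block extraction routine that trusts the offset and length supplied in the request (the vulnerable pattern), and a hardened routine that checks the region against the request length before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a slice of daemon memory: the received request
 * occupies the first REQ_LEN bytes; what follows is unrelated process data
 * that must never be copied into a reply. */
#define REQ_LEN 16
static const uint8_t daemon_mem[REQ_LEN + 8] = {
    'R','E','Q','U','E','S','T','-','P','A','R','A','M','S','.','.', /* request */
    'S','E','C','R','E','T','!','!'                                  /* adjacent data */
};

/* Vulnerable pattern (illustration only, not Samba's code): the offset and
 * length come straight from the request header and are applied relative to
 * the request start without comparing them to the request length, so a
 * region that extends past the request copies adjacent memory into `out`. */
size_t extract_block_unchecked(const uint8_t *req, size_t off, size_t len,
                               uint8_t *out)
{
    memcpy(out, req + off, len);
    return len;
}

/* Hardened form: the region [off, off+len) must lie inside the request and
 * must fit the reply buffer. The subtraction form avoids the integer wrap
 * that a naive `off + len > req_len` test would suffer with huge values.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
int extract_block_checked(const uint8_t *req, size_t req_len,
                          size_t off, size_t len,
                          uint8_t *out, size_t out_len)
{
    if (off > req_len || len > req_len - off) return -1; /* outside request */
    if (len > out_len) return -1;                         /* would overrun reply */
    memcpy(out, req + off, len);
    return (int)len;
}

/* A request header claiming a block at offset 12 of length 10: only 4 of
 * those bytes belong to the 16-byte request, the other 6 are adjacent data. */
int unchecked_reply_contains_adjacent_data(void)
{
    uint8_t reply[32] = {0};
    size_t n = extract_block_unchecked(daemon_mem, 12, 10, reply);
    return n == 10 && memcmp(reply + 4, "SECRET", 6) == 0;
}

int checked_rejects_oversized_block(void)
{
    uint8_t reply[32] = {0};
    return extract_block_checked(daemon_mem, REQ_LEN, 12, 10, reply, sizeof reply) == -1;
}

/* A length chosen so that off + len wraps around must still be rejected. */
int checked_rejects_wrapping_length(void)
{
    uint8_t reply[32] = {0};
    return extract_block_checked(daemon_mem, REQ_LEN, 8, SIZE_MAX, reply, sizeof reply) == -1;
}

/* A block that really lies inside the request is copied as expected. */
int checked_accepts_in_bounds_block(void)
{
    uint8_t reply[32] = {0};
    int n = extract_block_checked(daemon_mem, REQ_LEN, 8, 6, reply, sizeof reply);
    return n == 6 && memcmp(reply, "PARAMS", 6) == 0;
}

int main(void)
{
    printf("unchecked copy leaks adjacent data: %d\n", unchecked_reply_contains_adjacent_data());
    printf("checked copy rejects oversized block: %d\n", checked_rejects_oversized_block());
    printf("checked copy rejects wrapping length: %d\n", checked_rejects_wrapping_length());
    printf("checked copy accepts in-bounds block: %d\n", checked_accepts_in_bounds_block());
    return 0;
}
```

The check is the generic mitigation for this class of issue: every offset and length taken from a client-supplied header must be validated against the size of the buffer actually received before it drives a copy, and the validation must be written so that large values cannot wrap the arithmetic.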
CHARACTERISTICS
– Identifiers: BID-32494, CVE-2008-4314, VIGILANCE-VUL-8270
– Url: http://vigilance.fr/vulnerability/8270