News
Vigil@nce - FreeBSD, NetBSD: integer overflows of netsmb
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the netsmb module is enabled on FreeBSD/NetBSD, a local attacker can generate overflows, in order to create a denial of service or to elevate his privileges.
Severity: 2/4
Creation date: 13/07/2010
DESCRIPTION OF THE VULNERABILITY
The netsmb module implements a SMB/CIFS client for the FreeBSD/NetBSD kernel.
The mount_smbfs command mounts remote SMB/CIFS shares to a local directory. This command uses the /dev/nsmbx devices to exchange data with netsmb.
A local attacker can directly connect to /dev/nsmbx and send malicious SMBIOC_LOOKUP and SMBIOC_OPENSESSION ioctls. An integer then becomes negative in smb_strdup(), smb_strdupin(), smb_memdupin(), smb_zmalloc(), smb_strtouni() and smb_put_dmem() functions of sys/netsmb/smb_subr.c, which corrupts the memory.
When the netsmb module is enabled on FreeBSD/NetBSD, a local attacker can therefore generate overflows, in order to create a denial of service or to elevate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
GOLD SPONSOR
