Vigil@nce: Linux kernel, buffer overflow via CIFS
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can set up a malicious CIFS server and invite the
victim to mount a share in order to trigger an overflow in the
kernel.
Severity: 2/4
Consequences: user access/rights, denial of service of computer
Provenance: intranet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 06/04/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The fs/cifs directory of the Linux kernel source code implements a
CIFS/SMB client, used to mount a filesystem on a remote share.
The CIFSTCon() function in the fs/cifs/connect.c file implements
the TreeConnectAndX command. The response to this command contains
the "nativeFileSystem" field, whose value is generally NTFS, FAT or
SAMBA.
However, if the nativeFileSystem field is too long, a buffer
overflow occurs in the CIFSTCon() function.
An attacker can therefore set up a malicious CIFS server and invite
the victim to mount a share in order to trigger an overflow in
the kernel.
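As an added defensive illustration (hypothetical code written for this advisory, not the kernel's fs/cifs implementation): a bounded copy of a variable-length string field such as nativeFileSystem out of a received response buffer, which rejects an oversized or unterminated value instead of writing past fixed storage. The struct, the NATIVE_FS_MAX cap and the function names are assumptions.

```c
/* Added illustration, not the kernel's fs/cifs code: copy a variable-length
 * string field (standing in for nativeFileSystem) out of a received buffer
 * into fixed storage, bounded by both the packet and the destination. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NATIVE_FS_MAX 32   /* hypothetical cap on the stored name, incl. NUL */

struct tcon_info { char native_fs[NATIVE_FS_MAX]; };

/* Returns bytes consumed (string plus NUL), or 0 if the field is rejected.
 * buf points at the field; remaining is how many packet bytes are still
 * valid from that point. */
size_t parse_native_fs(const uint8_t *buf, size_t remaining,
                       struct tcon_info *out)
{
    /* Search for the terminator only within the packet; the peer may not
     * have terminated the string at all. */
    const uint8_t *nul = memchr(buf, '\0', remaining);
    if (nul == NULL)
        return 0;                  /* unterminated field: reject */
    size_t len = (size_t)(nul - buf);
    if (len >= NATIVE_FS_MAX)      /* oversized name: reject, don't overflow */
        return 0;
    memcpy(out->native_fs, buf, len);
    out->native_fs[len] = '\0';
    return len + 1;
}

/* Self-checks on constructed sample fields. */
int check_normal_name(void)
{
    struct tcon_info t;
    const uint8_t pkt[] = "NTFS";  /* 5 bytes including the NUL */
    return parse_native_fs(pkt, sizeof pkt, &t) == 5
        && strcmp(t.native_fs, "NTFS") == 0;
}

int check_oversized_name(void)
{
    struct tcon_info t;
    uint8_t pkt[64];
    memset(pkt, 'A', sizeof pkt);  /* 63 'A's followed by a terminator */
    pkt[sizeof pkt - 1] = '\0';
    return parse_native_fs(pkt, sizeof pkt, &t) == 0;
}
```

The two checks show the expected behaviour for a normal name and for a name longer than the destination; a field with no terminator inside the packet is rejected by the same path.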
CHARACTERISTICS
Identifiers: BID-34453, VIGILANCE-VUL-8602
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-CIFS-8602