Twenty Year Anniversary

142004.txt

142004.txt
Posted Nov 20, 2004
Authored by Stefan Esser | Site security.e-matters.de

During an audit of the smb filesystem implementation within Linux several vulnerabilities were discovered ranging from out of bounds read accesses to kernel level buffer overflows. The 2.4 series up to 2.4.27 is affected and the 2.6 series up to 2.6.9 is affected.

tags | advisory, overflow, kernel, vulnerability
systems | linux
advisories | CVE-2004-0883, CVE-2004-0949
MD5 | 6dbd64513c8583c5c3583aa170d5180b

142004.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: Linux 2.x smbfs multiple remote vulnerabilities
Release Date: 2004/11/17
Last Modified: 2004/11/17
Author: Stefan Esser [s.esser@e-matters.de]

Application: Linux 2.4 <= 2.4.27
Linux 2.6 <= 2.6.9
Severity: Several vulnerabilities within smbfs allow
crashing the kernel or leaking kernel memory
with the help of the smb server
Risk: Moderately Critical
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/142004.html


Overview:

Linux is a clone of the operating system Unix, written from scratch
by Linus Torvalds with assistance from a loosely-knit team of hackers
across the Net. It aims towards POSIX and Single UNIX Specification
compliance.

During an audit of the smb filesystem implementation within Linux
several vulnerabilities were discovered ranging from out of bounds
read accesses to kernel level buffer overflows.

To exploit any of these vulnerabilities an attacker needs control
over the answers of the connected smb server. This could be achieved
by man in the middle attacks or by taking over the smb server with
f.e. the recently disclosed vulnerability in Samba 3.x

While any of these vulnerabilities can be easily used as remote
denial of service exploits against Linux systems, it is unclear if
it is possible for a skilled local or remote attacker to use any of
the possible bufferoverflows for arbitrary code execution in kernel
space.


Details:

[ 01 - smb_proc_read(X) malicious data count overflow ]

Affected Kernels: 2.4

When receiving the answer to a read(X) request the Linux 2.4 kernel
trusts the returned data count and copies exactly that amound of
bytes into the output buffer. This means any call to the read
syscall on a smb filesystem could result in an overflow withing
kernel memory if the connected smb server returns more data than
requested. While this is a trivial to exploit DOS vulnerability
it is unclear if it can be used by a skilled attacker to execute
arbitrary code.

[ 02 - smb_proc_readX malicious data offset information leak ]

Affected Kernels: 2.4

When receiving the answer to a readX request the Linux 2.4 kernel
does not properly bounds check the supplied data offset. The check
in place can fail because of a signedness issue. This means that
a local attacker can leak kernel memory simply by issuing the read
syscall on a smb filesystem when the connected server returns a
data offset from outside the packet. This can of course also lead
to a kernel crash when unallocated memory is accessed.

[ 03 - smb_receive_trans2 defragmentation overflow ]

Affected Kernels: 2.4

At the end of the TRANS2 defragmentation process the complete
packet is moved to another place if a certain condition is true.
In combination with [07] and the fact that the counters are not
bounds checked befory coyping the data this can result in a
kernel memory overflow.

[ 04 - smb_proc_readX_data malicious data offset DOS ]

Affected Kernels: 2.6

The server supplied data offset is decremented by the header size
and then used as offset within the packet. While the supplied
offset is checked against an upper bound it may have underflowed
and therefore point outside the allocated memory. Any access to
that memory could result in a crash.

[ 05 - smb_receive_trans2 malicious parm/data offset info leak/DOS ]

Affected Kernels: 2.4, 2.6

Both versions of the kernel do not properly bounds check the
server supplied packet based offset of the parameters/data sent.
This results in smbfs copying data from memory outside the received
smb fragment into the receiving buffer. This can leak kernel memory
to the calling function or result in a DOS because of accesses to
unallocated memory.

[ 06 - smb_recv_trans2 missing fragment information leak ]

Affected Kernels: 2.4, 2.6

The defragmentation process of TRANS2 SMB packets does not properly
initialize the receiving buffer. An attacker may f.e. send several
thousand times the first byte of a packet until the received data
count reaches the expected total and so leakes the rest of the
uninitialised receiving buffer to the calling function.

[ 07 - smb_recv_trans2 fragment resending leads to invalid counters ]

Affected Kernels: 2.4, 2.6

The defragmentation termination condition is that atleast the
expected parameter count and at least the expected data count is
reached. By using the fragment resending technique an attacker
can increase one of those counters to an arbitrary high value.


Proof of Concept:

e-matters is not going to release exploits for any of these
vulnerabilities to the public.


Disclosure Timeline:

25. September 2004 - Made initial contact with the Linux Developers
27. September 2004 - Contacted vendor-sec about this issue
22. October 2004 - Sent the 2nd round of smbfs vulnerabilities to
both parties
27. October 2004 - Sent final patchset for 2.4 and 2.6 kernel
to the developers
11. November 2004 - Linux 2.4.28-rc3 containing the final patchset
was made available by the developers
17. November 2004 - Linux 2.4.28 released
17. November 2004 - Public Disclosure


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0883 to the issues 01-05 and the name
CAN-2004-0949 to the issues 06, 07.


Recommendation:

Anyone using smbfs with Linux should upgrade as soon as possible
to the new kernels.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBm4syb31XLTAExLwRAtnTAJ9R8g5O75dA1zHNAdvI3Q6QuHTjhACfUqd7
pD65DUSyi0vyGsfypop1NoI=
=KJBQ
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    10 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    34 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    14 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close