Security Advisory 14/2004

A security audit of the smb filesystem implementation within Linux 2.x has revealed several remotely exploitable vulnerabilities that could leak portions of kernel memory to the attacker or could result in kernel crashs.

Advisory 14/2004
Linux 2.x smbfs multiple remote vulnerabilities

 

Release Date: 2004/11/17
Author: Stefan Esser
Application: Linux 2.x <= 2.4.27, Linux 2.7 <= 2.6.9
Severity: Several vulnerabilities within smbfs allow crashing the kernel or leaking kernel memory with the help of the smb server
Risk: Moderately Critical
Last Modified:   2004/11/17

 

Overview

Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance.

During an audit of the smb filesystem implementation within Linux several vulnerabilities were discovered ranging from out of bounds read accesses to kernel level buffer overflows.

To exploit any of these vulnerabilities an attacker needs control over the answers of the connected smb server. This could be achieved by man in the middle attacks or by taking over the smb server with f.e. the recently disclosed vulnerability in Samba 3.x

While any of these vulnerabilities can be easily used as remote denial of service exploits against Linux systems, it is unclear if it is possible for a skilled local or remote attacker to use any of the possible bufferoverflows for arbitrary code execution in kernel space.

 

Details

[ 01 - smb_proc_read(X) malicious data count overflow ]
  
Affected Kernels: 2.4
  
When receiving the answer to a read(X) request the Linux 2.4 kernel trusts the returned data count and copies exactly that amound of bytes into the output buffer. This means any call to the read syscall on a smb filesystem could result in an overflow withing kernel memory if the connected smb server returns more data than requested. While this is a trivial to exploit DOS vulnerability it is unclear if it can be used by a skilled attacker to execute arbitrary code.
[ 02 - smb_proc_readX malicious data offset information leak ]
  
Affected Kernels: 2.4
  
When receiving the answer to a readX request the Linux 2.4 kernel does not properly bounds check the supplied data offset. The check in place can fail because of a signedness issue. This means that a local attacker can leak kernel memory simply by issuing the read syscall on a smb filesystem when the connected server returns a data offset from outside the packet. This can of course also lead to a kernel crash when unallocated memory is accessed.
[ 03 - smb_receive_trans2 defragmentation overflow ]
  
Affected Kernels: 2.4
  
At the end of the TRANS2 defragmentation process the complete packet is moved to another place if a certain condition is true. In combination with [07] and the fact that the counters are not bounds checked befory coyping the data this can result in a kernel memory overflow.
[ 04 - smb_proc_readX_data malicious data offset DOS ]
  
Affected Kernels: 2.6
  
The server supplied data offset is decremented by the header size and then used as offset within the packet. While the supplied offset is checked against an upper bound it may have underflowed and therefore point outside the allocated memory. Any access to that memory could result in a crash.
[ 05 - smb_receive_trans2 malicious parm/data offset info leak/DOS ]
 
Affected Kernels: 2.4, 2.6
  
Both versions of the kernel do not properly bounds check the server supplied packet based offset of the parameters/data sent. This results in smbfs copying data from memory outside the received smb fragment into the receiving buffer. This can leak kernel memory to the calling function or result in a DOS because of accesses to unallocated memory.
[ 06 - smb_recv_trans2 missing fragment information leak ]
  
Affected Kernels: 2.4, 2.6
  
The defragmentation process of TRANS2 SMB packets does not properly initialize the receiving buffer. An attacker may f.e. send several thousand times the first byte of a packet until the received data count reaches the expected total and so leakes the rest of the uninitialised receiving buffer to the calling function.
[ 07 - smb_recv_trans2 fragment resending leads to invalid counters ]
  
Affected Kernels: 2.4, 2.6
  
The defragmentation termination condition is that atleast the expected parameter count and at least the expected data count is reached. By using the fragment resending technique an attacker can increase one of those counters to an arbitrary high value.

 

Proof of Concept

e-matters is not going to release exploits for any of these vulnerabilities to the public.

 

Disclosure Timeline

25. Sep 2004 Made initial contact with the Linux Developers
27. Sep 2004 Contacted vendor-sec about this issue
22. Oct 2004 Sent the 2nd round of smbfs vulnerabilities to both parties
27. Oct 2004 Sent final patchset for 2.4 and 2.6 kernel to the developers
11. Nov 2004 Linux 2.4.28-rc3 containing the final patchset was made available by the developers
17. Nov 2004 Linux 2.4.28 released
17. Nov 2004 Public Disclosure

 

CVE Information

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0883 to the issues 01-05 and the name CAN-2004-0949 to the issues 06, 07.

 

Recommendation

Anyone using smbfs with Linux should upgrade as soon as possible to the new kernels.