SecurityTracker.com Archives - Linux Kernel Buffer Overflow in CIFS VFS May Let Remote Authenticated Users Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: OS (Linux) > Linux Kernel

Vendors: kernel.org

Linux Kernel Buffer Overflow in CIFS VFS May Let Remote Authenticated Users Execute Arbitrary Code

SecurityTracker Alert ID: 1019612

SecurityTracker URL: http://securitytracker.com/id?1019612

CVE Reference: CVE-2007-5904 (Links to External Site)

Date: Mar 14 2008

Impact: Denial of service via network, Execution of arbitrary code via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2.6.23.1

Description: A vulnerability was reported in the Linux kernel. A remote authenticated user may be able to execute arbitrary code on the target system.

A remote authenticated user can send specially crafted data to trigger a buffer overflow in the SendReceive() function in 'transport.c' to cause the target system to crash.

It may be possible to execute arbitrary code on the target system.

Przemyslaw Wegrzyn reported this vulnerability in November 2007.

Impact: A remote authenticated user can cause denial of service conditions.

A remote authenticated user may be able to execute arbitrary code on the target system.

Solution: The vendor has issued a source code fix, available at:

http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=tree;h=b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b;hb=133672efbc1085f9af990bdc145e1822ea93bcf3

Vendor URL: www.kernel.org/ (Links to External Site)

Cause: Boundary error

Underlying OS: Linux (Caldera/SCO), Linux (Conectiva), Linux (Debian), Linux (EnGarde), Linux (Gentoo), Linux (HP Secure OS), Linux (Immunix), Linux (Mandriva/Mandrake), Linux (Progeny Debian), Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SGI), Linux (Slackware), Linux (Sun), Linux (SuSE), Linux (Trustix), Linux (Turbo Linux), Linux (Ubuntu), Linux (Xandros)

Reported By: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>

Message History: This archive entry has one or more follow-up message(s) listed below.

Mar 14 2008

(Red Hat Issues Fix) Linux Kernel Buffer Overflow in CIFS VFS May Let Remote Authenticated Users Execute Arbitrary Code (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.

Source Message Contents

Date: 2007-11-08 21:20:03
From: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Subject: Buffer overflow in CIFS VFS.

 
Hello all,
 
I was looking at CIFS VFS code recently, trying to solve other issue,
just to find something that looks like a buffer overflow  bug.
The problem is in SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers.
 
To check this finding I patched Samba server to send oversized logoffX
messages. With ~ 16kB messages the client running 2.6.23.1 crashed upon
unmounting.
 
I've done a quick fix, available here:
http://czajnick.sitenet.pl/cifs-buffer-overflow-fix.patch.gz
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC