[Full-Disclosure] iDEFENSE Security Advisory 09.13.04a: Samba nmbd Invalid Length Denial of Service Vulnerability

idlabs-advisories_at_idefense.com
Date: 09/13/04

  • Next message: Kyle Maxwell: "Re: [Full-Disclosure] Daily mass scan from APNIC?" 
    To: <idlabs-advisories@idefense.com>
Date: Mon, 13 Sep 2004 10:47:16 -0400

    Samba nmbd Invalid Length Denial of Service Vulnerability

    iDEFENSE Security Advisory 09.13.04a
    www.idefense.com/application/poi/display?id=138&type=vulnerabilities
    September 13, 2004

    I. BACKGROUND

    Samba is a software suite that provides file and print services to
    SMB/CIFS clients, such as Microsoft Windows platforms. For more
    information see:

    http://www.samba.org/

    II. DESCRIPTION

    Remote exploitation of an input validation error in Samba allows an
    attacker to crash the Samba nmbd server. The nmbd is a server, typically
    listening on UDP port 138, understands and can reply to NetBIOS over IP
    name service requests, and participates in the browsing protocols that
    comprise the Windows "Network Neighborhood" view. Due to an input
    validation error, a malformed UDP packet can cause the nmbd server to
    crash while attempting to access memory outside of what is available.
    The vulnerability specifically exists in the process_logon_packet()
    function when it handles a SAM_UAS_CHANGE request. Part of this packet
    contains a count of the number of structures that follow. No check is
    made against the length of the packet to determine whether it is
    possible to have as many structures in it as it claims. If a large value
    is supplied, but a small number of structures are supplied, nmbd will
    reference memory outside of the packet it has been supplied. This may
    cause the nmbd process to crash.

    The following is a trace of exploitation, showing the server no longer
    responding to an nmblookup. The nmblookup tool is used to query NetBIOS
    names and map them to IP addresses.

    sh-2.05b$ nmblookup -A 10.1.0.240
    Looking up status of 10.1.0.240
            FEDORA1 <00> - B <ACTIVE>
            FEDORA1 <03> - B <ACTIVE>
            FEDORA1 <20> - B <ACTIVE>
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
            MYGROUP <00> - <GROUP> B <ACTIVE>
            MYGROUP <1b> - B <ACTIVE>
            MYGROUP <1c> - B <ACTIVE>
            MYGROUP <1e> - <GROUP> B <ACTIVE>
     
    sh-2.05b$ ./n 10.1.0.240 138 fedora1
     
    Samba 3.x nmbd remote DoS exploit (0day)
     
    Attacking 10.1.0.240:138 ..
    Done, nmbd should be killed now.
    sh-2.05b$ nmblookup -A 10.1.0.240
    Looking up status of 10.1.0.240
     
    sh-2.05b$

    III. ANALYSIS

    This vulnerability is only exploitable if the daemon has been configured
    to process domain logons. This vulnerability does not allow arbitrary
    code execution. When the nmbd process dies, it no longer returns
    information about the server, and the host is no longer accessible by
    referencing its name.

    IV. DETECTION

    iDEFENSE has confirmed Samba 3.0.2 is vulnerable. Analysis of the
    source suggests that version 3.0.4 is also vulnerable. Samba 2.x does
    not include the affected code and, therefore, is not affected by this
    vulnerability. The line 'domain logons = yes' must also occur in
    smb.conf for this issue to be exploitable. Note that removal of this
    line from the configuration file, although it will prevent exploitation,
    may also affect the Samba server's functionality.

    The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6
    are vulnerable.

    V. WORKAROUND

    iDEFENSE is currently unaware of any effective workarounds for this
    issue. Removal of the line "domain logons = yes" from the smb.conf file
    for the server will prevent exploitation but may also affect the Samba
    server's functionality.

    VI. VENDOR RESPONSE

    The patch file for Samba 3.0.5 addressing [the] bug
    (samba-3.0.5-DoS.patch) can be downloaded from:

       http://download.samba.org/samba/ftp/patches/security/

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    names CAN-2004-0808 to these issues. This is a candidate for inclusion
    in the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    09/02/2004 Initial vendor notification
    09/02/2004 iDEFENSE clients notified
    09/02/2004 Vendor response
    09/13/2004 Coordinated public disclosure

    IX. CREDIT

    The discoverer of this vulnerability wishes to remain anonymous.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Kyle Maxwell: "Re: [Full-Disclosure] Daily mass scan from APNIC?"

    Relevant Pages