[UNIX] Buffer Overflow in Samba allows remote root compromise
From: support@securiteam.com
Date: 04/09/03
From: support@securiteam.com To: list@securiteam.com Date: 9 Apr 2003 22:42:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Buffer Overflow in Samba allows remote root compromise
------------------------------------------------------------------------
SUMMARY
Samba is an Open Source/Free Software suite that provides seamless file
and print services to SMB/CIFS clients. Samba-TNG was originally a fork
off of the Samba source tree, and aims at being a substitute for a Windows
NT domain controller.
A buffer overflow vulnerability in the Samba daemon allows an attacker to
gain remote root access.
DETAILS
An anonymous user can gain remote root access due to a buffer overflow
caused by a StrnCpy() into a char array (fname) using a non-constant
length (namelen).
StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
In the call_trans2open function in trans2.c, the Samba StrnCpy function
copies pname into fname using namelen. The variable namelen is assigned
the value of strlen(pname)+1, which causes the overflow.
The variable 'fname' is of type pstring, a typedef for a char array of
1024 bytes. If pname is longer than 1024 bytes, you can overwrite almost
anything you want past the 1024th byte, up to sizeof(pname) or the value
returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which
should be around 2000 bytes.
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0201 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
Solutions and workarounds:
Upgrading to the latest version of Samba or Samba-TNG is the recommended
solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG
version 0.3.2 are not vulnerable. There will be no new releases for the
2.0 line of Samba code. The only fix for Samba 2.0 is to apply the patches
that Samba is providing.
A workaround in the current source code for this specific vulnerability
would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in
the Samba 2.2.8 source code:
-StrnCpy(fname,pname,namelen);
+StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
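Review bot: the cap sizeof(fname)-1 is only correct because fname is a pstring array in call_trans2open's own scope, as the DETAILS section states; applied where fname is a char * parameter, sizeof would give the pointer size and truncate the name to a few bytes. The -1 leaves room for the NUL terminator only if StrnCpy terminates the destination; if it does not, add an explicit fname[sizeof(fname)-1] = '\0'; after the copy. The DETAILS section cites this call as line 252 of smbd/trans2.c while this paragraph says line 250; the two references should agree.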
As a result of this vulnerability being identified, at least three others
have also been found by the Samba team after reviewing similar usages in
the source tree: one is a static overflow and the other two are heap
overflows. Applying the fix above only protects against the specific
problem identified in this advisory. To fully protect yourself, you must
apply the patches from Samba, or upgrade to 2.2.8a.
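The following C program is an added illustration, not Samba's code, of the two points above: the DETAILS section's length computation (namelen = strlen(pname)+1 copied into a 1024-byte pstring) and the workaround's MIN(namelen, sizeof(fname)-1) cap. It models fname as a local 1024-byte array and pname as a constructed 1500-byte name; the function and variable names other than fname, pname, namelen and pstring are assumptions. It checks whether the unbounded copy would exceed the array rather than performing it, and shows the bounded copy truncating and NUL-terminating instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in (not Samba's own code) for the advisory's setup:
 * fname is a pstring, a 1024-byte char array, and namelen is strlen(pname)+1. */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Reproduces the length computation from the advisory and reports whether an
 * unbounded StrnCpy(fname, pname, namelen) would write past the end of fname.
 * Nothing is copied here; this is the bounds check, not the overflow. */
int unbounded_copy_would_overflow(const char *pname, size_t fname_size)
{
    size_t namelen = strlen(pname) + 1;   /* as described for call_trans2open */
    return namelen > fname_size;
}

/* Bounded copy mirroring the workaround MIN(namelen, sizeof(fname)-1):
 * never writes more than fname_size-1 bytes and always NUL-terminates.
 * fname_size must be the real array size; an array parameter decays to a
 * pointer, so sizeof(fname) would be wrong here, which is why it is passed in.
 * Returns the resulting string length. */
size_t copy_name_bounded(char *fname, size_t fname_size, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    size_t n = MIN(namelen, fname_size - 1);
    memcpy(fname, pname, n);   /* n <= strlen(pname)+1, so the read stays in bounds */
    fname[n] = '\0';           /* n <= fname_size-1, so the terminator stays in bounds */
    return strlen(fname);
}

/* Constructed sample input: a 1500-byte name, well past the 1024-byte pstring. */
#define LONG_NAME_LEN 1500

static void make_long_name(char *buf)
{
    memset(buf, 'A', LONG_NAME_LEN);
    buf[LONG_NAME_LEN] = '\0';
}

int demo_long_name_overflows(void)
{
    static char pname[LONG_NAME_LEN + 1];
    make_long_name(pname);
    return unbounded_copy_would_overflow(pname, sizeof(pstring));
}

int demo_short_name_fits(void)
{
    return unbounded_copy_would_overflow("share\\file.txt", sizeof(pstring));
}

size_t demo_bounded_copy_length(void)
{
    static char pname[LONG_NAME_LEN + 1];
    pstring fname;                       /* local array, so sizeof(fname) is 1024 */
    make_long_name(pname);
    return copy_name_bounded(fname, sizeof(fname), pname);
}

int main(void)
{
    printf("1500-byte name would overflow the unbounded copy: %d\n", demo_long_name_overflows());
    printf("short name would overflow: %d\n", demo_short_name_fits());
    printf("bounded copy keeps %zu bytes of the 1500-byte name\n", demo_bounded_copy_length());
    return 0;
}
```

The bounded copy truncates the 1500-byte name to 1023 bytes plus the terminator, which is exactly the behaviour the MIN() workaround gives call_trans2open; the unbounded variant would have written roughly 477 bytes past fname.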
Samba is available for download from: http://www.samba.org/
Samba-TNG is available for download from: http://www.samba-tng.org/
Vendor status:
Vendor notified.
All major software vendors published fix packages.
ADDITIONAL INFORMATION
The original security advisory was distributed by Digital Defense Inc and
can be found at:
http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.