[UNIX] Samba Services Remote Denial Of Service Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/04

    To: list@securiteam.com
    Date: 14 Sep 2004 13:47:02 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Samba Services Remote Denial Of Service Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     Samba (http://www.samba.org/samba) is an Open Source/Free Software suite
    that provides seamless file and print services to SMB/CIFS clients.

    A remote attacker is able to crash the Samba nmbd service thereby creating
    a denial of service condition. The attack is possible due to an input
    validation error. In addition, the Samba smbd service is vulnerable to a
    resource exhaustion attack resulting in denial of service.

    DETAILS

    Vulnerable Systems:
     * Samba nmbd and smbd services version 3.0.6 and prior

    Immune Systems:
     * Samba version 2.x

    CVE Information:
     CAN-2004-0807 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807>
     CAN-2004-0808 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808>

    Samba nmbd service DoS
    nmbd is the NetBIOS name server, typically listening on UDP ports 137
    (name service) and 138 (datagram service). It understands and replies to
    NetBIOS over IP name service requests and participates in the browsing
    protocols that make up the Windows "Network Neighborhood" view. Due to an
    input validation error, a single malformed UDP datagram can make nmbd read
    past the end of the packet it received; when that read crosses into memory
    not mapped for the process, nmbd crashes.

    The vulnerability lies in the process_logon_packet() function when it
    handles a SAM_UAS_CHANGE request. Part of this packet is a count of the
    number of structures that follow. That count is never checked against the
    length of the packet to determine whether the packet can actually hold as
    many structures as it claims. If a large count is supplied but only a few
    structures are present, nmbd walks through memory beyond the end of the
    packet it was handed, which may cause the nmbd process to crash.
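    The following C program is an added illustration of the bug class described
    above; it is not code from this advisory, from iDEFENSE or from Samba. It
    models a count-prefixed list of structures with two parsers: one that loops
    as many times as the packet says (the pattern behind the nmbd crash) and one
    that first checks the count against the bytes actually received. The 4-byte
    little-endian count, the 8-byte record size and the sample datagrams are
    assumptions made for the example, not the real SAM_UAS_CHANGE layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative wire format (an assumption for this example, not Samba's
 * actual SAM_UAS_CHANGE layout): a 32-bit little-endian count of records,
 * followed by that many fixed-size records. */
#define HDR_SIZE 4
#define REC_SIZE 8

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the loop bound is taken from the datagram and never
 * compared with the number of bytes actually received, so a large count
 * walks past the end of the packet. Returns the number of records walked;
 * if sum is non-NULL it receives a byte sum, which makes the over-read
 * visible to the caller. */
long walk_records_trusting_count(const uint8_t *pkt, size_t len, uint32_t *sum)
{
    if (len < HDR_SIZE)
        return -1;
    uint32_t count = get_le32(pkt);
    const uint8_t *rec = pkt + HDR_SIZE;
    uint32_t s = 0;
    for (uint32_t i = 0; i < count; i++) {     /* no check against len */
        for (int j = 0; j < REC_SIZE; j++)
            s += rec[j];
        rec += REC_SIZE;
    }
    if (sum)
        *sum = s;
    return (long)count;
}

/* Hardened pattern: work out how many whole records the datagram can hold
 * and reject a count that exceeds it before touching any record. Dividing
 * the remaining length rather than multiplying count * REC_SIZE avoids an
 * integer overflow that could let a huge count slip past the check. */
long walk_records_checked(const uint8_t *pkt, size_t len, uint32_t *sum)
{
    if (len < HDR_SIZE)
        return -1;
    uint32_t count = get_le32(pkt);
    size_t capacity = (len - HDR_SIZE) / REC_SIZE;
    if (count > capacity)                      /* claims more than it carries */
        return -1;
    const uint8_t *rec = pkt + HDR_SIZE;
    uint32_t s = 0;
    for (uint32_t i = 0; i < count; i++) {
        for (int j = 0; j < REC_SIZE; j++)
            s += rec[j];
        rec += REC_SIZE;
    }
    if (sum)
        *sum = s;
    return (long)count;
}

/* Constructed sample datagrams. MALFORMED claims 100 records but carries
 * only one; WELLFORMED claims and carries two. */
static const uint8_t MALFORMED[] = { 100, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t WELLFORMED[] = { 2, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16 };

/* Runs the trusting parser on MALFORMED copied into a sentinel-filled arena
 * so the over-read stays inside memory this program owns (a real nmbd has
 * no such cushion, which is why it crashes). Returns records walked. */
long demo_trusting_overread(uint32_t *sum)
{
    uint8_t arena[1024];
    memset(arena, 0xAA, sizeof arena);
    memcpy(arena, MALFORMED, sizeof MALFORMED);
    return walk_records_trusting_count(arena, sizeof MALFORMED, sum);
}

int main(void)
{
    uint32_t sum = 0;
    long n = demo_trusting_overread(&sum);
    printf("trusting parser: walked %ld records (only 1 sent), byte sum %u\n", n, sum);
    printf("checked parser on malformed datagram: %ld\n",
           walk_records_checked(MALFORMED, sizeof MALFORMED, NULL));
    printf("checked parser on well-formed datagram: %ld\n",
           walk_records_checked(WELLFORMED, sizeof WELLFORMED, NULL));
    return 0;
}
```

    The trusting parser reports 100 records for a 12-byte datagram and its byte
    sum includes the 0xAA sentinel bytes it was never sent; the checked parser
    returns -1 for the same input and 2 for the well-formed one. The same length
    check also catches a datagram that has simply been truncated, which is the
    other way a count can disagree with the bytes on the wire.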

    The following is a trace of exploitation, showing the server no longer
    responding to an nmblookup. The nmblookup tool is used to query NetBIOS
    names and map them to IP addresses:

    sh-2.05b$ nmblookup -A 10.1.0.240
    Looking up status of 10.1.0.240
            FEDORA1 <00> - B <ACTIVE>
            FEDORA1 <03> - B <ACTIVE>
            FEDORA1 <20> - B <ACTIVE>
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
            MYGROUP <00> - <GROUP> B <ACTIVE>
            MYGROUP <1b> - B <ACTIVE>
            MYGROUP <1c> - B <ACTIVE>
            MYGROUP <1e> - <GROUP> B <ACTIVE>
     
    sh-2.05b$ ./n 10.1.0.240 138 fedora1
     
    Samba 3.x nmbd remote DoS exploit (0day)
     
    Attacking 10.1.0.240:138 ..
    Done, nmbd should be killed now.
    sh-2.05b$ nmblookup -A 10.1.0.240
    Looking up status of 10.1.0.240
     
    sh-2.05b$

    This vulnerability is only exploitable if nmbd has been configured to
    process domain logons, that is, if smb.conf (the file controlling Samba's
    configuration) contains the line:
    'domain logons = yes'
    The vulnerability does not allow arbitrary code execution. Once the nmbd
    process dies, the server no longer answers NetBIOS name queries and can no
    longer be reached by its NetBIOS name.

    Samba smbd service DoS
    An unauthenticated remote user can mount a resource exhaustion attack by
    sending multiple malformed requests to an affected server. Each request
    spawns a new smbd process, which enters an infinite loop. The attack
    takes very little bandwidth to make the machine stop responding: each
    request from the exploit tested was only 358 bytes, and a Red Hat Fedora
    Core 1 machine with 512 megabytes of RAM and 512 megabytes of swap was
    rendered unusable by fewer than 4000 requests.

    Patch Availability:
    Removing the 'domain logons = yes' line removes the nmbd problem, but it
    also stops the server acting as a domain logon server, so it is not a
    workaround for sites that rely on that role. For smbd, the only
    workarounds are to restrict access to trusted machines, either with
    Samba's "hosts allow" option or with firewall rules in front of the SMB
    ports (TCP 139 and 445 for smbd; UDP 137 and 138 for nmbd).

    A patch file for Samba 3.0.5 addressing the bugs (samba-3.0.5-DoS.patch)
    can be downloaded from
    http://download.samba.org/samba/ftp/patches/security/

    Disclosure Timeline
    09/02/2004 Initial vendor notification
    09/02/2004 iDEFENSE clients notified
    09/02/2004 Vendor response
    09/13/2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Labs
    <mailto:idlabs-advisories@idefense.com>.
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=138&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

