[UNIX] Samba 3.x QFILEPATHINFO Unicode Filename Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 11/15/04

    To: list@securiteam.com
    Date: 15 Nov 2004 19:58:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Samba 3.x QFILEPATHINFO Unicode Filename Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Samba is an Open Source/Free Software suite that provides seamless file
    and print services to SMB/CIFS clients. Samba is freely available under
    the GNU General Public License.

    During an audit of the Samba 3.x codebase a Unicode filename buffer
    overflow in the construction of TRANSACT2_QFILEPATHINFO replies was
    discovered that allows remote execution of arbitrary code.

    Any authenticated Samba user can exploit this vulnerability if a
    specially crafted pathname already exists on a share. If no such path
    exists, the attacker needs write access to one of the network shares in
    order to create it.

    DETAILS

    Vulnerable Systems:
     * Samba version 3.0.7 and prior

    Immune Systems:
     * Samba version 3.0.8 or newer

    The SMB specification allows a client to specify the maximum number of
    data bytes the server may return in a single reply.

    When Samba 3.x receives a TRANSACT2_QFILEPATHINFO request with this field
    set to a small value, for example zero, an overflow of a Unicode filename
    can occur while the reply is being constructed.

    The cause is that Samba <= 3.0.7 reads this field, allocates a reply
    buffer 1024 bytes larger than the requested maximum, and then writes the
    reply into this buffer without any further size check. This was
    sufficient to prevent overflows in Samba 2.x, but the replies for the
    info levels SMB_QUERY_FILE_NAME_INFO and SMB_QUERY_FILE_ALL_INFO were
    later changed to carry the full pathname as a Unicode string, and a long
    enough pathname now exceeds the reserved buffer size.

    Because filenames can contain Unicode characters, the attacker controls
    the bytes written past the end of the buffer and can overwrite
    malloc()/free() control structures, which makes remote code execution
    possible.
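
    The following C example, added here and not taken from the advisory or
    from Samba's trans2.c, models the sizing arithmetic described above: the
    reply buffer is max_data_bytes + 1024 bytes, the
    SMB_QUERY_FILE_NAME_INFO body is a 4-byte length followed by the full
    pathname in UTF-16LE, and nothing checks whether the second fits in the
    first. It also shows a bounds-checked builder of the kind a fix needs.
    The names (REPLY_SLACK, overflow_bytes, build_name_info_reply and the
    rest), the ASCII-only pathnames (two bytes per character after
    conversion) and the 'A'-filled sample paths are assumptions of this
    example; Samba performs the conversion with its own push_ucs2() routine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the reply sizing the advisory describes; this is
 * example code, not Samba's trans2.c. Samba <= 3.0.7 sized the reply
 * buffer as the client's max_data_bytes plus 1024 bytes of slack. */
#define REPLY_SLACK 1024

/* Bytes an SMB_QUERY_FILE_NAME_INFO body occupies: a 4-byte length field
 * followed by the full pathname as UTF-16LE. The example assumes ASCII
 * pathnames, i.e. two bytes per character after conversion. */
static size_t name_info_reply_bytes(const char *full_path)
{
    return 4 + 2 * strlen(full_path);
}

/* Constructed sample input: a pathname of path_chars 'A' bytes. */
static char *make_path(size_t path_chars)
{
    char *path = malloc(path_chars + 1);
    if (path == NULL)
        return NULL;
    memset(path, 'A', path_chars);
    path[path_chars] = '\0';
    return path;
}

/* Vulnerable sizing: how many bytes the reply would write past the end of
 * a max_data_bytes + 1024 allocation when nothing checks the fit
 * (0 means the reply fits). */
size_t overflow_bytes(uint16_t max_data_bytes, const char *full_path)
{
    size_t allocated = (size_t)max_data_bytes + REPLY_SLACK;
    size_t needed = name_info_reply_bytes(full_path);
    return needed > allocated ? needed - allocated : 0;
}

/* Same computation for a constructed pathname of path_chars characters, so
 * the relationship between path length and spill can be tabulated. */
size_t overflow_for_path_len(uint16_t max_data_bytes, size_t path_chars)
{
    char *path = make_path(path_chars);
    if (path == NULL)
        return 0;
    size_t spill = overflow_bytes(max_data_bytes, path);
    free(path);
    return spill;
}

/* Hardened builder: the body is only written if all of it fits in dst_len
 * bytes. Returns bytes written, or -1 when the reply would not fit, so the
 * caller can answer with an error instead of overflowing the buffer. */
long build_name_info_reply(const char *full_path, uint8_t *dst, size_t dst_len)
{
    size_t needed = name_info_reply_bytes(full_path);
    if (needed > dst_len)
        return -1;

    uint32_t ucs2_len = (uint32_t)(2 * strlen(full_path));
    dst[0] = (uint8_t)(ucs2_len & 0xff);          /* little-endian length */
    dst[1] = (uint8_t)((ucs2_len >> 8) & 0xff);
    dst[2] = (uint8_t)((ucs2_len >> 16) & 0xff);
    dst[3] = (uint8_t)((ucs2_len >> 24) & 0xff);

    for (size_t i = 0; full_path[i] != '\0'; i++) {
        dst[4 + 2 * i] = (uint8_t)full_path[i];   /* UTF-16LE, ASCII only */
        dst[5 + 2 * i] = 0;
    }
    return (long)needed;
}

/* Allocate the max_data_bytes + 1024 buffer the server would use, build the
 * reply with the bounds check, and report the result (-1 = rejected). */
long checked_reply_len(uint16_t max_data_bytes, const char *full_path)
{
    size_t allocated = (size_t)max_data_bytes + REPLY_SLACK;
    uint8_t *buf = calloc(allocated, 1);
    if (buf == NULL)
        return -1;
    long n = build_name_info_reply(full_path, buf, allocated);
    free(buf);
    return n;
}

/* Same as checked_reply_len for a constructed pathname of path_chars bytes. */
long checked_reply_len_for_path_len(uint16_t max_data_bytes, size_t path_chars)
{
    char *path = make_path(path_chars);
    if (path == NULL)
        return -1;
    long n = checked_reply_len(max_data_bytes, path);
    free(path);
    return n;
}
```

    With max_data_bytes set to 0 the allocation is exactly 1024 bytes, so a
    full pathname of 511 characters already spills two bytes past it and a
    600-character pathname spills 180 bytes. With the 0xFFFF a normal client
    sends, a pathname of more than 33,000 characters would be needed, far
    beyond what the server's filesystem will hold. This is why the
    client-controlled field and the ability to place a long pathname on a
    share (hence the write-access requirement) together make the bug
    reachable, and why the fixed path through build_name_info_reply refuses
    the request rather than writing the pathname.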

    Disclosure Timeline:
    24. September 2004 - Made initial contact with the Samba Team
    25. September 2004 - Samba Team fixed the bug in CVS
    26. September 2004 - Disclosure was delayed on our side because of another
    issue that was supposed to be disclosed at the same time
    08. November 2004 - Samba Team released 3.0.8 without notifying us because
    they were wrongly convinced that the bug is not exploitable
    15. November 2004 - Public Disclosure

    CVE Information:
    CAN-2004-0882
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882>

    Recommendation:
    Unlike several other Samba vulnerabilities of recent months, this
    vulnerability affects default installations of Samba 3.x, so any user of
    Samba 3.0.7 or earlier should upgrade to 3.0.8 or newer as soon as
    possible.

    ADDITIONAL INFORMATION

    The information has been provided by Stefan Esser
    <mailto:s.esser@e-matters.de>.
    The original article can be found at:
    <http://security.e-matters.de/advisories/132004.html>



