[VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise

From: Erik Parker (erik.parker@digitaldefense.net)
Date: 04/07/03

    Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
    From: Erik Parker <erik.parker@digitaldefense.net>
    To: vulnwatch@vulnwatch.org
    
    

    |------------------------------------------------------------------------------|
     Digital Defense Inc. Security Advisory DDI-1013 labs@digitaldefense.net
     http://www.digitaldefense.net/
    |------------------------------------------------------------------------------|

    Synopsis : Buffer Overflow in Samba allows remote root compromise
    Package : Samba, Samba-TNG
    Type : Remote Root Compromise
    Issue date : 04-07-2003
    Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
    Not Affected : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
    CVE Id : CAN-2003-0201

    |------------------------------------------------------------------------------|

    o Product description:
       Samba is an Open Source/Free Software suite that provides seamless file and
       print services to SMB/CIFS clients. Samba-TNG was originally a fork off of
       the Samba source tree, and aims at being a substitute for a Windows NT domain
       controller.

    o Problem description:
       An anonymous user can gain remote root access due to a buffer overflow caused
       by a StrnCpy() into a char array (fname) using a non-constant length
       (namelen).

       StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */

       In the call_trans2open function in trans2.c, the Samba StrnCpy function
       copies pname into fname using namelen. The variable namelen is assigned the
       value of strlen(pname)+1, which causes the overflow.

       The variable 'fname' is a _typedef_ pstring, which is a char array with a
       size of 1024. If pname is longer than 1024 bytes, you can overwrite almost
       anything you want past the 1024th byte that fits inside of sizeof(pname),
       or the value returned by SVAL(inbuf,smbd_tpscnt) in function
       reply_trans2(), which should be around 2000 bytes.

       The Common Vulnerabilities and Exposures (CVE) project has assigned the name
       CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE
       list (http://cve.mitre.org), which standardizes names for security problems.

    o Testing Environment:
       Tested against source compiles and binary packages of Samba from version
       2.2.5 to 2.2.8 on the following x86 platforms:

       Redhat Linux 7.1, 7.3, 8.0
       Gentoo Linux 1.4-rc3
       SuSe Linux 7.3
       FreeBSD 4.6, 4.8, 5.0
       Solaris 9

    o Solutions and Workarounds:
       Upgrading to the latest version of Samba or Samba-TNG is the recommended
       solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version
       0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of
       Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is
       providing.

       A workaround in the current source code for this specific vulnerability
       would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the
       Samba 2.2.8 source code:

       -StrnCpy(fname,pname,namelen);
       +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
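       Review bot: on the + line, MIN(namelen, sizeof(fname)-1) bounds the copy
       but silently truncates an over-long pname rather than rejecting it;
       consider returning an error when namelen exceeds sizeof(fname)-1. The
       bound is also only correct while fname is an array in this scope, since
       sizeof applied to a pointer would give the pointer size instead.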

       As a result of this vulnerability being identified at least three others
       have also been found by the Samba team after reviewing similar usages in the
       source tree. One is a static overflow and the other two are heap overflows.
       Applying the fix above will only protect against the specific problem
       identified in this advisory. To fully protect yourself, you must apply the
       patches from Samba, or upgrade to 2.2.8a.
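       The length mismatch from the problem description and the clamp from the
       workaround, as an added example that is not code from Samba or from this
       advisory. copy_n is a hypothetical stand-in for a StrnCpy-style helper (its
       semantics are assumed), copy_name_checked is an added stricter variant, and
       the 2000-byte name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PSTRING_LEN 1024                 /* pstring size given in the advisory */
typedef char pstring[PSTRING_LEN];
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical stand-in for a StrnCpy-style helper: copies at most n bytes,
 * then always terminates, so it can write up to n + 1 bytes into dest. */
static void copy_n(char *dest, const char *src, size_t n)
{
    size_t i = 0;
    while (i < n && src[i] != '\0') { dest[i] = src[i]; i++; }
    dest[i] = '\0';
}

/* Bytes the unpatched length (strlen(pname)+1) would put past the end of
 * fname. Computed only; the out-of-bounds copy is never performed here. */
size_t overflow_bytes(const char *pname)
{
    size_t namelen = strlen(pname) + 1;  /* derived from the source alone */
    return namelen > PSTRING_LEN ? namelen - PSTRING_LEN : 0;
}

/* The advisory's workaround: clamp to the destination; long names truncate.
 * fname is a pointer in this scope, so the bound is sizeof(pstring). */
void copy_name_clamped(char *fname, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    copy_n(fname, pname, MIN(namelen, sizeof(pstring) - 1));
}

/* Stricter variant (added, not from the advisory): refuse names that do not fit. */
int copy_name_checked(char *fname, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    if (namelen > sizeof(pstring)) return -1;
    memcpy(fname, pname, namelen);
    return 0;
}

int main(void)
{
    char big[2000];                      /* constructed over-long name */
    pstring fname;
    memset(big, 'A', sizeof(big) - 1); big[sizeof(big) - 1] = '\0';
    copy_name_clamped(fname, big);
    printf("overflow=%zu clamped_len=%zu checked=%d\n", overflow_bytes(big),
           strlen(fname), copy_name_checked(fname, big));
    return 0;
}
```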

       Samba is available for download from: http://www.samba.org/
       Samba-TNG is available for download from: http://www.samba-tng.org/

    o Exploit:
       An exploit named trans2root.pl has been posted on the Digital Defense, Inc.
       website. A quick UDP-based scanner named nmbping.pl has also been
       posted to assist you in identifying Samba servers on your network. Both are
       available for download from the following URL:

       http://www.digitaldefense.net/labs/securitytools.html

       This exploit works against all distributions listed in the testing
       environment section. Usage is as follows:

       trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>

       This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts
       running the 2.2.x branch of Samba. Hosts with a non-executable stack are not
       vulnerable to this particular exploit. The exploit will cause the target host
       to connect back to the host running the exploit and spawn a root shell on the
       defined port (default is 1981).

       The scanner is very easy to use, and should detect and identify Samba and
       Windows SMB services. Usage is as follows:

       nmbping.pl <network/cidr>

    o Forced Release:
       This vulnerability is being actively exploited in the wild. Digital Defense,
       Inc. discovered this bug by analyzing a packet capture of an attack against a
       host running Samba 2.2.8. The attack captured was performed on April 1st,
       2003. Samba users are urged to check their Samba servers for signs of
       compromise. Samba and Digital Defense, Inc. decided to release their
       advisories before all vendors had a chance to update their packages due to
       this vulnerability being actively exploited.

    o Revision History:
       04-07-2003 Initial public release

       Latest revision available at:
       http://www.digitaldefense.net/labs/advisories.html

    o Vendor Contact Information:
       04-03-2003 security@samba.org notified
       04-03-2003 elrond@samba-tng.org notified.
       04-03-2003 Samba Team responds via telephone, acknowledges vulnerability
       04-03-2003 Elrond of Samba-TNG responds and acknowledges vulnerability
       04-04-2003 Samba Team notifies vendorsec mailing list
       04-07-2003 Initial public release

    o Thanks to:
       Elrond of Samba-TNG, The Samba Security Team, and everyone on the
       Digital Defense Inc., SECOPS team.

