Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
Mike Tancsa
mike at sentex.net
Mon Apr 7 06:16:46 PDT 2003
FYI
>Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
>From: Erik Parker <erik.parker at digitaldefense.net>
>To: vulnwatch at vulnwatch.org
>Subject: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>|------------------------------------------------------------------------------|
> Digital Defense Inc. Security Advisory
> DDI-1013 labs at digitaldefense.net
> http://www.digitaldefense.net/
>|------------------------------------------------------------------------------|
>
>Synopsis : Buffer Overflow in Samba allows remote root compromise
>Package : Samba, Samba-TNG
>Type : Remote Root Compromise
>Issue date : 04-07-2003
>Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
>Not Affected : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
>CVE Id : CAN-2003-0201
>
>|------------------------------------------------------------------------------|
>
>
>o Product description:
> Samba is an Open Source/Free Software suite that provides seamless file and
> print services to SMB/CIFS clients. Samba-TNG was originally a fork off of
> the Samba source tree, and aims at being a substitute for a Windows NT domain
> controller.
>
>
>o Problem description:
> An anonymous user can gain remote root access due to a buffer overflow caused
> by a StrnCpy() into a char array (fname) using a non-constant length (namelen).
>
> StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
>
> In the call_trans2open function in trans2.c, the Samba StrnCpy function
> copies pname into fname using namelen. The variable namelen is assigned the
> value of strlen(pname)+1, which causes the overflow.
>
> The variable 'fname' is a _typedef_ pstring, which is a char with a size of
> 1024. If pname is greater than 1024, you can overwrite almost anything you
> want past the 1024th byte that fits inside of sizeof(pname), or the value
> returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should
> be around 2000 bytes.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security problems.
>
>
>o Testing Environment:
> Tested against source compiles and binary packages of Samba from version
> 2.2.5 to 2.2.8 on the following x86 platforms:
>
> Redhat Linux 7.1, 7.3, 8.0
> Gentoo Linux 1.4-rc3
> SuSe Linux 7.3
> FreeBSD 4.6, 4.8, 5.0
> Solaris 9
>
>
>o Solutions and Workarounds:
> Upgrading to the latest version of Samba or Samba-TNG is the recommended
> solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version
> 0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of
> Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is
> providing.
>
> A workaround in the current source code for this specific vulnerability
> would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the
> Samba 2.2.8 source code:
>
> -StrnCpy(fname,pname,namelen);
> +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
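Review bot: sizeof(fname)-1 is a correct bound on the `+` line only because fname is declared as a pstring array inside call_trans2open; applied to a `char *` destination the same expression would yield the pointer size, so this idiom must not be copied to call sites where the destination is a pointer. The clamp also silently truncates an over-long name rather than rejecting the request; returning an error when namelen exceeds sizeof(fname)-1 would refuse the malformed request instead of servicing a truncated path, and, as the text below the hunk says, this one line covers only one of the overflows the Samba team found.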
>
> As a result of this vulnerability being identified at least three others
> have also been found by the Samba team after reviewing similar usages in the
> source tree. One is a static overflow and the other two are heap overflows.
> Applying the fix above will only protect against the specific problem
> identified in this advisory. To fully protect yourself, you must apply the
> patches from Samba, or upgrade to 2.2.8a.
>
> Samba is available for download from: http://www.samba.org/
> Samba-TNG is available for download from: http://www.samba-tng.org/
>
>
>o Exploit:
> An exploit named trans2root.pl has been posted on the Digital Defense, Inc.
> website. A quick udp based scanner named nmbping.pl has also been posted to
> assist you in identifying Samba servers on your network. Both are available
> for download from the following URL:
>
> http://www.digitaldefense.net/labs/securitytools.html
>
> This exploit works against all distributions listed in the testing
> environment section. Usage is as follows:
>
> trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>
>
> This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts
> running the 2.2.x branch of Samba. Hosts with a non-executable stack are not
> vulnerable to this particular exploit. The exploit will cause the target host
> to connect back to the host running the exploit and spawn a root shell on the
> defined port (default is 1981).
>
> The scanner is very easy to use, and should detect and identify Samba and
> Windows SMB services. Usage is as follows:
>
> nmbping.pl <network/cidr>
>
>
>o Forced Release:
> This vulnerability is being actively exploited in the wild. Digital Defense,
> Inc. discovered this bug by analyzing a packet capture of an attack against a
> host running Samba 2.2.8. The attack captured was performed on April 1st,
> 2003. Samba users are urged to check their Samba servers for signs of
> compromise. Samba and Digital Defense, Inc. decided to release their
> advisories before all vendors had a chance to update their packages due to
> this vulnerability being actively exploited.
>
>
>o Revision History:
> 04-07-2003 Initial public release
>
> Latest revision available at:
> http://www.digitaldefense.net/labs/advisories.html
>
>
>o Vendor Contact Information:
> 04-03-2003 security at samba.org notified
> 04-03-2003 elrond at samba-tng.org notified.
> 04-03-2003 Samba Team responds via telephone, acknowledges vulnerability
> 04-03-2003 Elrond of Samba-TNG responds and acknowledges vulnerability
> 04-04-2003 Samba Team notifies vendorsec mailing list
> 04-07-2003 Initial public release
>
>o Thanks to:
> Elrond of Samba-TNG, The Samba Security Team, and everyone on the
> Digital Defense Inc., SECOPS team.
>
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE+kT/5jB+XO4ZKjSARAsJpAJsH05MqOIqauWrK1kKOAkwmCsXorgCeK92r
>eDEmOgRY4z7Y0b7HecHyf+A=
>=Af+n
>-----END PGP SIGNATURE-----
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
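The copy the advisory describes, modelled in C as an added example that is not part of the forwarded advisory or of the Samba source: trans2open_copy_vuln() reproduces the StrnCpy(fname, pname, namelen) call with namelen = strlen(pname)+1, and trans2open_copy_fixed() applies the MIN(namelen, sizeof(fname)-1) bound from the workaround. strn_cpy_nul() is an assumed, simplified stand-in for Samba's StrnCpy() (copy at most n bytes, then always write a NUL); the 1024-byte pstring, the canary region placed after it inside one heap allocation, and the all-'A' names are constructed here so the overrun can be observed deterministically without writing outside any allocation.

```c
/* Added example; strn_cpy_nul() is an assumed stand-in for Samba's StrnCpy(),
 * the canary layout and the sample names are constructed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSTRING_SIZE 1024   /* sizeof(pstring) as stated in the advisory */
#define CANARY_SIZE  1024   /* constructed: bytes that follow fname in this model */
#define CANARY_BYTE  0xAA

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Assumed StrnCpy() behaviour: copy up to n bytes, stop at the source NUL,
 * then terminate. With a source of n or more bytes it writes dest[0..n]. */
static char *strn_cpy_nul(char *dest, const char *src, size_t n)
{
    char *d = dest;
    while (n-- && (*d = *src)) {
        d++;
        src++;
    }
    *d = '\0';
    return dest;
}

/* The reported pattern: the length comes from the source, not the
 * destination, so a pname longer than the pstring runs past fname. */
void trans2open_copy_vuln(char *fname, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    strn_cpy_nul(fname, pname, namelen);
}

/* The workaround: clamp to the destination. fname_size stands in for
 * sizeof(fname), which is only meaningful because fname is an array. */
void trans2open_copy_fixed(char *fname, size_t fname_size, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    strn_cpy_nul(fname, pname, MIN(namelen, fname_size - 1));
}

static int canary_intact(const unsigned char *region, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (region[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Run either copy with a pname of pname_len 'A's and report whether the
 * bytes after the pstring survived: 1 = intact, 0 = overwritten,
 * -1 = refused because even the oversized allocation would be exceeded. */
int simulate(int use_fix, size_t pname_len)
{
    const size_t total = PSTRING_SIZE + CANARY_SIZE;
    if (pname_len + 1 > total)
        return -1;
    unsigned char *buf = malloc(total);
    char *pname = malloc(pname_len + 1);
    if (!buf || !pname) {
        free(buf);
        free(pname);
        return -1;
    }
    memset(buf, 0, PSTRING_SIZE);
    memset(buf + PSTRING_SIZE, CANARY_BYTE, CANARY_SIZE);
    memset(pname, 'A', pname_len);
    pname[pname_len] = '\0';

    char *fname = (char *)buf;          /* the 1024-byte pstring */
    if (use_fix)
        trans2open_copy_fixed(fname, PSTRING_SIZE, pname);
    else
        trans2open_copy_vuln(fname, pname);

    int intact = canary_intact(buf + PSTRING_SIZE, CANARY_SIZE);
    free(buf);
    free(pname);
    return intact;
}

/* Length of the name left by the bounded copy: never more than 1023, and the
 * NUL always lands inside the pstring. */
size_t fixed_result_len(size_t pname_len)
{
    char fname[PSTRING_SIZE];
    char *pname = malloc(pname_len + 1);
    if (!pname)
        return 0;
    memset(pname, 'A', pname_len);
    pname[pname_len] = '\0';
    trans2open_copy_fixed(fname, sizeof(fname), pname);
    size_t len = strlen(fname);
    free(pname);
    return len;
}

int main(void)
{
    printf("vuln,  1023-byte name: canary intact = %d\n", simulate(0, 1023));
    printf("vuln,  1024-byte name: canary intact = %d\n", simulate(0, 1024));
    printf("fixed, 1500-byte name: canary intact = %d, strlen = %zu\n",
           simulate(1, 1500), fixed_result_len(1500));
    return 0;
}
```

A 1023-byte name is the last one the unbounded copy handles safely; from 1024 bytes on the terminating NUL, and then the name itself, land in whatever follows fname, which is the region the advisory says can be overwritten up to the trans2 parameter count. The bounded copy keeps everything inside the pstring but does so by truncating the path, so a caller that needs the full name should reject over-long input rather than rely on the clamp.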
More information about the freebsd-security mailing list