Date:      Mon, 07 Apr 2003 09:23:03 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        security@FreeBSD.org
Subject:   Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
Message-ID:  <5.2.0.9.0.20030407092210.06702ff8@marble.sentex.ca>


FYI


>Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
>List-Post: <mailto:vulnwatch@vulnwatch.org>
>List-Help: <mailto:vulnwatch-help@vulnwatch.org>
>List-Unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
>List-Subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
>Delivered-To: mailing list vulnwatch@vulnwatch.org
>Delivered-To: moderator for vulnwatch@vulnwatch.org
>Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
>From: Erik Parker <erik.parker@digitaldefense.net>
>X-X-Sender: Erik Parker <erik.parker@digitaldefense.net>
>To: vulnwatch@vulnwatch.org
>Subject: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>|------------------------------------------------------------------------------|
>  Digital Defense Inc. Security Advisory 
> DDI-1013        labs@digitaldefense.net
>  http://www.digitaldefense.net/
>|------------------------------------------------------------------------------|
>
>Synopsis          : Buffer Overflow in Samba allows remote root compromise
>Package           : Samba, Samba-TNG
>Type              : Remote Root Compromise
>Issue date        : 04-07-2003
>Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10,  < Samba-TNG 0.3.2
>Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
>CVE Id            : CAN-2003-0201
>
>|------------------------------------------------------------------------------|
>
>
>o Product description:
>    Samba is an Open Source/Free Software suite that provides seamless file and
>    print services to SMB/CIFS clients. Samba-TNG was originally a fork off of
>    the Samba source tree, and aims at being a substitute for a Windows NT domain
>    controller.
>
>
>o Problem description:
>    An anonymous user can gain remote root access due to a buffer overflow caused
>    by a StrnCpy() into a char array (fname) using a non-constant length
>    (namelen).
>
>    StrnCpy(fname,pname,namelen);    /* Line 252 of smbd/trans2.c */
>
>    In the call_trans2open function in trans2.c, the Samba StrnCpy function
>    copies pname into fname using namelen. The variable namelen is assigned the
>    value of strlen(pname)+1, which causes the overflow.
>
>    The variable 'fname' is a _typedef_ pstring, which is a char with a size of
>    1024. If pname is greater than 1024, you can overwrite almost anything you
>    want past the 1024th byte that fits inside of sizeof(pname), or the value
>    returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should
>    be around 2000 bytes.
>
>    The Common Vulnerabilities and Exposures (CVE) project has assigned the name
>    CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE
>    list (http://cve.mitre.org), which standardizes names for security problems.
>
>
>o Testing Environment:
>    Tested against source compiles and binary packages of Samba from version
>    2.2.5 to 2.2.8 on the following x86 platforms:
>
>    Redhat Linux 7.1, 7.3, 8.0
>    Gentoo Linux 1.4-rc3
>    SuSe Linux 7.3
>    FreeBSD 4.6, 4.8, 5.0
>    Solaris 9
>
>
>o Solutions and Workarounds:
>    Upgrading to the latest version of Samba or Samba-TNG is the recommended
>    solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version
>    0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of
>    Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is
>    providing.
>
>    A workaround in the current source code for this specific vulnerability
>    would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the
>    Samba 2.2.8 source code:
>
>    -StrnCpy(fname,pname,namelen);
>    +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
>
>    As a result of this vulnerability being identified at least three others
>    have also been found by the Samba team after reviewing similar usages in the
>    source tree. One is a static overflow and the other two are heap overflows.
>    Applying the fix above will only protect against the specific problem
>    identified in this advisory. To fully protect yourself, you must apply the
>    patches from Samba, or upgrade to 2.2.8a.
>
>    Samba is available for download from: http://www.samba.org/
>    Samba-TNG is available for download from: http://www.samba-tng.org/
>
>
>o Exploit:
>    An exploit named trans2root.pl has been posted on the Digital Defense, Inc.
>    website. A quick UDP based scanner named nmbping.pl has also been
>    posted to assist you in identifying Samba servers on your network. Both are
>    available for download from the following URL:
>
>    http://www.digitaldefense.net/labs/securitytools.html
>
>    This exploit works against all distributions listed in the testing
>    environment section. Usage is as follows:
>
>    trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>
>
>    This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts
>    running the 2.2.x branch of Samba. Hosts with a non-executable stack are not
>    vulnerable to this particular exploit. The exploit will cause the target host
>    to connect back to the host running the exploit and spawn a root shell on the
>    defined port (default is 1981).
>
>    The scanner is very easy to use, and should detect and identify Samba and
>    Windows SMB services. Usage is as follows:
>
>    nmbping.pl <network/cidr>
>
>
>o Forced Release:
>    This vulnerability is being actively exploited in the wild. Digital Defense,
>    Inc. discovered this bug by analyzing a packet capture of an attack against a
>    host running Samba 2.2.8. The attack captured was performed on April 1st,
>    2003. Samba users are urged to check their Samba servers for signs of
>    compromise. Samba and Digital Defense, Inc. decided to release their
>    advisories before all vendors had a chance to update their packages due to
>    this vulnerability being actively exploited.
>
>
>o Revision History:
>    04-07-2003     Initial public release
>
>    Latest revision available at:
>    http://www.digitaldefense.net/labs/advisories.html
>
>
>o Vendor Contact Information:
>    04-03-2003     security@samba.org notified
>    04-03-2003     elrond@samba-tng.org notified.
>    04-03-2003     Samba Team responds via telephone, acknowledges vulnerability
>    04-03-2003     Elrond of Samba-TNG responds and acknowledges vulnerability
>    04-04-2003     Samba Team notifies vendorsec mailing list
>    04-07-2003     Initial public release
>
>o Thanks to:
>    Elrond of Samba-TNG, The Samba Security Team, and everyone on the
>    Digital Defense Inc., SECOPS team.
>
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE+kT/5jB+XO4ZKjSARAsJpAJsH05MqOIqauWrK1kKOAkwmCsXorgCeK92r
>eDEmOgRY4z7Y0b7HecHyf+A=
>=Af+n
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike
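As an added illustration, not part of the forwarded advisory or of Samba's own source: a small C model of the pstring/StrnCpy pair and of the MIN() clamp the advisory gives as a workaround, showing that a name of about 2000 bytes is cut to 1023 bytes instead of running past the 1024-byte array. model_StrnCpy, would_overflow, copy_name_bounded and demo_long_name_copy are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for Samba's pstring typedef: a fixed 1024-byte char array. */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Model of Samba's StrnCpy(): copies up to n bytes, then writes a NUL,
 * so it touches n+1 bytes of dest and trusts the caller for the bound. */
static char *model_StrnCpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    while (n-- && (*d++ = *src++))
        ;
    *d = '\0';
    return dest;
}

/* True when the unpatched call StrnCpy(fname, pname, namelen) would write
 * past the 1024-byte pstring, i.e. when namelen exceeds sizeof(pstring)-1. */
static int would_overflow(size_t namelen)
{
    return namelen > PSTRING_LEN - 1;
}

/* The advisory's workaround, MIN(namelen, sizeof(fname)-1), as a helper.
 * fname is a pointer parameter here, so sizeof(fname) would be the pointer
 * size; the bound must come from the pstring type (or be passed in). */
static size_t copy_name_bounded(pstring fname, const char *pname, size_t namelen)
{
    model_StrnCpy(fname, pname, MIN(namelen, sizeof(pstring) - 1));
    return strlen(fname);       /* never more than 1023 */
}

/* Constructed check: a 2000-byte name, about the size of the trans2 payload
 * the advisory mentions. Returns the stored length, or -1 if the NUL
 * terminator at fname[1023] is missing. */
static long demo_long_name_copy(void)
{
    static char pname[2001];
    pstring fname;
    memset(pname, 'A', 2000);
    pname[2000] = '\0';
    size_t namelen = strlen(pname) + 1;   /* as in call_trans2open: 2001 */
    copy_name_bounded(fname, pname, namelen);
    return fname[PSTRING_LEN - 1] == '\0' ? (long)strlen(fname) : -1;
}
```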


