From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 06:16:46 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8487637B405;
	Mon, 7 Apr 2003 06:16:46 -0700 (PDT)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 42E5043F93;
	Mon, 7 Apr 2003 06:16:45 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27])
	by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h37DGiMF061323;
	Mon, 7 Apr 2003 09:16:44 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030407092210.06702ff8@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Mon, 07 Apr 2003 09:23:03 -0400
To: security@FreeBSD.org
From: Mike Tancsa
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Subject: Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 07 Apr 2003 13:16:46 -0000

FYI

>Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
>Delivered-To: mailing list vulnwatch@vulnwatch.org
>Delivered-To: moderator for vulnwatch@vulnwatch.org
>Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
>From: Erik Parker
>X-X-Sender: Erik Parker
>To: vulnwatch@vulnwatch.org
>Subject: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>|------------------------------------------------------------------------------|
>                    Digital Defense Inc. Security Advisory
>   DDI-1013                                         labs@digitaldefense.net
>                                                 http://www.digitaldefense.net/
>|------------------------------------------------------------------------------|
>
>Synopsis          : Buffer Overflow in Samba allows remote root compromise
>Package           : Samba, Samba-TNG
>Type              : Remote Root Compromise
>Issue date        : 04-07-2003
>Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
>Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
>CVE Id            : CAN-2003-0201
>
>|------------------------------------------------------------------------------|
>
>
>o Product description:
>   Samba is an Open Source/Free Software suite that provides seamless file and
>   print services to SMB/CIFS clients. Samba-TNG was originally a fork off of
>   the Samba source tree, and aims at being a substitute for a Windows NT domain
>   controller.
>
>
>o Problem description:
>   An anonymous user can gain remote root access due to a buffer overflow caused
>   by a StrnCpy() into a char array (fname) using a non-constant length
>   (namelen).
>
>   StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
>
>   In the call_trans2open function in trans2.c, the Samba StrnCpy function
>   copies pname into fname using namelen. The variable namelen is assigned the
>   value of strlen(pname)+1, which causes the overflow.
>
>   The variable 'fname' is a _typedef_ pstring, which is a char with a size of
>   1024. If pname is greater than 1024, you can overwrite almost anything you
>   want past the 1024th byte that fits inside of sizeof(pname), or the value
>   returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should
>   be around 2000 bytes.
>
>   The Common Vulnerabilities and Exposures (CVE) project has assigned the name
>   CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE
>   list (http://cve.mitre.org), which standardizes names for security problems.
>
>
>o Testing Environment:
>   Tested against source compiles and binary packages of Samba from version
>   2.2.5 to 2.2.8 on the following x86 platforms:
>
>     Redhat Linux 7.1, 7.3, 8.0
>     Gentoo Linux 1.4-rc3
>     SuSe Linux 7.3
>     FreeBSD 4.6, 4.8, 5.0
>     Solaris 9
>
>
>o Solutions and Workarounds:
>   Upgrading to the latest version of Samba or Samba-TNG is the recommended
>   solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version
>   0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of
>   Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is
>   providing.
>
>   A workaround in the current source code for this specific vulnerability
>   would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the
>   Samba 2.2.8 source code:
>
> -StrnCpy(fname,pname,namelen);
> +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
>
>   As a result of this vulnerability being identified at least three others
>   have also been found by the Samba team after reviewing similar usages in the
>   source tree. One is a static overflow and the other two are heap overflows.
>   Applying the fix above will only protect against the specific problem
>   identified in this advisory. To fully protect yourself, you must apply the
>   patches from Samba, or upgrade to 2.2.8a.
>
>   Samba is available for download from: http://www.samba.org/
>   Samba-TNG is available for download from: http://www.samba-tng.org/
>
>
>o Exploit:
>   An exploit named trans2root.pl has been posted on the Digital Defense, Inc.
>   website. A quick UDP-based scanner named nmbping.pl has also been posted to
>   assist you in identifying Samba servers on your network. Both are available
>   for download from the following URL:
>
>   http://www.digitaldefense.net/labs/securitytools.html
>
>   This exploit works against all distributions listed in the testing
>   environment section.
>   Usage is as follows:
>
>   trans2root.pl -t -H -h
>
>   This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts
>   running the 2.2.x branch of Samba. Hosts with a non-executable stack are not
>   vulnerable to this particular exploit. The exploit will cause the target host
>   to connect back to the host running the exploit and spawn a root shell on the
>   defined port (default is 1981).
>
>   The scanner is very easy to use, and should detect and identify Samba and
>   Windows SMB services. Usage is as follows:
>
>   nmbping.pl
>
>
>o Forced Release:
>   This vulnerability is being actively exploited in the wild. Digital Defense,
>   Inc. discovered this bug by analyzing a packet capture of an attack against a
>   host running Samba 2.2.8. The attack captured was performed on April 1st,
>   2003. Samba users are urged to check their Samba servers for signs of
>   compromise. Samba and Digital Defense, Inc. decided to release their
>   advisories before all vendors had a chance to update their packages due to
>   this vulnerability being actively exploited.
>
>
>o Revision History:
>   04-07-2003 Initial public release
>
>   Latest revision available at:
>   http://www.digitaldefense.net/labs/advisories.html
>
>
>o Vendor Contact Information:
>   04-03-2003 security@samba.org notified
>   04-03-2003 elrond@samba-tng.org notified.
>   04-03-2003 Samba Team responds via telephone, acknowledges vulnerability
>   04-03-2003 Elrond of Samba-TNG responds and acknowledges vulnerability
>   04-04-2003 Samba Team notifies vendorsec mailing list
>   04-07-2003 Initial public release
>
>o Thanks to:
>   Elrond of Samba-TNG, The Samba Security Team, and everyone on the
>   Digital Defense Inc., SECOPS team.
>
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE+kT/5jB+XO4ZKjSARAsJpAJsH05MqOIqauWrK1kKOAkwmCsXorgCeK92r
>eDEmOgRY4z7Y0b7HecHyf+A=
>=Af+n
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                                     tel +1 519 651 3400
Sentex Communications,                           mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                        www.sentex.net/mike
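Added example, not part of the forwarded advisory and not Samba's own code: a small C program that models the copy at the centre of DDI-1013, StrnCpy(fname, pname, namelen) with namelen = strlen(pname)+1 into a 1024-byte pstring, next to the MIN(namelen, sizeof(fname)-1) workaround, and reports how many bytes each variant writes. It assumes StrnCpy behaves as a bounded copy that stops at the source NUL and always writes a terminating NUL at dest[n_copied]; that terminator is why the workaround subtracts one from sizeof(fname). The 1024-byte pstring and the roughly 2000-byte request size come from the advisory; the 'A'-filled file names and the scratch buffer are constructed for the demonstration, and the copy is run into an oversized scratch area rather than a real pstring so the program does not corrupt its own stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Samba's pstring: a fixed 1024-byte char array (the size the advisory gives). */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Scratch area standing in for the stack around fname; large enough that the
 * unpatched copy can be simulated without corrupting this program. */
#define SCRATCH_LEN 4096

/* Model of Samba's StrnCpy (assumption): copy at most n bytes of src, stop at
 * src's NUL, and always write a terminating NUL at dest[n_copied]. Because the
 * terminator lands one past the copied bytes, a bound of sizeof(fname)-1 is what
 * keeps the whole write inside a pstring; that is why the advisory's fix uses it. */
static void model_StrnCpy(char *dest, const char *src, size_t n)
{
    size_t i = 0;
    while (i < n && src[i] != '\0') {
        dest[i] = src[i];
        i++;
    }
    dest[i] = '\0';
}

/* Run the call_trans2open() copy into the scratch area and return how many bytes
 * (including the NUL) it wrote. apply_fix selects the advisory's MIN() bound. */
static size_t bytes_written(const char *pname, int apply_fix)
{
    char scratch[SCRATCH_LEN];
    size_t namelen = strlen(pname) + 1;               /* as in the vulnerable code */
    size_t n = apply_fix ? MIN(namelen, sizeof(pstring) - 1) : namelen;

    if (n >= SCRATCH_LEN)                             /* beyond what the model holds */
        return (size_t)-1;

    memset(scratch, 0xAA, sizeof scratch);            /* marker bytes, never NUL */
    model_StrnCpy(scratch, pname, n);

    size_t written = 0;                               /* locate the NUL the copy placed */
    while (written < SCRATCH_LEN && scratch[written] != '\0')
        written++;
    return written + 1;
}

/* 1 if the copy spills past the 1024-byte fname, 0 otherwise. */
static int overflows_pstring(const char *pname, int apply_fix)
{
    size_t w = bytes_written(pname, apply_fix);
    return w == (size_t)-1 || w > sizeof(pstring);
}

/* Constructed input: an attacker-controlled file name of name_len 'A' bytes. */
static size_t bytes_written_for_len(size_t name_len, int apply_fix)
{
    char name[SCRATCH_LEN];
    if (name_len >= SCRATCH_LEN) return (size_t)-1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return bytes_written(name, apply_fix);
}

static int overflows_pstring_for_len(size_t name_len, int apply_fix)
{
    char name[SCRATCH_LEN];
    if (name_len >= SCRATCH_LEN) return 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return overflows_pstring(name, apply_fix);
}

int main(void)
{
    /* 2000 is about the smbd_tpscnt-sized request the advisory mentions. */
    const size_t lens[] = { 14, 1023, 1024, 2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("pname of %4zu bytes: unpatched writes %4zu (%s), patched writes %4zu (%s)\n",
               lens[i],
               bytes_written_for_len(lens[i], 0),
               overflows_pstring_for_len(lens[i], 0) ? "OVERFLOW" : "ok",
               bytes_written_for_len(lens[i], 1),
               overflows_pstring_for_len(lens[i], 1) ? "OVERFLOW" : "ok");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall trans2open_model.c` and run: a 2000-byte name writes 2001 bytes unpatched and 1024 patched, a 1023-byte name fits either way, and 1024 is the first length at which the unpatched copy spills past fname, since namelen counts the terminator. The MIN() bound changes only the length argument, which is why the advisory stresses that it protects this one call and the other StrnCpy sites found by the Samba team still need the full patch.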