Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba-TNG was originally a fork off of the Samba source tree, and aims at being a substitute for a Windows NT domain controller.
A buffer overflow vulnerability in the Samba daemon allows an attacker to gain remote root access.
Credit:
The original security advisory was distributed by Digital Defense Inc and can be found at: http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).
StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
In the call_trans2open function in trans2.c, the Samba StrnCpy function copies pname into fname using namelen. The variable namelen is assigned the value strlen(pname)+1, so it is bounded only by the length of the supplied name and never by the size of fname, which causes the overflow.
The variable 'fname' is of the typedef'd type pstring, a char array of 1024 bytes. If pname is longer than 1024 bytes, you can overwrite almost anything you want past the 1024th byte that fits inside sizeof(pname), or inside the value returned by SVAL(inbuf,smbd_tpscnt) in the function reply_trans2(), which should be around 2000 bytes.
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Solutions and workarounds:
Upgrading to the latest version of Samba or Samba-TNG is the recommended solution to this vulnerability. Samba version 2.2.8a and Samba-TNG version 0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is providing.
A workaround in the current source code for this specific vulnerability would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the Samba 2.2.8 source code:
-StrnCpy(fname,pname,namelen);
+StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
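Review bot: the bound sizeof(fname)-1 in the + line is only correct because fname is a pstring array local to call_trans2open, as the description states; if the same one-line change is copied to another site where the destination is a char *, sizeof yields the pointer size and the copy is capped at a few bytes, so each further site needs that check. The -1 leaves room for the terminating NUL, assuming StrnCpy terminates the result after the copied characters. Note also that this silently truncates an overlong name instead of rejecting the request; a truncated path may open a different object than the one requested, so returning an error for names longer than the buffer is the more conservative choice, and the advisory's own caveat that this covers only one of the several sites the Samba team found still applies.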
As a result of this vulnerability being identified, at least three others have also been found by the Samba team after reviewing similar usages in the source tree. One is a static overflow and the other two are heap overflows. Applying the fix above will only protect against the specific problem identified in this advisory. To fully protect yourself, you must apply the patches from Samba, or upgrade to 2.2.8a.
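As an added example (not code from the advisory or from Samba's source tree), the following C puts the original call and the bounded form from the workaround side by side: a local stand-in for StrnCpy whose copy-then-terminate behaviour is an assumption, a check of how many bytes the unbounded call would write into the 1024-byte pstring, and the bounded copy reporting whether it truncated. The 2000-byte name is constructed to sit inside the SVAL(inbuf,smbd_tpscnt) bound the description mentions.

```c
#include <stdio.h>
#include <string.h>

/* Samba's pstring: a fixed 1024-byte char array (size taken from the advisory). */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

/* Local stand-in for Samba's StrnCpy (its exact contract is an assumption):
 * copy at most n characters, then always write a terminating NUL, so a
 * long source makes it touch n + 1 bytes of dest. */
static char *strn_cpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    while (n-- && (*d++ = *src++))
        ;
    *d = '\0';
    return dest;
}

/* The original call StrnCpy(fname, pname, namelen) with namelen =
 * strlen(pname) + 1 writes namelen + 1 bytes (copy plus NUL terminator);
 * returns 1 when that runs past the end of the 1024-byte fname. */
int original_call_overflows(const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    return namelen + 1 > PSTRING_LEN;
}

/* The bounded form from the workaround. sizeof(pstring) stands in for
 * sizeof(fname): an array parameter decays to a pointer, whereas fname in
 * call_trans2open is a local array, so sizeof(fname) is 1024 there.
 * Returns 1 if the name was silently truncated; a caller may prefer to
 * reject such names rather than open a path other than the one requested. */
int copy_name_bounded(pstring fname, const char *pname)
{
    size_t namelen = strlen(pname) + 1, limit = sizeof(pstring) - 1;
    strn_cpy(fname, pname, namelen < limit ? namelen : limit);
    return strlen(fname) < strlen(pname);
}

int main(void)
{
    static char pname[2001];   /* constructed 2000-byte name, inside the SVAL bound */
    pstring fname;
    memset(pname, 'A', 2000);
    printf("overflow=%d truncated=%d copied=%zu\n", original_call_overflows(pname),
           copy_name_bounded(fname, pname), strlen(fname));
    return 0;
}
```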
Samba is available for download from: http://www.samba.org/
Samba-TNG is available for download from: http://www.samba-tng.org/
Vendor status:
Vendor notified.
All major software vendors published fix packages.