Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is freely available under the GNU General Public License.
During an audit of the Samba 3.x codebase, a Unicode filename buffer overflow in the handling of TRANSACT2_QFILEPATHINFO replies was discovered that allows remote execution of arbitrary code.
Any Samba user can trigger this vulnerability if a specially crafted pathname already exists on a share. If such a path does not exist, the attacker needs write access to one of the network shares.
Credit:
The information has been provided by Stefan Esser.
The original article can be found at: http://security.e-matters.de/advisories/132004.html
Vulnerable Systems:
* Samba version 3.0.7 and prior
Immune Systems:
* Samba version 3.0.8 or newer
The SMB specification allows clients to specify a maximum amount of data bytes that the server is allowed to return in a single reply.
When Samba 3.x receives a TRANSACT2_QFILEPATHINFO request with this field set to, for example, zero, this can lead to an overflow of a Unicode filename when constructing the reply.
This is caused by the fact that Samba <= 3.0.7 reads this field, allocates 1024 bytes more than requested and then writes the reply into this buffer without any kind of size check. While this behavior was sufficient to protect against overflows in Samba 2.x, the change of the replies for the info_levels SMB_QUERY_FILE_NAME_INFO and SMB_QUERY_FILE_ALL_INFO to Unicode full pathname strings makes it possible to exceed the reserved buffer size.
Using Unicode characters within filenames, this allows overwriting malloc()/free() control structures and therefore allows remote code execution.
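The following is an added, constructed model of the arithmetic described above (it is not Samba's code): the reply buffer is sized from the client-supplied maximum data count plus a fixed 1024-byte slack, and the UTF-16 full pathname is copied into it. The hardened writer adds the size check the advisory says was missing; it assumes ASCII pathnames and ignores the rest of the reply.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not Samba's code: the server adds this slack to the
 * client-supplied max data count when sizing the reply buffer. */
#define SLACK_BYTES 1024

/* Bytes a UTF-16LE encoding of an ASCII pathname needs (2 per char). */
size_t unicode_pathname_bytes(size_t path_chars) {
    return path_chars * 2;
}

/* 1 if the encoded pathname fits the buffer the vulnerable code allocates
 * (client_max_data + 1024), 0 if it would overflow it. */
int reply_fits(uint32_t client_max_data, size_t path_chars) {
    size_t buf = (size_t)client_max_data + SLACK_BYTES;
    return unicode_pathname_bytes(path_chars) <= buf;
}

/* Hardened writer: refuses to copy when the encoded name exceeds the
 * buffer. Returns bytes written, or 0 so the caller can send an error. */
size_t write_unicode_name(uint8_t *buf, size_t buf_len, const char *path) {
    size_t chars = strlen(path);
    size_t need = unicode_pathname_bytes(chars);
    if (need > buf_len) return 0;             /* the missing size check */
    for (size_t i = 0; i < chars; i++) {      /* ASCII -> UTF-16LE */
        buf[2 * i] = (uint8_t)path[i];
        buf[2 * i + 1] = 0;
    }
    return need;
}

/* Demo: a 600-character pathname against a max_data_count of zero.
 * Returns 1 when the hardened writer rejects it instead of overflowing. */
int demo_overflow_rejected(void) {
    char path[601];
    memset(path, 'A', 600);
    path[600] = '\0';
    uint8_t buf[SLACK_BYTES];                 /* 0 + 1024 bytes */
    return write_unicode_name(buf, sizeof buf, path) == 0;
}

int main(void) {
    printf("600-char path, max_data=0: fits=%d rejected=%d\n",
           reply_fits(0, 600), demo_overflow_rejected());
    return 0;
}
```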
Disclosure Timeline:
24. September 2004 - Made initial contact with the Samba Team
25. September 2004 - Samba Team has fixed the bug in CVS
26. September 2004 - Disclosure was delayed on our side because of another issue that was supposed to be disclosed at the same time
08. November 2004 - Samba Team released 3.0.8 without notifying us because they were wrongly convinced that the bug is not exploitable
15. November 2004 - Public Disclosure
CVE Information:
CAN-2004-0882
Recommendation:
Unlike several other Samba vulnerabilities of the last few months, this vulnerability affects default installations of Samba 3.x, and therefore any user of Samba 3 <= 3.0.7 should upgrade as soon as possible.