132004.txt
Posted Nov 20, 2004
Authored by Stefan Esser | Site security.e-matters.de

Samba versions 3 through 3.0.7 suffer from a buffer overflow inside the QFILEPATHINFO request handler. This vulnerability allows for remote code execution.

tags | advisory, remote, overflow, code execution
advisories | CVE-2004-0882
SHA-256 | 19cd039a672527a6b47d2c45a1745de3a774b639ca25e062a5e1932683d23767

e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: Samba 3.x QFILEPATHINFO unicode filename buffer overflow
Release Date: 2004/11/15
Last Modified: 2004/11/15
Author: Stefan Esser [s.esser@e-matters.de]

Application: Samba 3 <= 3.0.7
Severity: A buffer overflow inside the QFILEPATHINFO request
handler allows remote code execution
Risk: Critical
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/132004.html


Overview:

Samba is an Open Source/Free Software suite that provides seamless
file and print services to SMB/CIFS clients. Samba is freely
available under the GNU General Public License.

During an audit of the Samba 3.x codebase a unicode filename buffer
overflow within the handling of TRANSACT2_QFILEPATHINFO replies
was discovered that allows remote execution of arbitrary code.

Exploiting this vulnerability is possible for every Samba user
if a specially crafted pathname exists. If such a path does not
exist, the attacker needs write access to one of the network shares.


Details:

The SMB specification allows clients to specify a maximum amount
of data bytes that the server is allowed to return in a single
reply.

When Samba 3.x receives a TRANSACT2_QFILEPATHINFO request with
this field set to, for example, zero, constructing the reply can
overflow the buffer with a unicode filename.

This is caused by the fact that Samba <= 3.0.7 reads this field,
allocates 1024 bytes more than requested and then writes the reply
into this buffer without any kind of size check. While this
behaviour was sufficient to protect against overflows in
Samba 2.x, the correction of the replies for the info_levels
SMB_QUERY_FILE_NAME_INFO and SMB_QUERY_FILE_ALL_INFO to full
unicode pathname strings allows the reserved buffer size to be
exceeded.

By using unicode characters within filenames it is possible to
overwrite malloc()/free() control structures, which allows remote
code execution.
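The size arithmetic described above, as an added example (not Samba's code and not part of the advisory): a simplified model of the reply buffer sized at the client's max_data_bytes plus 1024, the unicode SMB_QUERY_FILE_NAME_INFO body it must hold, and the bounds check that Samba <= 3.0.7 lacked. The body layout (4-byte length field plus UTF-16LE pathname) is an assumed simplification and pathnames are assumed ASCII; overrun_bytes only computes how far the unchecked write would have gone past the buffer, while build_name_info refuses to write when the body does not fit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_SLACK 1024u /* the 1024 extra bytes Samba <= 3.0.7 allocated */
/* Bytes reserved for the reply data: the client's max_data_bytes plus 1024. */
size_t reserved_reply_size(uint16_t max_data_bytes) {
    return (size_t)max_data_bytes + REPLY_SLACK;
}

/* SMB_QUERY_FILE_NAME_INFO body, simplified: 4-byte length + UTF-16LE pathname (ASCII assumed). */
size_t name_info_needed(const char *full_path) {
    return 4 + 2 * strlen(full_path);
}

/* Models the unchecked write: bytes spilled past the reserved buffer (0 = fits); computed, not written. */
size_t overrun_bytes(uint16_t max_data_bytes, const char *full_path) {
    size_t need = name_info_needed(full_path), have = reserved_reply_size(max_data_bytes);
    return need > have ? need - have : 0;
}

/* Hardened construction: returns bytes written, or -1 if the body would not fit. */
long build_name_info(uint8_t *buf, size_t buf_len, const char *full_path) {
    size_t len = strlen(full_path), need = name_info_needed(full_path);
    if (need > buf_len) return -1;            /* the check missing in 3.0.7 */
    uint32_t name_bytes = (uint32_t)(2 * len);
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(name_bytes >> (8 * i));
    for (size_t i = 0; i < len; i++) {        /* ASCII -> UTF-16LE */
        buf[4 + 2 * i] = (uint8_t)full_path[i];
        buf[5 + 2 * i] = 0;
    }
    return (long)need;
}

/* Same, into a heap buffer sized exactly as Samba <= 3.0.7 reserved it. */
long build_into_reserved(uint16_t max_data_bytes, const char *full_path) {
    size_t have = reserved_reply_size(max_data_bytes);
    uint8_t *buf = malloc(have);
    long rc = buf ? build_name_info(buf, have, full_path) : -1;
    free(buf);
    return rc;
}

/* Constructed sample input: a pathname of n 'a' characters (n <= 2047). */
const char *sample_path(size_t n) {
    static char p[2048];
    if (n > sizeof p - 1) n = sizeof p - 1;
    memset(p, 'a', n); p[n] = '\0';
    return p;
}
```

With max_data_bytes set to zero, any full pathname longer than 510 characters already exceeds the 1024 bytes of slack in this model.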


Proof of Concept:

e-matters is not going to release an exploit for this vulnerability
to the public.


Disclosure Timeline:

24. September 2004 - Made initial contact with the Samba Team
25. September 2004 - Samba Team has fixed the bug in CVS
26. September 2004 - Disclosure was delayed on our side because of
                     another issue that was supposed to get
                     disclosed at the same time
08. November 2004 - Samba Team released 3.0.8 without notifying
                    us because they were wrongly convinced
                    that the bug is not exploitable
15. November 2004 - Public Disclosure


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0882 to this issue.


Recommendation:

Unlike several other Samba vulnerabilities of the last months,
this vulnerability affects default installations of Samba 3.x and
therefore any user of Samba 3 <= 3.0.7 should upgrade as soon as
possible.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.
