Date: 14 Sep 2004 13:47:02 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Samba Services Remote Denial Of Service Vulnerabilities
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Samba Services Remote Denial Of Service Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Samba (http://www.samba.org/samba) is an Open Source/Free Software suite
that provides seamless file and print services to SMB/CIFS clients.
A remote attacker is able to crash the Samba nmbd service thereby creating
a denial of service condition. The attack is possible due to an input
validation error. In addition, the Samba smbd service is vulnerable to a
resource exhaustion attack resulting in denial of service.
DETAILS
Vulnerable Systems:
* Samba nmbd and smbd services version 3.0.6 and prior
Immune Systems:
* Samba version 2.x
CVE Information:
CAN-2004-0807 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807>
CAN-2004-0808 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808>
Samba nmbd service DoS
nmbd is a server that typically listens on UDP port 138; it understands and
can reply to NetBIOS over IP name service requests, and it participates in
the browsing protocols that make up the Windows "Network Neighborhood" view.
Due to an input validation error, a malformed UDP packet can cause the
nmbd server to crash while attempting to access memory outside the scope
of the application's memory image.
The vulnerability exists in the process_logon_packet() function when it
handles a SAM_UAS_CHANGE request. Part of this packet contains a count of
the number of structures that follow. No check is made against the length
of the packet to determine whether it is possible to have as many
structures in it as it claims. If a large value is supplied, but a small
number of structures are supplied, nmbd will reference memory outside of
the packet it has been supplied. This may cause the nmbd process to crash.
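As an added example that is not Samba's own code, the following C shows the bounds check the advisory describes as missing, applied to a simplified, hypothetical packet layout (a 4-byte little-endian count followed by 16-byte records; the real SAM_UAS_CHANGE layout is not given here): the claimed count is compared against the bytes actually received before any record is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COUNT_SIZE  4u   /* hypothetical: 32-bit little-endian record count */
#define RECORD_SIZE 16u  /* hypothetical: fixed-size record that follows it */

/* Decode the little-endian 32-bit count at the start of the packet. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the record count when every claimed record fits inside the bytes
 * actually received, or -1 otherwise.  The comparison of the claimed count
 * against the records that fit in (len - COUNT_SIZE) is exactly the check
 * the advisory says process_logon_packet() was missing. */
int parse_uas_change(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < COUNT_SIZE)
        return -1;                           /* no room even for the count */
    uint32_t claimed = read_le32(pkt);
    size_t available = (len - COUNT_SIZE) / RECORD_SIZE;
    if (claimed > available)
        return -1;                           /* count exceeds packet: reject */
    /* Only now is it safe to walk the records; rec never leaves pkt[0..len). */
    const uint8_t *rec = pkt + COUNT_SIZE;
    for (uint32_t i = 0; i < claimed; i++, rec += RECORD_SIZE)
        (void)rec;                           /* per-record decoding would go here */
    return (int)claimed;                     /* a UDP datagram holds far fewer than INT_MAX records */
}

/* Constructed sample packets (not captured traffic): one consistent packet
 * and one that claims 65535 records while carrying room for only two. */
int demo(void)
{
    uint8_t good[COUNT_SIZE + 2 * RECORD_SIZE] = {2, 0, 0, 0};
    uint8_t bad[COUNT_SIZE + 2 * RECORD_SIZE] = {0xff, 0xff, 0, 0};
    int g = parse_uas_change(good, sizeof good);
    int b = parse_uas_change(bad, sizeof bad);
    printf("consistent packet: %d records; oversized count: %d\n", g, b);
    return g == 2 && b == -1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```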
The following is a trace of exploitation, showing the server no longer
responding to an nmblookup. The nmblookup tool is used to query NetBIOS
names and map them to IP addresses:
sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
FEDORA1 <00> - B <ACTIVE>
FEDORA1 <03> - B <ACTIVE>
FEDORA1 <20> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
MYGROUP <00> - <GROUP> B <ACTIVE>
MYGROUP <1b> - B <ACTIVE>
MYGROUP <1c> - B <ACTIVE>
MYGROUP <1e> - <GROUP> B <ACTIVE>
sh-2.05b$ ./n 10.1.0.240 138 fedora1
Samba 3.x nmbd remote DoS exploit (0day)
Attacking 10.1.0.240:138 ..
Done, nmbd should be killed now.
sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
sh-2.05b$
This vulnerability is only exploitable if the daemon has been configured
to process domain logons. This vulnerability does not allow arbitrary code
execution. When the nmbd process dies, it no longer returns information
about the server, and the host is no longer accessible by referencing its
name.
Additionally, the following line must be present in the smb.conf file,
which controls the configuration of Samba:
'domain logons = yes'
Samba smbd service DoS
An unauthenticated remote user can cause resource exhaustion by sending
multiple malformed requests to an affected server. Each request spawns a
new process, which enters an infinite loop. The attack needs very little
bandwidth to make the machine stop responding: each request from the
exploit tested was only 358 bytes, and a Red Hat Fedora Core 1 machine with
512 megabytes of RAM and 512 megabytes of swap took fewer than 4000
requests to render it unusable.
Patch Availability:
Although removing the 'domain logons = yes' line will solve the problem in
nmbd, it will also affect the operation of Samba. For smbd, the only
workaround is either to configure Samba with the "hosts allow" option,
limiting access to trusted machines, or to use firewall rules.
However, a patch file for Samba 3.0.5 addressing the bugs
(samba-3.0.5-DoS.patch) can be downloaded from
http://download.samba.org/samba/ftp/patches/security/
Disclosure Timeline
09/02/2004 Initial vendor notification
09/02/2004 iDEFENSE clients notified
09/02/2004 Vendor response
09/13/2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE Labs <mailto:[email protected]>.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=138&type=vulnerabilities