[UNIX] Samba 3.x QFILEPATHINFO Unicode Filename Buffer Overflow


Date: 15 Nov 2004 19:58:21 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Samba 3.x QFILEPATHINFO Unicode Filename Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Samba 3.x QFILEPATHINFO Unicode Filename Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Samba is an Open Source/Free Software suite that provides seamless file 
and print services to SMB/CIFS clients. Samba is freely available under 
the GNU General Public License.

During an audit of the Samba 3.x codebase a Unicode filename buffer 
overflow within the handling of TRANSACT2_QFILEPATHINFO replies was 
discovered that allows remote execution of arbitrary code.

This vulnerability can be exploited by any Samba user if a specially 
crafted pathname exists on the server. If such a path does not exist, the 
attacker needs write access to one of the network shares in order to 
create it.

DETAILS

Vulnerable Systems:
 * Samba version 3.0.7 and prior

Immune Systems:
 * Samba version 3.0.8 or newer

The SMB specification allows clients to specify a maximum amount of data 
bytes that the server is allowed to return in a single reply.

When Samba 3.x receives a TRANSACT2_QFILEPATHINFO request with this field 
set to a small value, for example zero, a Unicode filename can overflow the 
reply buffer while the reply is being constructed.

This is caused by the fact that Samba <= 3.0.7 reads this field, allocates 
a buffer 1024 bytes larger than the requested amount, and then writes the 
reply into this buffer without any kind of size check. While this behavior 
was sufficient to protect against overflows in Samba 2.x, the change of the 
replies for the info_levels SMB_QUERY_FILE_NAME_INFO and 
SMB_QUERY_FILE_ALL_INFO to Unicode full pathname strings allows the 
reserved buffer size to be exceeded.

Because the overflowing data consists of Unicode characters taken from 
the filename, malloc()/free() control structures can be overwritten, which 
allows remote code execution.
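The sizing problem described above can be illustrated with a small model in C. This is an added example, not Samba's source: it models a reply buffer sized from the client-supplied max_data_bytes plus a fixed 1024-byte slack, computes how many bytes an SMB_QUERY_FILE_NAME_INFO reply needs for an ASCII-encoded versus a UTF-16 full pathname, and shows the length check that prevents the write from exceeding the buffer. The 4-byte FileNameLength header, the helper names and the 600-character sample path are assumptions chosen for the illustration; nothing here writes past a buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the reply-sizing bug described in the advisory.
 * Not Samba's code: constants and the header layout are assumptions
 * chosen for the example. */
#define REPLY_SLACK       1024  /* slack the advisory says was added to max_data_bytes */
#define NAME_INFO_HEADER  4     /* assumed 4-byte FileNameLength field before the name */

/* Bytes a pathname occupies in the reply: 1 per char in the old ASCII
 * replies, 2 per char once the info levels changed to UTF-16 full paths. */
size_t ascii_name_bytes(const char *path)   { return strlen(path); }
size_t unicode_name_bytes(const char *path) { return 2 * strlen(path); }

/* The buffer size the advisory describes: client-controlled max_data_bytes
 * plus the fixed slack, independent of how long the reply actually is. */
size_t legacy_buffer_size(uint32_t max_data_bytes) {
    return (size_t)max_data_bytes + REPLY_SLACK;
}

/* Models the unchecked write without performing it: 1 when the Unicode
 * reply is larger than the buffer the old logic would have allocated. */
int unchecked_unicode_reply_overflows(uint32_t max_data_bytes, const char *path) {
    return NAME_INFO_HEADER + unicode_name_bytes(path) > legacy_buffer_size(max_data_bytes);
}

/* Same question for the pre-Unicode (ASCII) reply format, showing why the
 * slack alone used to be enough in Samba 2.x. */
int unchecked_ascii_reply_overflows(uint32_t max_data_bytes, const char *path) {
    return NAME_INFO_HEADER + ascii_name_bytes(path) > legacy_buffer_size(max_data_bytes);
}

/* Hardened builder: compute the required length before touching the buffer
 * and refuse the request when the reply does not fit.
 * Returns bytes written, or -1 when the reply would exceed out_len. */
long build_name_info_reply(const char *path, unsigned char *out, size_t out_len) {
    size_t name_len = unicode_name_bytes(path);
    size_t need = NAME_INFO_HEADER + name_len;
    if (need > out_len) return -1;                    /* the check the advisory says was missing */
    out[0] = (unsigned char)(name_len & 0xff);        /* FileNameLength, little-endian */
    out[1] = (unsigned char)((name_len >> 8) & 0xff);
    out[2] = (unsigned char)((name_len >> 16) & 0xff);
    out[3] = (unsigned char)((name_len >> 24) & 0xff);
    size_t pos = NAME_INFO_HEADER;
    for (const char *p = path; *p; p++) {             /* ASCII -> UTF-16LE */
        out[pos++] = (unsigned char)*p;
        out[pos++] = 0;
    }
    return (long)need;
}

/* Allocate the buffer the way the advisory describes, then build the reply
 * with the length check in place. Returns bytes written or -1. */
long checked_reply(uint32_t max_data_bytes, const char *path) {
    size_t size = legacy_buffer_size(max_data_bytes);
    unsigned char *buf = malloc(size);
    if (!buf) return -1;
    long n = build_name_info_reply(path, buf, size);
    free(buf);
    return n;
}

/* Constructed sample: a 600-character pathname (not a real share path). */
const char *constructed_long_path(void) {
    static char path[601];
    if (path[0] == '\0') { memset(path, 'A', 600); path[600] = '\0'; }
    return path;
}

int main(void) {
    const char *lp = constructed_long_path();
    printf("short path, max_data_bytes=0: unicode overflow=%d, checked reply=%ld bytes\n",
           unchecked_unicode_reply_overflows(0, "\\share\\a.txt"), checked_reply(0, "\\share\\a.txt"));
    printf("600-char path, max_data_bytes=0: ascii overflow=%d, unicode overflow=%d, checked reply=%ld\n",
           unchecked_ascii_reply_overflows(0, lp), unchecked_unicode_reply_overflows(0, lp), checked_reply(0, lp));
    printf("600-char path, max_data_bytes=1024: checked reply=%ld bytes\n", checked_reply(1024, lp));
    return 0;
}
```

With max_data_bytes set to zero the buffer is exactly 1024 bytes: the 600-character path fits as ASCII (604 bytes) but not as UTF-16 (1204 bytes), which is the gap the advisory describes. The checked builder returns -1 in that case instead of writing past the allocation; once the client requests enough data (1024 bytes, giving a 2048-byte buffer) the same path is encoded normally.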

Disclosure Timeline:
24. September 2004 - Made initial contact with the Samba Team
25. September 2004 - Samba Team has fixed the bug in CVS
26. September 2004 - Disclosure was delayed on our side because of another 
issue that was supposed to be disclosed at the same time
08. November  2004 - Samba Team released 3.0.8 without notifying us because 
they were wrongly convinced that the bug is not exploitable
15. November  2004 - Public Disclosure

CVE Information:
 CAN-2004-0882: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882

Recommendation:
Unlike several other Samba vulnerabilities disclosed in recent months, this 
vulnerability affects default installations of Samba 3.x, so any user of 
Samba 3 <= 3.0.7 should upgrade to 3.0.8 or newer as soon as possible.


ADDITIONAL INFORMATION

The information has been provided by Stefan Esser ([email protected]).
The original article can be found at:
http://security.e-matters.de/advisories/132004.html





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
