From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 7 Jun 2007 10:00:55 +0200
Subject: [UNIX] Samba Multiple Heap Overflow Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070607072830.B52A65784@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Samba Multiple Heap Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Samba via the RPC mechanism. User interaction
is not required to exploit this vulnerability.
DETAILS
Affected Products:
* Samba 3.0.0 - 3.0.25rc3
Samba lsa_io_privilege_set Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the LSA RPC
interface. When parsing a request to LsarAddPrivilegesToAccount, heap
allocation is calculated based on user input. By specifying invalid
values, heap blocks can be overwritten leading to remote code execution.
Samba netdfs_io_dfs_EnumInfo_d Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the DFS RPC
interface. When parsing a request to DFSEnum, heap allocation is
calculated based on user input. By specifying invalid values, heap blocks
can be overwritten leading to remote code execution.
Samba smb_io_notify_option_type_data Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the SPOOLSS RPC
interface. When parsing a request to RFNPCNEX, heap allocation is
calculated based on user input. By specifying invalid values, heap blocks
can be overwritten leading to remote code execution.
Samba sec_io_acl Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the SRVSVC RPC
interface. When parsing a request to NetSetFileSecurity, heap allocation
is calculated based on user input. By specifying invalid values, heap
blocks can be overwritten leading to remote code execution.
Samba lsa_io_trans_names Heap Overflow Vulnerability:
The specific flaw exists in the parsing of RPC requests to the LSA RPC
interface. When parsing a request to LsarLookupSids/LsarLookupSids2, heap
allocation is calculated based on user input. By specifying invalid
values, heap blocks can be overwritten leading to remote code execution.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446>;
CVE-2007-2446
Vendor Status:
Samba has issued an update to correct this vulnerability. More details can
be found at:
<http://us1.samba.org/samba/security/CVE-2007-2446.html>;
http://us1.samba.org/samba/security/CVE-2007-2446.html
Disclosure Timeline:
* 2007.04.25 - Vulnerability reported to vendor
* 2007.05.02 - Digital Vaccine released to TippingPoint customers
* 2007.05.15 - Coordinated public release of advisory
ADDITIONAL INFORMATION
The information has been provided by ZDI-07-029, ZDI-07-030, ZDI-07-031,
ZDI-07-032, ZDI-07-033.
The original articles can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-07-029.html>;
http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
<http://www.zerodayinitiative.com/advisories/ZDI-07-030.html>;
http://www.zerodayinitiative.com/advisories/ZDI-07-030.html
<http://www.zerodayinitiative.com/advisories/ZDI-07-031.html>;
http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
<http://www.zerodayinitiative.com/advisories/ZDI-07-032.html>;
http://www.zerodayinitiative.com/advisories/ZDI-07-032.html
<http://www.zerodayinitiative.com/advisories/ZDI-07-033.html>;
http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
