Subject: Secunia Research: Samba "send_mailslot()" Buffer Overflow
Vulnerability
From: Secunia Research <remove-vuln@secunia.com.>
Reply-To: [email protected]
To: [email protected]
Cc: [email protected]
Content-Type: text/plain
Date: Mon, 10 Dec 2007 16:56:42 +0100
Message-Id: <1197302202.26394.610.camel@ts2.intnet.>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.2 (2.0.2-35.0.4.el4)
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
Secunia Research 10/12/2007
- Samba "send_mailslot()" Buffer Overflow Vulnerability -
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
1) Affected Software
* Samba 3.0.27a
NOTE: Other versions may also be affected.
2) Severity
Rating: Moderately critical
Impact: System access
Where: Local network
3) Vendor's Description of Software
"Samba is an Open Source/Free Software suite that has, since 1992,
provided file and print services to all manner of SMB/CIFS clients,
including the numerous versions of Microsoft Windows operating systems.
Samba is freely available under the GNU General Public License."
Product Link:
http://www.samba.org/
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Samba, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the
"send_mailslot()" function. This can be exploited to cause a
stack-based buffer overflow with zero bytes via a specially crafted
"SAMLOGON" domain logon packet containing a username string placed at
an odd offset followed by an overly long GETDC string.
Successful exploitation allows execution of arbitrary code, but
requires that the "domain logons" option is enabled.
5) Solution
A fix should be released later today.
6) Time Table
22/11/2007 - Vendor notified.
22/11/2007 - vendor-sec notified.
23/11/2007 - Vendor response.
10/12/2007 - Public disclosure.
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-6015 for the vulnerability.
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://corporate.secunia.com/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/secunia_vacancies/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-99/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
