liujack
2007-Jun-01 07:54 UTC
[Samba] samba problem: Multiple Heap Overflows Allow Remote Code Execution
Dear Jeremy:

We use samba 2.2.12 as our samba server, and it worked perfectly before, but now there is one security problem found in samba 3.0 now, so we worry about our samba server, but for some reason we can't update to samba 3.0.25, so can you tell us whether the problem be existent in samba 2.2.12, or how can I test our samba server with some tools software?

Thanks,
Jack

From kent at cpttm.org.mo Fri Jun 1 07:59:59 2007
From: kent at cpttm.org.mo (Kent Tong)
Date: Fri Jun 1 08:01:00 2007
Subject: [Samba] Repost: Can't follow DFS link
Message-ID: <loom.20070601T095548-534@post.gmane.org>

Hi,

I am using 3.0.22 on Ubuntu 6.06. I'm trying to setup a DFS root. Here is the smb.conf share section:

My smb.conf file is:

    [global]
    # use default
    ; security = user
    host msdfs = yes

    [Share]
    path=/var/Share
    writable=yes
    msdfs root=yes

The dfs link is:

    # ls -l /var/Share/Data/2007/OfficeAdmin/pdf
    lrwxrwxrwx 1 root root 19 2007-05-23 09:14 /var/Share/Data/2007/OfficeAdmin/pdf -> msdfs:cladms004\pdf

All the clients have been rebooted. They can all connect to \\cladms004\pdf directly. On one Win2K client the DFS link works fine. But on another Win2K client and a Win2K terminal server, I can't go into the "pdf" folder. I can see the "pdf" folder inside the share. But when I try to go into the "pdf" folder, Windows says the folder is inaccessible.
The level 10 log is:

[2007/05/28 17:24:14, 10] lib/util_sock.c:read_smb_length_return_keepalive(618)
  got smb length of 128
[2007/05/28 17:24:14, 6] smbd/process.c:process_smb(1193)
  got message type 0x0 of len 0x80
[2007/05/28 17:24:14, 3] smbd/process.c:process_smb(1194)
  Transaction 257270 of length 132
[2007/05/28 17:24:14, 5] lib/util.c:show_msg(454)
[2007/05/28 17:24:14, 5] lib/util.c:show_msg(464)
  size=128
  smb_com=0x32
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51203
  smb_tid=10
  smb_pid=2264
  smb_uid=187
  smb_mid=9153
  smt_wct=15
  smb_vwv[ 0]= 60 (0x3C)
  smb_vwv[ 1]= 0 (0x0)
  smb_vwv[ 2]= 2 (0x2)
  smb_vwv[ 3]= 40 (0x28)
  smb_vwv[ 4]= 0 (0x0)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 0 (0x0)
  smb_vwv[ 7]= 0 (0x0)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 60 (0x3C)
  smb_vwv[10]= 68 (0x44)
  smb_vwv[11]= 0 (0x0)
  smb_vwv[12]= 0 (0x0)
  smb_vwv[13]= 1 (0x1)
  smb_vwv[14]= 5 (0x5)
  smb_bcc=63
[2007/05/28 17:24:14, 10] lib/util.c:dump_data(2058)
  [000] 00 00 00 EC 03 00 00 00 00 5C 00 44 00 61 00 74 ........ .\.D.a.t
  [010] 00 61 00 5C 00 32 00 30 00 30 00 37 00 5C 00 4F .a.\.2.0 .0.7.\.O
  [020] 00 66 00 66 00 69 00 63 00 65 00 41 00 64 00 6D .f.f.i.c .e.A.d.m
  [030] 00 69 00 6E 00 5C 00 70 00 64 00 66 00 00 00 .i.n.\.p .d.f...
[2007/05/28 17:24:14, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans2 (pid 3864) conn 0x83ed558
[2007/05/28 17:24:14, 4] smbd/uid.c:change_to_user(222)
  change_to_user: Skipping user change - already user
[2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2861)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "Data/2007/OfficeAdmin/pdf"
[2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [DATA/2007/OFFICEADMIN/PDF]
[2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [DATA/2007/OFFICEADMIN] -> [Data/2007/OfficeAdmin]
[2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = Data/2007/OfficeAdmin/pdf, dirpath = Data/2007/OfficeAdmin, start = pdf
[2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled pdf ?
[2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component pdf (len 3) ?
[2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled pdf ?
[2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component pdf (len 3) ?
[2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140)
  stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data/2007/OfficeAdmin/pdf
[2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140)
  stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data/2007/OfficeAdmin/pdf
[2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(400)
  conversion finished Data/2007/OfficeAdmin/pdf -> Data/2007/OfficeAdmin/pdf
[2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2886)
  call_trans2qfilepathinfo: SMB_VFS_STAT of Data/2007/OfficeAdmin/pdf failed (No such file or directory)
[2007/05/28 17:24:14, 10] smbd/trans2.c:set_bad_path_error(2623)
  set_bad_path_error: err = 2 bad_path = 0
[2007/05/28 17:24:14, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(2629) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
Gerald (Jerry) Carter
2007-Jun-01 12:09 UTC
[Samba] samba problem: Multiple Heap Overflows Allow Remote Code Execution
liujack,

> Dear Jeremy: We use samba 2.2.12 as our
> samba server, and it worked perfectly before,
> but now there is one security problem found in
> samba 3.0 now, so we worry about our samba server,
> but for some reason we can't update to samba 3.0.25,
> so can you tell us whether the problem be existent
> in samba 2.2.12, or how can I test our samba server
> with some tools software? Thanks, Jack

For the record:

CVE-2007-2447 was present in some form in the 2.2.x branch.
CVE-2007-2444 does not apply to 3.0.23c or earlier releases.
CVE-2007-2446 probably applies in some fashion to 2.2.x.

But Samba 2.2 was declared EOL in Oct of 2004. Your only option is to backport the patches yourself or contact a vendor for paid support and have them do it.

cheers, jerry
Volker Lendecke
2007-Jun-01 12:23 UTC
[Samba] samba problem: Multiple Heap Overflows Allow Remote Code Execution
On Fri, Jun 01, 2007 at 03:54:05PM +0800, liujack wrote:

> Dear Jeremy: We use samba 2.2.12 as our samba
> server, and it worked perfectly before, but now there
> is one security problem found in samba 3.0 now, so we
> worry about our samba server, but for some reason we can't
> update to samba 3.0.25, so can you tell us whether the
> problem be existent in samba 2.2.12, or how can I test
> our samba server with some tools software? Thanks,

Sorry, Samba 2.2 has been declared end of life for ages now. What are your reasons that you can not upgrade?

Volker