Gerald (Jerry) Carter
2008-May-28 14:56 UTC
[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
== Subject:     Boundary failure when parsing SMB responses
==              can result in a buffer overrun
==
== CVE ID#:     CVE-2008-1105
==
== Versions:    Samba 3.0.0 - 3.0.29 (inclusive)
==
== Summary:     Specifically crafted SMB responses can result
==              in a heap overflow in the Samba client code.
==              Because the server process, smbd, can itself
==              act as a client during operations such as
==              printer notification and domain authentication,
==              this issue affects both Samba client and server
==              installations.
==========================================================

===========
Description
===========

Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in smbd. This defect is
a result of an incorrect buffer size when parsing SMB
replies in the routine receive_smb_raw().

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.0.30 has been issued as a security
release to correct the defect. Samba administrators are
advised to upgrade to 3.0.30 or apply the patch as soon
as possible.

=======
Credits
=======

This vulnerability was reported to Samba developers by
Alin Rad Pop, Secunia Research.

The time line is as follows:

* May 15, 2008: Initial report to security@samba.org.
* May 15, 2008: First response from Samba developers confirming
  the bug along with a proposed patch.
* May 28, 2008: Public security advisory made available.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIPXJ/IR7qMdg1EfYRAue5AKDa9zke1fUfAK8+PkGAHPPI+HOGAgCgyAdy
95siCUO1D5/qxy4h4qf/flY=
=sf+i
-----END PGP SIGNATURE-----
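The advisory names the defect class (a receive routine that sizes its copy by a length the remote server supplies, rather than by the buffer it actually has) but not the bytes involved. The following is an added illustration of that class and of the check that closes it; it is not Samba's receive_smb_raw() and makes no claim about Samba's real buffer sizes or the specific SMB operation. It assumes the usual 4-byte NetBIOS session header in front of an SMB message, with bytes 1..3 read as a big-endian length, and a fixed 1024-byte receive buffer chosen only for the example. The "socket" is an in-memory byte string so the code runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout (illustrative, not Samba's own code): a 4-byte
 * session header whose byte 0 is the message type and whose bytes 1..3
 * carry the length of the SMB payload that follows, big-endian. */
#define SMB_HDR_LEN   4
#define SMB_BUF_SIZE  1024   /* receive buffer size chosen for this example */

/* Length the peer claims for the payload, taken straight from the header.
 * This value is attacker-controlled when the peer is a malicious server. */
static size_t smb_declared_len(const uint8_t *hdr)
{
    return ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Bounded receive: copy header + payload from the "socket" (here an
 * in-memory byte string) into buf, refusing any payload that would not
 * fit in bufsize. Returns the number of payload bytes on success, or -1
 * when the declared length is rejected or the stream is short. */
static long recv_smb_raw_bounded(const uint8_t *wire, size_t wire_len,
                                 uint8_t *buf, size_t bufsize)
{
    if (wire_len < SMB_HDR_LEN || bufsize < SMB_HDR_LEN)
        return -1;
    memcpy(buf, wire, SMB_HDR_LEN);
    size_t len = smb_declared_len(buf);
    /* The check that matters: compare the peer-declared length against
     * the space actually available after the header, not against the
     * header or against the length itself. */
    if (len > bufsize - SMB_HDR_LEN)
        return -1;                      /* would overrun buf */
    if (len > wire_len - SMB_HDR_LEN)
        return -1;                      /* truncated stream */
    memcpy(buf + SMB_HDR_LEN, wire + SMB_HDR_LEN, len);
    return (long)len;
}

/* The unsafe counterpart trusts the declared length outright. It performs
 * no copy here; it only reports how many bytes past the end of a buffer of
 * bufsize an unchecked copy would reach, so the overrun can be shown
 * without performing it. */
static long overrun_if_trusted(const uint8_t *wire, size_t bufsize)
{
    size_t need = SMB_HDR_LEN + smb_declared_len(wire);
    return need > bufsize ? (long)(need - bufsize) : 0;
}

/* Convenience wrapper over a fresh local buffer. */
static long check_response(const uint8_t *wire, size_t wire_len)
{
    uint8_t buf[SMB_BUF_SIZE];
    return recv_smb_raw_bounded(wire, wire_len, buf, sizeof buf);
}

/* Constructed samples (not captured traffic): a benign response that
 * declares and carries 8 payload bytes, a response that declares 8 but
 * carries only 2, and a malicious header declaring 0xFFFFFF bytes. */
static const uint8_t good_resp[]  = { 0x00, 0x00, 0x00, 0x08,
                                      0xFF, 'S', 'M', 'B', 0x72, 0, 0, 0 };
static const uint8_t short_resp[] = { 0x00, 0x00, 0x00, 0x08, 0xFF, 'S' };
static const uint8_t evil_resp[]  = { 0x00, 0xFF, 0xFF, 0xFF };

int main(void)
{
    printf("benign:    %ld payload bytes\n",
           check_response(good_resp, sizeof good_resp));
    printf("truncated: %ld (rejected)\n",
           check_response(short_resp, sizeof short_resp));
    printf("malicious: %ld (rejected); an unchecked copy would run %ld bytes past the buffer\n",
           check_response(evil_resp, sizeof evil_resp),
           overrun_if_trusted(evil_resp, SMB_BUF_SIZE));
    return 0;
}
```

The point of the two rejects is that the length check must be expressed in terms of the destination buffer (bufsize - SMB_HDR_LEN) and of the bytes actually received; a check written against any other quantity leaves the remote server in control of how much is written past the buffer.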
Quoting Gerald (Jerry) Carter (jerry@samba.org):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==========================================================
> == Subject:     Boundary failure when parsing SMB responses
> ==              can result in a buffer overrun
> ==
> == CVE ID#:     CVE-2008-1105

I think that Debian users might benefit from the following:

The maintainers of samba packages in Debian are working on updates
wrt this issue. A bug has already been reported to track it in Debian
BTS and, as all security issues in Debian, is tracked by the Debian
security team.

I've already prepared packages for 3.0.30, which will be uploaded to
Debian unstable ASAP. These packages have a high priority so they
should be built for all architectures in priority by Debian
autobuilders, then enter Debian testing 2 days after the upload (in
theory: some autobuilders are slow).

Packages for Debian etch (which includes 3.0.24) have been built
without problems. We'll do some regression testing (but, as everybody
knows, that's pretty complicated for samba given the number of
possible use cases) and they'll be uploaded to be reviewed by Debian
security team. Of course, the usual Debian security announcements will
be sent when things are ready.

*There will not be any official Debian packages for sarge* (which has
3.0.14a). The sarge release is no longer supported by Debian and
Debian security team and users should upgrade to etch. For samba, this
is the first time we won't issue sarge packages (last CVE issues
happened when sarge was still supported).
Alexander
2008-May-29 09:59 UTC
RE: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
Hello Jerry, list,

Could someone please provide a bit more information regarding this
vulnerability, in terms of what configurations are affected?

Everything I could find on Secunia and in the message below tells me
that vulnerable are the cases when smbd acts as a client - what are
they?

Secunia suggests that:

"Successful exploitation allows execution of arbitrary code by tricking
a user into connecting to a malicious server (e.g. by clicking an
"smb://" link) or by sending specially crafted packets to an "nmbd"
server configured as a local or domain master browser. Do not connect
to untrusted SMB servers or follow untrusted links."

What could that mean? E.g. may we consider a situation when all
"browser" settings are "no" and no DC on Samba (authentication is done
via MS AD, Samba is a member of) plus it is not used for printing as
not vulnerable? That would make our strategy for patching more clear
as we'd like to avoid unnecessary downtimes.

Please do not hesitate to move this discussion to samba-technical, if
you feel it's more appropriate.

Thanks,
Alexander

> -----Original Message-----
> From: samba@lists.samba.org On Behalf Of Gerald (Jerry) Carter
> Sent: Wednesday, May 28, 2008 6:56 PM
> To: samba@samba.org
> Subject: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==========================================================
> == Subject:     Boundary failure when parsing SMB responses
> ==              can result in a buffer overrun
> ==
> == CVE ID#:     CVE-2008-1105
> ==
> == Versions:    Samba 3.0.0 - 3.0.29 (inclusive)
> ==
> == Summary:     Specifically crafted SMB responses can result
> ==              in a heap overflow in the Samba client code.
> ==              Because the server process, smbd, can itself
> ==              act as a client during operations such as
> ==              printer notification and domain authentication,
> ==              this issue affects both Samba client and server
> ==              installations.
> ==========================================================
>
> ===========
> Description
> ===========
>
> Secunia Research reported a vulnerability that allows for
> the execution of arbitrary code in smbd. This defect is
> a result of an incorrect buffer size when parsing SMB
> replies in the routine receive_smb_raw().
>
> ==================
> Patch Availability
> ==================
>
> A patch addressing this defect has been posted to
>
>   http://www.samba.org/samba/security/
>
> Additionally, Samba 3.0.30 has been issued as a security
> release to correct the defect. Samba administrators are
> advised to upgrade to 3.0.30 or apply the patch as soon
> as possible.
>
> =======
> Credits
> =======
>
> This vulnerability was reported to Samba developers by
> Alin Rad Pop, Secunia Research.
>
> The time line is as follows:
>
> * May 15, 2008: Initial report to security@samba.org.
> * May 15, 2008: First response from Samba developers confirming
>   the bug along with a proposed patch.
> * May 28, 2008: Public security advisory made available.
>
> ==========================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ==========================================================
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFIPXJ/IR7qMdg1EfYRAue5AKDa9zke1fUfAK8+PkGAHPPI+HOGAgCgyAdy
> 95siCUO1D5/qxy4h4qf/flY=
> =sf+i
> -----END PGP SIGNATURE-----
Gerald (Jerry) Carter
2008-May-29 14:12 UTC
[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander,

> Hello Jerry, list,
>
> Could someone please provide a bit more information
> regarding this vulnerability, in terms of what
> configurations are affected?

It is in the client SMB response parsing for a specific SMB op.
There are many places where the client code is used. For example,
print change notification where smbd has to reconnect back to the
Windows NT or later client and open a socket. Also of course the
domain member server connections (contacting a DC) as well as
simple smbspool and smbclient uses.

This is a pretty important patch for all server configurations
I believe.

Hope this helps.

cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software           --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIPrmlIR7qMdg1EfYRAkOhAKCYFFvUMx5Ieojgj4E14B+owOsDLgCeJZO4
APPGCs6TbE4ljVBTL5Y6K1Q=
=z1do
-----END PGP SIGNATURE-----