(Immunix Issues Fix) Samba Buffer Overflow in call_trans2open() Function Lets Remote Users Execute Arbitrary Code With Root Privileges
|
|
SecurityTracker Alert ID: 1006509 |
|
SecurityTracker URL: http://securitytracker.com/id/1006509
|
|
CVE Reference:
CAN-2003-0201
(Links to External Site)
|
Date: Apr 7 2003
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 2.2.8a, also 2.0.10 and prior
|
Description:
A buffer overflow vulnerability was reported in Samba. A remote user can gain root access on the target system.
Digital Defense reported that a remote user can trigger a buffer overflow in the call_trans2open() function in the 'trans2.c' file. The function performs a StrnCpy() operation using a length variable that is 1 byte too long, according to the report. Digital Defense warned that a remote user can exploit this flaw to execute arbitrary code with root privileges.
A scanning utility to assist in identifying hosts running Samba is available at:
http://www.digitaldefense.net/labs/tools/nmbping.pl
A demonstration exploit is available at:
http://www.digitaldefense.net/labs/tools/trans2root.pl
|
Impact:
A remote user can execute arbitrary code with root privileges to gain root access on the system.
|
Solution:
Immunix has released a fix.
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-2.0.10-2_imnx_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-client-2.0.10-2_imnx_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-common-2.0.10-2_imnx_3.i386.rpm
Immunix OS 7+ md5sums:
13b41eeaf5ef6d018554fab4ae4958bc samba-2.0.10-2_imnx_3.i386.rpm
bbfeb9255328a8e73790f390aa7afb9f samba-client-2.0.10-2_imnx_3.i386.rpm
feeb2e9d872f5bdc01c44ee125f0170c samba-common-2.0.10-2_imnx_3.i386.rpm
ffa5900e389ed12620ec72bd4fdf5c15 samba-2.0.10-2_imnx_3.src.rpm
|
Vendor URL: www.samba.org/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Immunix)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 7 Apr 2003 11:39:07 -0700
Subject: [Immunix-announce] Immunix Secured OS 7+ samba update
|
--===============52321243927439154==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="48TaNjbzBVislYPb"
Content-Disposition: inline
--48TaNjbzBVislYPb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: samba
Affected products: ImmunixOS 7.0, 7+
Bugs fixed: CAN-2003-0201
Date: Mon Apr 7 2003
Advisory ID: IMNX-2003-7+-006-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Digital Defense found an actively-exploited samba static-buffer
overflow on a honeypot system. They figured out the vulnerable section
of code and alerted the Samba team, who found some additional bugs
while fixing this bug.
In samba version 2.0.10, this buffer is located on the heap, so
StackGuard does not provide protection for this buffer overflow.
There are actively-used samba 2.2 exploits that allow remote anonymous
users to gain local root privileges. The samba 2.2 exploit analyzed by
Digital Defense used a statically allocated buffer. While we do not
know of any exploits against the 2.0.10 version, it may be possible
to re-write the exploit in use to attack the heap-based buffer in
samba 2.0.10. We recommend upgrading.
Please note this is different from (and includes the fixes from)
IMNX-2003-7+-003-01, which addressed different samba security flaws.
=20
References:
http://www.securityfocus.com/archive/1/317615/2003-04-04/2003-04-10/0
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-2.0.10-2_imnx=
_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-client-2.0.10=
-2_imnx_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/samba-common-2.0.10=
-2_imnx_3.i386.rpm
Immunix OS 7+ md5sums:
13b41eeaf5ef6d018554fab4ae4958bc samba-2.0.10-2_imnx_3.i386.rpm
bbfeb9255328a8e73790f390aa7afb9f samba-client-2.0.10-2_imnx_3.i386.rpm
feeb2e9d872f5bdc01c44ee125f0170c samba-common-2.0.10-2_imnx_3.i386.rpm
ffa5900e389ed12620ec72bd4fdf5c15 samba-2.0.10-2_imnx_3.src.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--48TaNjbzBVislYPb
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj6RxcoACgkQVQcWL60UVMtKxwCffaze1gckJfU64LJ34srfozL2
+UsAoJXpIcgzvAJWdBdOnOTuK9bl50PV
=JVCJ
-----END PGP SIGNATURE-----
--48TaNjbzBVislYPb--
--===============52321243927439154==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
--===============52321243927439154==--
|
|
