Category:   Application (File Transfer/Sharing)  >   Samba
Vendors:   Samba.org
(Mandrake Issues Fix) Samba QFILEPATHINFO Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012277
SecurityTracker URL:  http://securitytracker.com/id/1012277
CVE Reference:   CVE-2004-0882
Date:  Nov 19 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0 - 3.0.7
Description:   A vulnerability was reported in Samba in the processing of QFILEPATHINFO requests. A remote authenticated user can execute arbitrary code on the target system.

Stefan Esser of e-matters GmbH reported that a remote authenticated user can trigger a buffer overflow by sending a specially crafted TRANSACT2_QFILEPATHINFO request for a specially crafted filename containing Unicode characters. When the target server converts the filename's Unicode characters while constructing the reply, the result may overflow the space the server allocated for it.
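
An added illustration of the bug class described above (not Samba's code and not part of the original advisory): a reply builder that converts a filename to a wider encoding has to bound every write by the space left in the reply, not by the source byte length. The helper name `push_utf16le`, the UTF-8 to UTF-16LE conversion and the sample names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one UTF-8 sequence; returns bytes consumed, 0 if malformed. */
static size_t utf8_next(const uint8_t *s, size_t len, uint32_t *cp)
{
    static const uint32_t min_cp[5] = {0, 0, 0x80, 0x800, 0x10000};
    size_t n, i;
    if (s[0] < 0x80)                { *cp = s[0];        n = 1; }
    else if ((s[0] & 0xE0) == 0xC0) { *cp = s[0] & 0x1F; n = 2; }
    else if ((s[0] & 0xF0) == 0xE0) { *cp = s[0] & 0x0F; n = 3; }
    else if ((s[0] & 0xF8) == 0xF0) { *cp = s[0] & 0x07; n = 4; }
    else return 0;
    if (n > len) return 0;                          /* truncated sequence */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;        /* bad continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min_cp[n] || *cp > 0x10FFFF) return 0;   /* overlong / range */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;      /* lone surrogate */
    return n;
}

/* Hypothetical reply helper: write `name` as NUL-terminated UTF-16LE into
 * dst[0..cap). Returns bytes written, or -1 if malformed or it will not fit. */
long push_utf16le(uint8_t *dst, size_t cap, const char *name)
{
    const uint8_t *s = (const uint8_t *)name;
    size_t len = strlen(name), o = 0, n;
    uint32_t cp;
    while (len > 0) {
        if ((n = utf8_next(s, len, &cp)) == 0) return -1;
        size_t need = (cp >= 0x10000 ? 4 : 2) + 2;  /* units + terminator */
        if (cap - o < need) return -1;              /* refuse, never overrun */
        if (cp >= 0x10000) {                        /* surrogate pair */
            uint32_t v = cp - 0x10000;
            uint32_t hi = 0xD800 | (v >> 10), lo = 0xDC00 | (v & 0x3FF);
            dst[o++] = (uint8_t)hi; dst[o++] = (uint8_t)(hi >> 8);
            dst[o++] = (uint8_t)lo; dst[o++] = (uint8_t)(lo >> 8);
        } else {
            dst[o++] = (uint8_t)cp; dst[o++] = (uint8_t)(cp >> 8);
        }
        s += n; len -= n;
    }
    if (cap - o < 2) return -1;                     /* empty name, tiny buffer */
    dst[o++] = 0; dst[o++] = 0;
    return (long)o;
}
```

A buffer sized from the source name (`strlen(name) + 1`) is rejected here for both an ASCII name and a mixed one, because the converted form needs more bytes than the source.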

If the filename does not already exist on the target server, the remote authenticated user must have write access to create the specially crafted filename before issuing the request.

The vendor was notified on September 24, 2004.

Default installations are affected.

The original advisory is available at:

http://security.e-matters.de/advisories/132004.html

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   Mandrake has released a fix.

Vendor URL:  www.samba.org/
Cause:   Boundary error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.0, 10.1

Message History:   This archive entry is a follow-up to the message listed below.
Nov 15 2004 Samba QFILEPATHINFO Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security Announce] MDKSA-2004:136 - Updated samba packages fix



 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           samba
 Advisory ID:            MDKSA-2004:136
 Date:                   November 18th, 2004

 Affected versions:      10.0, 10.1
 ______________________________________________________________________

 Problem Description:

 Stefan Esser discovered that invalid bounds checking in reply to
 certain trans2 requests could result in a buffer overrun in smbd.
 This can only be exploited by a malicious user able to create files
 with very specific Unicode filenames on a samba share.
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
 ______________________________________________________________________

 Updated Packages:
  
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>