SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   Samba
Vendors:   Samba.org
Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018954
SecurityTracker URL:  http://securitytracker.com/id/1018954
CVE Reference:   CVE-2007-4572
Date:  Nov 15 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0.0 - 3.0.26a
Description:   A vulnerability was reported in Samba. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted GETDC mailslot requests to trigger a buffer overflow in nmbd and execute arbitrary code on the target system. The code will run with the privileges of the target service.

The vendor discovered this vulnerability on September 13, 2007.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (3.0.27).

Also, patches are available at:

http://www.samba.org/samba/security/

The Samba advisory is available at:

http://samba.org/samba/security/CVE-2007-4572.html

Vendor URL:  samba.org/samba/security/CVE-2007-4572.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 15 2007 (Red Hat Issues Fix) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Nov 16 2007 (Red Hat Issues Fix) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Nov 16 2007 (Red Hat Issues Fix) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Mar 11 2008 (HP Issues Fix) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
HP has released a fix for HP CIFS Server on HP-UX.
Jun 2 2008 (Sun Issues Fix) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
Sun has issued a fix for Solaris 10.
Jun 23 2008 (HP Issues Fix for HP-UX) Samba nmbd Buffer Overflow in Processing GETDC mailslot Requests Lets Remote Users Execute Arbitrary Code
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.



 Source Message Contents

Subject:  [SAMBA] CVE-2007-4572 - GETDC mailslot processing buffer overrun

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:     Stack buffer overflow in nmbd's logon
==              request processing.
==
== CVE ID#:     CVE-2007-4572
==
== Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
==
== Summary:     Processing of specially crafted GETDC
==              mailslot requests can result in a buffer
==              overrun in nmbd.  It is not believed
==              that this issue can be exploited to
==              result in remote code execution.
==
==========================================================

===========
Description
===========

Samba developers have discovered what is believed to be
a non-exploitable buffer overrun in nmbd during the processing
of GETDC logon server requests.  This code is only used
when the Samba server is configured as a Primary or Backup
Domain Controller.


==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.0.27 has been issued as a security
release to correct the defect.


==========
Workaround
==========

Samba administrators may avoid this security issue by disabling
both the "domain logons" and the "domain master" options in
the server's smb.conf file.  Note that this will disable all
domain controller features as well.


=======
Credits
=======

This vulnerability was discovered by Samba developers during
an internal code audit.

The time line is as follows:

* Sep 13, 2007: Initial report to security@samba.org including
  proposed patch.
* Sep 14, 2007: Patch review by members of the Josh Bressers
  (RedHat Security Team) and Simo Sorce (Samba/RedHat developer)
* Nov 15, 2007: Public security advisory made available.



==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHPEeNIR7qMdg1EfYRAmKMAKCDcXmqRSNbCHZFS4GzGo7oVUl08gCfS/sY
d6F8+jrnT59SZgCXfftImEA=
=oC2/
-----END PGP SIGNATURE-----
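
A check for the affected range and the workaround described in the advisory above, added here as an example (it is not code from Samba or SecurityTracker): it parses an smb.conf and reports whether a host running 3.0.0 - 3.0.26a still has "domain logons" or "domain master" enabled. The function names, the sample configuration, and the handling of an unset "domain master" as following "domain logons" are assumptions.

```python
import re

# Affected range from the advisory: Samba 3.0.0 - 3.0.26a (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0, ""), (3, 0, 26, "a")
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_version(text):
    """'3.0.26a' -> (3, 0, 26, 'a'); a letter suffix sorts after none."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z0-9]*)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def global_params(conf_text):
    """Return [global] parameters; names are case- and space-insensitive."""
    # Assumption: lines before any section header are treated as global.
    params, section = {}, "global"
    joined = re.sub(r"\\\r?\n", "", conf_text)  # backslash line continuation
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip().strip('"')
    return params

def audit(version, conf_text):
    """Report whether the advisory's workaround is in place for this host."""
    params = global_params(conf_text)
    logons = params.get("domainlogons", "no").lower() in TRUE_VALUES
    # Assumption: an unset or "auto" domain master follows domain logons.
    master_raw = params.get("domainmaster", "auto").lower()
    master = logons if master_raw == "auto" else master_raw in TRUE_VALUES
    affected = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return {"affected_version": affected, "domain_logons": logons,
            "domain_master": master,
            "exposed": affected and (logons or master)}

# Constructed sample smb.conf, not taken from any real host.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   Domain Logons = Yes
; domain master left at its default
[homes]
   domain logons = no
"""
```

Calling `audit("3.0.26a", SAMPLE_CONF)` marks the host as exposed; the same configuration on 3.0.27, or an affected version with both options set to "no", does not.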

 
 

