Ravens PHP Scripts

Samba Denial of Service and Format String Vulnerability
Date: Tuesday, February 06, 2007 @ 05:52:21 PST
Topic: Security


SECUNIA ADVISORY ID: SA24046

VERIFY ADVISORY: http://secunia.com/advisories/24046/

CRITICAL: Moderately critical

IMPACT: DoS, System access

SOFTWARE: Samba 3.x - http://secunia.com/product/2999/

DESCRIPTION: Some vulnerabilities have been reported in Samba, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.




1) Under certain conditions, smbd fails to remove requests from the deferred file open queue. This can be exploited to cause a DoS due to heavy resource usage by triggering an infinite loop when renaming a file under special circumstances.

2) Samba uses filenames as format string parameter in a call to "sprintf()" when setting Windows NT Access Control Lists using the afsacl.so VFS plugin. This can potentially be exploited to execute arbitrary code.

Successful exploitation requires that an AFS file system is shared to CIFS clients using the afsacl.so VFS module and that the attacker has write access to the share.

SOLUTION: Update to version 3.0.24.

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits zybadawg333.

ORIGINAL ADVISORY:
http://us1.samba.org/samba/security/CVE-2007-0452.html
http://us1.samba.org/samba/security/CVE-2007-0454.html






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2737