Ravens PHP Scripts

Samba Multiple Buffer Overflow Vulnerabilities
Date: Thursday, November 15, 2007 @ 14:03:55 PST
Topic: Security


SECUNIA ADVISORY ID: SA27450

VERIFY ADVISORY: http://secunia.com/advisories/27450/

CRITICAL: Moderately critical

IMPACT: System access

WHERE: From local network

SOFTWARE:
Samba 3.x - http://secunia.com/product/2999/
Samba 2.x - http://secunia.com/product/1271/

DESCRIPTION: Some vulnerabilities have been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system.



1) A boundary error exists within the "reply_netbios_packet()" function in nmbd/nmbd_packets.c when sending NetBIOS replies. This can be exploited to cause a stack-based buffer overflow by sending multiple specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request. Successful exploitation allows execution of arbitrary code, but requires that Samba is configured to run as a WINS server (the "wins support" option is enabled).

2) A boundary error exists within the processing of GETDC logon requests. This can be exploited to cause a buffer overflow by sending specially crafted GETDC mailslot requests. Successful exploitation of the vulnerability requires that Samba is configured as a Primary or Backup Domain Controller.

The vulnerabilities are reported in version 3.0.26a. Other versions may also be affected.

SOLUTION: Apply patches or update to version 3.0.27.

Patches for version 3.0.26a:
http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-5398.patch
http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-4572.patch

PROVIDED AND/OR DISCOVERED BY:
1) Alin Rad Pop, Secunia Research.
2) Reported by the vendor.

ORIGINAL ADVISORY:
Secunia Research: http://secunia.com/secunia_research/2007-90/
Samba: http://us1.samba.org/samba/history/security.html






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=3143