Vulnerability Note VU#457622

Samba QFILEPATHINFO handling routine contains a remotely exploitable buffer overflow

Overview

Samba is vulnerable to a buffer overflow that may allow a remote attacker to execute arbitrary code with root privileges.

I. Description

Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). A lack of bounds checking in the TRANSACT2_QFILEPATHINFO request handling routine may allow a buffer overflow. An attacker can exploit this vulnerability by sending a specially crafted TRANSACT2_QFILEPATHINFO request to a vulnerable Samba server. When the server attempts to create a response, the buffer overflow occurs.

To successfully exploit this vulnerability, the requested path and file must be valid, i.e. the file must exist on the Samba share at the specified location, and the file name in the path must contain Unicode characters. An attacker with write access to a share could create such a path and file name.

Note that an attacker must be authenticated to the Samba server. However, a user with anonymous access may be able to exploit this vulnerability.

According to reports, Samba versions 3.0.7 and prior are vulnerable. Samba 2.x is not vulnerable.

More detailed information is available in e-matters security advisory 13/2004.

II. Impact

A remote attacker could execute arbitrary code. The Samba daemon (smbd) typically runs with root privileges, in which case an attacker could gain complete control of a vulnerable system. An attacker may also be able to mount a denial-of-service attack.

III. Solution

Upgrade Samba

This issue has been corrected in Samba version 3.0.8. Please see the Samba download page for more details.
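A version-triage helper, added here as an example (it is not part of the original note or of Samba's own tooling), applies the affected range stated above to the output of `smbd -V`. It assumes that output contains a line of the form "Version 3.0.7", possibly with a vendor suffix such as "3.0.7-Debian"; both the format and the suffix handling are assumptions, and suffixed builds are sent to manual review because a distribution may backport the fix behind a lower version number.

```python
"""Triage a Samba version string against the range affected by VU#457622.

Added example, not from the original note. Assumes `smbd -V` prints
"Version X.Y.Z" optionally followed by a vendor suffix (e.g. "-Debian").
"""
import re
from enum import Enum
from typing import Optional, Tuple


class Status(Enum):
    VULNERABLE = "vulnerable"      # 3.0.0 through 3.0.7, per the note
    FIXED = "fixed"                # 3.0.8 and later
    NOT_AFFECTED = "not affected"  # the 2.x branch is not vulnerable
    REVIEW = "review"              # vendor-patched build: number alone is inconclusive


# Assumed output format of `smbd -V`; the suffix group catches vendor tags.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)(\S*)")


def parse_smbd_version(output: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), suffix) from `smbd -V` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def triage(output: str) -> Optional[Status]:
    """Classify a Samba build against the affected range in the note."""
    parsed = parse_smbd_version(output)
    if parsed is None:
        return None
    version, suffix = parsed
    if version[0] < 3:
        return Status.NOT_AFFECTED
    # Tuple comparison avoids the string-ordering trap where "3.0.10" < "3.0.8".
    if version >= (3, 0, 8):
        return Status.FIXED
    # Numerically in the affected range. The note lists Debian as not vulnerable
    # while SuSE is, so a vendor-tagged build needs a human look at its changelog.
    return Status.REVIEW if suffix else Status.VULNERABLE


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    for sample in ("Version 3.0.7", "Version 3.0.10", "Version 2.2.12", "Version 3.0.7-Debian"):
        print(sample, "->", triage(sample).value)
```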

Restrict Access to Samba

As a general security best practice, restrict access to Samba services to hosts and networks that require those services. Consider blocking Samba traffic at network borders.

Consult Samba Security Guidelines

The Samba Team has a website listing ways to secure a Samba server.

Systems Affected

Vendor                     | Status         | Date Notified | Date Updated
---------------------------|----------------|---------------|-------------
Apple Computer Inc.        | Unknown        |               | 17-Nov-2004
BSDI                       | Unknown        |               | 17-Nov-2004
Conectiva                  | Unknown        |               | 17-Nov-2004
Cray Inc.                  | Unknown        |               | 17-Nov-2004
Debian                     | Not Vulnerable |               | 18-Nov-2004
EMC Corporation            | Unknown        |               | 17-Nov-2004
Engarde                    | Unknown        |               | 17-Nov-2004
F5 Networks                | Unknown        |               | 17-Nov-2004
FreeBSD                    | Unknown        |               | 17-Nov-2004
Fujitsu                    | Unknown        |               | 17-Nov-2004
Hewlett-Packard Company    | Unknown        |               | 17-Nov-2004
Hitachi                    | Unknown        |               | 17-Nov-2004
IBM                        | Unknown        |               | 17-Nov-2004
IBM-zSeries                | Unknown        |               | 17-Nov-2004
IBM eServer                | Unknown        |               | 17-Nov-2004
Immunix                    | Unknown        |               | 17-Nov-2004
Ingrian Networks           | Unknown        |               | 17-Nov-2004
Juniper Networks           | Not Vulnerable |               | 6-Dec-2004
MandrakeSoft               | Unknown        |               | 17-Nov-2004
Microsoft Corporation      | Unknown        |               | 17-Nov-2004
MontaVista Software        | Unknown        |               | 17-Nov-2004
NEC Corporation            | Vulnerable     |               | 20-Apr-2005
NETBSD                     | Unknown        |               | 17-Nov-2004
Novell                     | Unknown        |               | 17-Nov-2004
OpenBSD                    | Unknown        |               | 17-Nov-2004
Openwall GNU/*/Linux       | Unknown        |               | 17-Nov-2004
Red Hat Inc.               | Unknown        |               | 17-Nov-2004
Samba Team                 | Vulnerable     |               | 17-Nov-2004
SCO                        | Unknown        |               | 17-Nov-2004
Sequent                    | Unknown        |               | 17-Nov-2004
SGI                        | Unknown        |               | 17-Nov-2004
Sony Corporation           | Unknown        |               | 17-Nov-2004
Sun Microsystems Inc.      | Not Vulnerable |               | 3-Feb-2005
SuSE Inc.                  | Vulnerable     |               | 18-Nov-2004
TurboLinux                 | Not Vulnerable |               | 20-Apr-2005
Unisys                     | Unknown        |               | 17-Nov-2004
Wind River Systems Inc.    | Unknown        |               | 17-Nov-2004

References

http://security.e-matters.de/advisories/132004.html
http://secunia.com/advisories/13189/
http://www.securitytracker.com/alerts/2004/Nov/1012235.html
http://www.osvdb.org/displayvuln.php?osvdb_id=11782

Credit

Thanks to Stefan Esser for reporting this vulnerability.

This document was written by Jeff Gennari.

Other Information

Date Public: 2004-11-15
Date First Published: 2004-11-17
Date Last Updated: 2005-04-20
CERT Advisory:
CVE-ID(s): CAN-2004-0882
NVD-ID(s): CAN-2004-0882
US-CERT Technical Alerts:
Metric: 8.62
Document Revision: 148

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Copyright 2004 Carnegie Mellon University