[SECURITY] Samba 2.2.8 available for download

Andrew Bartlett abartlet at samba.org
Sun Mar 30 22:58:49 GMT 2003


On Mon, 2003-03-31 at 06:12, Green, Paul wrote:
> Green, Paul [mailto:Paul.Green at stratus.com] wrote:
> > The 2.2.8 release notes say:
> > 
> > > A buffer overrun condition exists in the SMB/CIFS packet fragment
> > > re-assembly code in smbd which would allow an attacker to cause smbd
> > > to overwrite arbitrary areas of memory in its own process address
> > > space. This could allow a skilled attacker to inject binary specific
> > > exploit code into smbd.
> 
> I have written a short test case (available upon request) to confirm that
> Stratus VOS, when running on the HP PA-RISC hardware, is not susceptible to
> such an attack.  While such an attack can indeed be used to insert code onto
> the VOS stack, as soon as the processor attempts to begin executing the code
> it will take a no-execute permission fault or an invalid-page fault.
> Therefore, the last sentence of this warning in the 2.2.8 release notes
> about "inject[ing] binary specific exploit code into smbd" does not apply to
> VOS on HP PA-RISC.
> 
> As other experts have noted, there are probably other OS/Hardware
> combinations that are also immune to this attack.  I hope other maintainers
> will post such information so that we can have a public record, and not
> needlessly scare our customers.

I would not be so confident.  You don't need to modify the code that
will be executed, or cause a jump to your exploit to cause mischief.  If
you can overwrite an arbitrary position in memory, I'm sure you can find
some variable that is critical to Samba's internal state, and go from
there.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
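The point Andrew makes above, that a write past a fixed buffer can corrupt state the server trusts without ever executing injected code, is easy to show on a small model. The following C program is an added illustration and is not Samba code: the `struct session` layout, the field names and the fragment contents are all hypothetical. `append_fragment_unchecked` models the "before" (a reassembly routine that never checks whether the fragment fits), and `append_fragment_checked` is the bounds-checked form. No instruction is ever fetched from the buffer, so a no-execute stack does not come into play; the damage is done entirely by the data write landing on the `authenticated` flag.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FRAG_BUF_SIZE 64

/* Hypothetical per-connection state (not Samba's real structures):
 * a fixed reassembly buffer immediately followed by a flag the rest
 * of the server trusts. */
struct session {
    size_t frag_len;                       /* bytes assembled so far */
    unsigned char frag_buf[FRAG_BUF_SIZE]; /* fragment reassembly area */
    unsigned int authenticated;            /* 0 = anonymous session */
};

/* "Before": appends a fragment without checking that it fits.
 * The copy is done through a byte view of the whole struct so the
 * demonstration stays inside the object (a real overrun would keep
 * writing past it); the guard at the end is only there for that reason. */
int append_fragment_unchecked(struct session *s, const unsigned char *data, size_t n)
{
    unsigned char *base = (unsigned char *)s;
    size_t dst = offsetof(struct session, frag_buf) + s->frag_len;
    for (size_t i = 0; i < n; i++) {
        if (dst + i >= sizeof *s)
            break;                         /* demo-only guard, see above */
        base[dst + i] = data[i];
    }
    s->frag_len += n;
    return 0;
}

/* "After": rejects any fragment that would not fit in the remaining space.
 * Written as a subtraction so the check itself cannot wrap. */
int append_fragment_checked(struct session *s, const unsigned char *data, size_t n)
{
    if (n > FRAG_BUF_SIZE || s->frag_len > FRAG_BUF_SIZE - n)
        return -1;
    memcpy(s->frag_buf + s->frag_len, data, n);
    s->frag_len += n;
    return 0;
}

/* Feeds one constructed oversized fragment (64 bytes of filler plus 4
 * bytes that land on the flag) to the given appender on a fresh anonymous
 * session. Returns the appender's result and stores the flag's value. */
static int run_demo(int (*append)(struct session *, const unsigned char *, size_t),
                    unsigned int *flag_out)
{
    struct session s;
    unsigned char frag[FRAG_BUF_SIZE + sizeof(unsigned int)];
    memset(&s, 0, sizeof s);
    memset(frag, 'A', FRAG_BUF_SIZE);
    memset(frag + FRAG_BUF_SIZE, 0x01, sizeof(unsigned int));
    int rc = append(&s, frag, sizeof frag);
    *flag_out = s.authenticated;
    return rc;
}

/* Flag value after the unchecked copy: nonzero, i.e. "authenticated". */
unsigned int flag_after_unchecked(void)
{
    unsigned int flag;
    run_demo(append_fragment_unchecked, &flag);
    return flag;
}

/* Flag value after the checked copy: still 0. */
unsigned int flag_after_checked(void)
{
    unsigned int flag;
    run_demo(append_fragment_checked, &flag);
    return flag;
}

/* Return code of the checked copy: -1, the fragment was refused. */
int checked_rejects(void)
{
    unsigned int flag;
    return run_demo(append_fragment_checked, &flag);
}

int main(void)
{
    printf("unchecked: authenticated=%u\n", flag_after_unchecked());
    printf("checked:   rc=%d authenticated=%u\n", checked_rejects(), flag_after_checked());
    return 0;
}
```

The unchecked path flips the flag to 0x01010101 with nothing but a copy of attacker-supplied bytes, which is why a no-execute stack alone is not a reason to discount the advisory; the length check in the second routine is the actual fix.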