[SECURITY] Samba 2.2.8 available for download

Green, Paul Paul.Green at stratus.com
Mon Mar 31 14:42:31 GMT 2003


Andrew Bartlett [mailto:abartlet at samba.org] wrote:
> On Mon, 2003-03-31 at 06:12, Green, Paul wrote:
> > Green, Paul [mailto:Paul.Green at stratus.com] wrote:
> > > The 2.2.8 release notes say:
> > > 
> > > > A buffer overrun condition exists in the SMB/CIFS packet
> > > > fragment re-assembly code in smbd which would allow an
> > > > attacker to cause smbd to overwrite arbitrary areas of
> > > > memory in its own process address space. This could
> > > > allow a skilled attacker to inject binary specific
> > > > exploit code into smbd.
> > 
> > I have written a short test case (available upon request) to
> > confirm that Stratus VOS, when running on the HP PA-RISC
> > hardware, is not susceptible to such an attack.  While such
> > an attack can indeed be used to insert code onto the VOS
> > stack, as soon as the processor attempts to begin executing
> > the code it will take a no-execute permission fault or an
> > invalid-page fault. Therefore, the last sentence of this
> > warning in the 2.2.8 release notes about "inject[ing] binary
> > specific exploit code into smbd" does not apply to VOS on HP
> > PA-RISC.
> > 
> > As other experts have noted, there are probably other
> > OS/Hardware combinations that are also immune to this attack.
> > I hope other maintainers will post such information so that
> > we can have a public record, and not needlessly scare our
> > customers.
>
> I would not be so confident.  You don't need to modify the
> code that will be executed, or cause a jump to your exploit
> to cause mischief.  If you can overwrite an arbitrary
> position in memory, I'm sure you can find some variable
> that is critical to Samba's internal state, and go from
> there.  

I agree with your comment, but in my defense, I was trying to respond to the
comment in the release notes about injecting binary-specific exploit code.
That can't happen on VOS when it is running on PA-RISC.  We're in the
process of porting VOS to the Intel Pentium family, and one of the things
we're investigating is how to prevent this same attack on that chip.  We're
reasonably confident we'll be able to prevent this attack there, too.  I
think most of the attempts to attack Samba on VOS would result in denial of
service, but I agree it is possible that someone could get Samba to bypass
one of its internal checks.  I'm far more concerned about the issue of
injecting binary-specific code, because a successful attack of that type
would open up the entire resources of the machine to the attacker.

Having said all this, because some of my customers are interested in
receiving the 2.2.x version of Samba for VOS, and because the 2.2.x version
has the fix for the buffer overruns, and also because 3.0 is not yet ready
for prime time, I hope that the patches I'm submitting to 2.2.x will be
applied.  I'm willing to apply them myself, and monitor the build farm for
any fallout, if I'm granted access.  <plug> I've been porting Samba to VOS
since version 2.0.5, working on POSIX and open-source software since 1996,
and have been a software developer since 1969. I have extensive experience in
operating systems and compilers and have been the architect and lead
developer for the Stratus VOS POSIX environment. I have made it a rule to
test all patches on both VOS and Solaris before submitting them to
samba-technical. I'm also the maintainer of the ports of Perl and OpenSSL to
VOS, among others. </plug>

Thanks
PG
--
Paul Green, Senior Technical Consultant,
Stratus Technologies, Maynard, MA USA
Voice: +1 978-461-7557; FAX: +1 978-461-3610