[Samba] CAN-2004-1154 : Integer overflow could lead to remote code execution in Samba 2.x, 3.0.x <= 3.0.9

David Schlenk david-schlenk at bethel.edu
Thu Dec 16 16:17:29 GMT 2004


Today's security patch doesn't work if you also want to use the 
printing patch for 3.0.9 mentioned recently on this list.
Build error:

Linking bin/smbd
printing/printing.o(.text+0x2d4b): In function `print_queue_update':
printing/printing.c:1421: undefined reference to `smb_xmalloc'
collect2: ld returned 1 exit status
make: *** [bin/smbd] Error 1

This is patching with the printing patch first, followed by the 
security patch, using the %patch macros of rpm.  I'll try the other way 
around, but it takes a while on my slow test box, so I thought I'd see
if anyone had any success building with both patches.

On Dec 16, 2004, at 6:17 AM, Gerald Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==========================================================
> ==
> == Subject:	Possible remote code execution
> == CVE ID#: 	CAN-2004-1154
> ==
> == Versions:	Samba 2.x & 3.0.x <= 3.0.9
> ==
> == Summary: 	A potential integer overflow when
> ==		unmarshalling specific MS-RPC requests
> ==		from clients could lead to heap
> ==		corruption and remote code execution.
> ==
> ==========================================================
>
>
> ===========
> Description
> ===========
>
> Remote exploitation of an integer overflow vulnerability
> in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
> and Samba 3.0.x prior to and including 3.0.9 could
> allow an attacker to cause controllable heap corruption,
> leading to execution of arbitrary commands with root
> privileges.
>
> Successful remote exploitation allows an attacker to
> gain root privileges on a vulnerable system. In order
> to exploit this vulnerability an attacker must possess
> credentials that allow access to a share on the Samba server.
> Unsuccessful exploitation attempts will cause the process
> serving the request to crash with signal 11, and may leave
> evidence of an attack in logs.
>
>
> ==================
> Patch Availability
> ==================
>
> A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch)
> can be downloaded from
>
> 	http://www.samba.org/samba/ftp/patches/security/
>
> The patch has been signed with the "Samba Distribution
> Verification Key" (ID F17F9772).
>
>
> =============================
> Protecting Unpatched Servers
> =============================
>
> The Samba Team always encourages users to run the latest
> stable release as a defense against attacks.  However,
> under certain circumstances it may not be possible to
> immediately upgrade important installations.  In such
> cases, administrators should read the "Server Security"
> documentation found at
>
> http://www.samba.org/samba/docs/server_security.html.
>
>
> =======
> Credits
> =======
>
> This security issue was reported to Samba developers by
> iDEFENSE Labs.  The vulnerability was discovered by Greg
> MacManus, iDEFENSE Labs.
>
>
> ==========================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ==========================================================
>
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBwXzdIR7qMdg1EfYRAvnVAKCgJxELPsRo2oIwBcUq+wKNkjB3BwCgzn5l
> 3PtHselUE/u/xxC7PRYpxyA=
> =8JRM
> -----END PGP SIGNATURE-----
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
--
David Schlenk
Operating Systems Analyst
Bethel University
Saint Paul, Minnesota
david-schlenk at bethel.edu
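The advisory quoted above describes the defect class without showing it: a count taken from a client request is multiplied into an allocation size in 32-bit arithmetic, the product wraps, and a small buffer is allocated for a large copy. The C example below is added here as an illustration and is not Samba's code, the MS-RPC marshalling format, or the contents of samba-3.0.9-CAN-2004-1154.patch. It uses a constructed record format (a little-endian 32-bit count followed by fixed 8-byte records), and shows a checked unmarshaller beside a routine that only reports how the unchecked product wraps. All sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not an MS-RPC structure):
 * a little-endian uint32 element count followed by count 8-byte records. */
#define REC_SIZE 8u

typedef struct {
    uint32_t count;
    uint8_t *records;   /* count * REC_SIZE bytes, NULL when count == 0 */
} rec_array_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Checked unmarshaller. Size arithmetic is deliberately kept in uint32_t,
 * as 32-bit-era marshalling code commonly did, so the overflow guard is the
 * line that matters: it rejects any count whose byte size would wrap before
 * the multiplication happens. Returns 0 on success, -1 on malformed input. */
int unmarshal_rec_array_checked(const uint8_t *buf, size_t len, rec_array_t *out) {
    if (len < 4) return -1;
    uint32_t count = rd_le32(buf);
    /* Overflow guard: count * REC_SIZE must fit in uint32_t. */
    if (count > UINT32_MAX / REC_SIZE) return -1;
    uint32_t bytes = count * REC_SIZE;
    /* Truncation guard: the declared payload must actually be in the buffer. */
    if ((size_t)bytes > len - 4) return -1;
    uint8_t *recs = NULL;
    if (bytes > 0) {
        recs = malloc(bytes);
        if (recs == NULL) return -1;
        memcpy(recs, buf + 4, bytes);
    }
    out->count = count;
    out->records = recs;
    return 0;
}

/* Same parse with the overflow guard omitted, reduced to reporting the
 * wrapped size instead of allocating or copying. Returns 0 when the product
 * is exact, 1 when it wrapped (the case an allocator would then undersize),
 * -1 on a short header. Demonstration of the arithmetic only. */
int unmarshal_rec_array_unchecked_wraps(const uint8_t *buf, size_t len, uint32_t *wrapped_bytes) {
    if (len < 4) return -1;
    uint32_t count = rd_le32(buf);
    uint32_t bytes = count * REC_SIZE;   /* wraps for count >= 2^29 */
    *wrapped_bytes = bytes;
    return (bytes / REC_SIZE == count) ? 0 : 1;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {
    0x02, 0x00, 0x00, 0x00,                        /* count = 2 */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16  /* two records */
};
static const uint8_t SAMPLE_HUGE_COUNT[] = {
    0x00, 0x00, 0x00, 0x20    /* count = 0x20000000: count * 8 wraps to 0 */
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x03, 0x00, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8  /* claims 3 records, carries 1 */
};

int main(void) {
    rec_array_t a;
    uint32_t w;
    printf("ok buffer:        rc=%d\n",
           unmarshal_rec_array_checked(SAMPLE_OK, sizeof SAMPLE_OK, &a));
    free(a.records);
    printf("huge count:       rc=%d\n",
           unmarshal_rec_array_checked(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT, &a));
    printf("truncated:        rc=%d\n",
           unmarshal_rec_array_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &a));
    printf("unchecked product: wrapped=%d bytes=%u\n",
           unmarshal_rec_array_unchecked_wraps(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT, &w), w);
    return 0;
}
```

The two guards are independent: the overflow check protects the allocation size, and the length check protects the copy against a buffer shorter than it claims to be. Dropping either reintroduces a distinct failure, which is why a review of unmarshalling code should look for both on every count-driven allocation.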