[Samba] is there a known exploit of Samba "reply_netbios_packet()" Buffer Overflow Vulnerability please ?

roudoudou roudoud0u at free.fr
Mon Dec 24 18:33:27 GMT 2007


Hi,
We're running samba 3.0.25a as a PDC on FreeBSD 6.1 in our office and
a few weeks ago, our samba PDC (and soon all the services hosted on this
server) stopped responding suddenly :-/
Everything went back to normal as soon as we disconnected from the
network all the hosts that were in the same room as the 10.0.0.20
host (after asking the domain user connected at that moment to this
host to disconnect from it).
Looking at the samba log file, I can read hundreds of thousands of
entries like the ones below (I get 100 MB of log files for an hour of
activity, all related to this reply_netbios_packet function!)

-- 
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(138) ERRNO=No buffer space available
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(137) ERRNO=No buffer space available
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] nmbd/nmbd_packets.c:reply_netbios_packet(986)
Dec  3 13:22:10 mypdc nmbd[519]:   reply_netbios_packet: send_packet to IP 10.0.0.20 port 137 failed
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(138) ERRNO=No buffer space available
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(137) ERRNO=No buffer space available
(...)


After googling a bit, it looks obvious to me that our samba PDC faced
some kind of denial of service attack taking
advantage of the recent Samba "reply_netbios_packet()" Buffer Overflow
Vulnerability (http://secunia.com/secunia_research/2007-90/advisory/ )
and that the attacker was one of our corporate users.
So before patching our samba server, I would be thankful to anyone
who could help me understand a little bit what really happened and
especially let me know:

* if we can reasonably say that it indeed looks like an attack
exploiting the "reply_netbios_packet()" Buffer Overflow vulnerability?
Could it be possible that this issue could have been triggered
accidentally? Or definitely, taking advantage of this
vulnerability requires the attacker to write and/or use some kind of
exploit?

* If so, is there a known exploit targeting this vulnerability? Our
users are not developers so I'm thinking that the attacker must have
used a known exploit :-/

For information, "wins support" is disabled in our PDC, but it
seems that the attacker was still able to succeed in its DoS attack!?
$ testparm -sv | grep "wins support"
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
        wins support = No

Thanks in advance for your help :-)
Cheers,
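
Added example, not part of the original post: a Python triage script that tallies the nmbd send failures in syslog lines of the shape quoted above, per destination, per second and per errno text, so the volume and the peers involved can be measured from the log itself. The sample lines are constructed, and 10.0.0.21 is an invented second peer.

```python
import re
from collections import Counter

# Constructed sample in the syslog shape quoted in the post (wrapped lines
# rejoined). 10.0.0.21 is an invented second peer to show per-peer grouping.
SAMPLE = """\
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(138) ERRNO=No buffer space available
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(137) ERRNO=No buffer space available
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] nmbd/nmbd_packets.c:reply_netbios_packet(986)
Dec  3 13:22:10 mypdc nmbd[519]:   reply_netbios_packet: send_packet to IP 10.0.0.20 port 137 failed
Dec  3 13:22:10 mypdc nmbd[519]: [2007/12/03 13:22:10, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:10 mypdc nmbd[519]:   Packet send failed to 10.0.0.20(138) ERRNO=No buffer space available
Dec  3 13:22:11 mypdc nmbd[519]: [2007/12/03 13:22:11, 0] libsmb/nmblib.c:send_udp(791)
Dec  3 13:22:11 mypdc nmbd[519]:   Packet send failed to 10.0.0.21(137) ERRNO=No buffer space available
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ nmbd\[\d+\]:\s+"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SEND_FAIL = re.compile(PREFIX + r"Packet send failed to " + IP
                       + r"\((?P<port>\d+)\) ERRNO=(?P<err>.+)$")
REPLY_FAIL = re.compile(PREFIX + r"reply_netbios_packet: send_packet to IP "
                        + IP + r" port (?P<port>\d+) failed")

def report(lines, burst_threshold=3):
    """Tally nmbd send failures; burst_threshold is failures per second."""
    peers, seconds, errors, replies = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        line = line.rstrip()
        if m := SEND_FAIL.match(line):
            peers[(m["ip"], int(m["port"]))] += 1   # destination of the failed send
            seconds[m["ts"]] += 1                   # syslog stamps have 1 s resolution
            errors[m["err"]] += 1                   # errno text as logged
        elif m := REPLY_FAIL.match(line):
            # Line logged from reply_netbios_packet(): counted separately
            replies[(m["ip"], int(m["port"]))] += 1
    return {
        "peers": peers.most_common(),
        "errors": dict(errors),
        "reply_failures": dict(replies),
        "bursts": {ts: n for ts, n in seconds.items() if n >= burst_threshold},
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

On a real log, pass an open file object to report() and raise burst_threshold to a value that fits the normal failure rate of the host.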

