Bug 41086 (CVE-2003-0201)

Summary: VUL-0: CVE-2003-0201: samba: stack overflow in trans2
Product: [Novell Products] SUSE Security Incidents Reporter: Roman Drahtmueller <draht>
Component: IncidentsAssignee: Roman Drahtmueller <draht>
Status: VERIFIED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: lmuelle, meissner, qa-bugs, rf
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Roman Drahtmueller 2003-04-05 01:11:59 UTC 
From: Volker Lendecke <Volker.Lendecke@SerNet.DE>
To: draht@suse.de
Date: Fri, 04 Apr 2003 09:14:21 +0200
Subject: [tridge@samba.org: another root exploit]

------- Start of forwarded message -------
To: samba-team@samba.org
Date: Fri,  4 Apr 2003 05:38:11 +0000 (GMT)
From: tridge@samba.org
Subject: another root exploit

Team,

Erik Parker from digitaldefense.net has notified us about a root
exploit in 2.2.8. The problem is call_trans2open() in
smbd/trans2.c. It is trivial to overflow fname as the length is
specified in the packet.

Simple fix is this:

- --- smbd/trans2.c       25 Mar 2003 23:50:47 -0000      1.149.4.99
+++ smbd/trans2.c       4 Apr 2003 04:49:16 -0000
@@ -249,7 +249,7 @@
        pname = &params[28];
        namelen = strlen(pname)+1;
 
- -       StrnCpy(fname,pname,namelen);
+       StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
 
        DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
                fname,open_mode, open_attr, open_ofun, open_size));


but we need to look for similar attacks elsewhere.

As far as I can tell we are not vulnerable in the 3.x tree, as we use
srvstr_pull() with the right length limits.

Jerry has already talked to Erik about this. It sounds like we need a
2.2.9, with just this fix.

Please do not distribute knowledge of this bug outside the team at the
moment.

Cheers, Tridge
------- End of forwarded message -------
Comment 1 Roman Drahtmueller 2003-04-05 01:16:42 UTC 
patchinfo text:

A new flaw has been discovered in the samba SMB protocol implementation, known
as call_trans2open()-bug.
The flaw is a stack overflow and may allow a remote attacker to gain root
access to a system running a samba server. 

It is recommended to immediately install the update package as provided.
After applying the update, the samba server must be restarted for the
changed package to become effective. Please restart the samba server using the 
following command as root:

rcsmb restart

POSTIN: should be a text like
AFter the update, the samba server must be restarted. Please run the command
rcsmb restart
Comment 2 Roman Drahtmueller 2003-04-05 01:21:11 UTC 
putonftp Text:

ALL     8.2-ALL    %UPDATE8.2      dxp
Security update for a remotely exploitable buffer overflow in samba 
(call_trans2open()). The samba server must be restarted after the update
package has been installed: Run "rcsmb restart" as root after the update
is complete.
EOT
Dieses Sicherheitsupdate behebt einen über das Netzwerk nutzbaren Pufferüberlauf 
im Samba server (call_trans2open()). Der Samba-Dienst muß nach dem erfolgten
update neu gestartet werden: Starten Sie das Kommando "rcsmb restart" als root.
EOT
Comment 3 Lars Müller 2003-04-05 22:04:30 UTC 
All out versions are fixed. Waiting for the last mbuilds and writing now
putonftp and patchinfo files.

I'll assign this bug to me and reassig it to Roman as soon as I've all done.
Comment 4 Lars Müller 2003-04-06 22:24:49 UTC 
All done. An overview of the needed patchinfo and putonftp files is included.

patchinfo

distribution             package        reason       
7.0-server-i386, 70-s390 samba          smbclnt is already ok
sles7-i386               samba,smbclnt  last client update was canceled
sles7-i386+update        samba,samba-classic,samba-ldap,
                         smbclnt,samba-classic-client,samba-ldap-client
                                        last client update was canceled
sles7-ia64,7.2-s390,sles7-s390x
                         samba,smbclnt  last client update was canceled
ul1-i386,ul1-ia64,sles8-ppc,sles8.s390,sles8.s390x,sles7-ppc
                         samba          samba-client is already ok

putonftp

All putonftp files include also the client package as this is still needed for
the patch file of YOU. Am I right?
Comment 5 Lars Müller 2003-04-07 19:39:59 UTC 
The old patchinfo files are still valid even if we had to add some additional
patches.

Roman has created Laufzettel 0221.
Comment 6 Lars Müller 2003-04-07 22:54:00 UTC 
patchinfo md5 id overview

distribution             package              id
7.0-server-i386,7.0-s390 samba                3955ac6da8cea543c633c60be38a9bb1

sles7-i386               samba                204a57af76f39de0568e3b623d5bbc8e
                         smbclnt              98a3626267e1f69b6cd033f6b4055641

sles7-i386+update        samba                3c9b83a2cbe0be93ca783bec93dac096
                         samba-ldap           3f7caad7ebd4c2abcd492309993ce5ef
                         samba-classic        5d90070eaa7c088695edc5171afb5853
                         smbclnt              021ee6ec59acd1d29334095447eeef8d
                         samba-ldap-client    5a7bade1d295889dc5bb0805962313cd
                         samba-classic-client 0f3ca552ec1f5dfe7590715b6439786c

sles7-ia64,7.2-s390,sles7-s390x
                         samba                fcb4caa26c7908ed1e8a555b28711e8a
                         smbclnt              17f7aef2fd0599f39e07246436b14c40

ul1-i386,ul1-ia64,sles8-ppc,sles8-s390,sles8-s390x,sles7-ppc
                         samba                727fa1506b3debe49829772807f466fa
Comment 7 Sebastian Krahmer 2003-08-12 17:12:29 UTC 
This was an old issue. Closing.