Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0882: Samba 3.x heap overflow | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | heiko.rommel, lmuelle, qa-bugs, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0882: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | proof-of-exploitability.txt | | |
Description

Sebastian Krahmer 2004-09-27 16:54:59 UTC

...

CAN-2004-0815 CAN-2004-0882 Samba 3.x unicode filename buffer overflow

Forget comment #2, it is wrong.

Any news on this?

Apparently this changeset diff contains the fix:
http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/smbd/trans2.c?rev=2636&r1=2197&r2=2636

From: Stefan Esser <s.esser@e-matters.de>

Hi,

> I can't find it in samba3 or samba-trunk, at least not in source/smbd/
> near trans2.c. Or perhaps I do not know what to look for.
>
> Anyone care to specify the actual patch?

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/smbd/trans2.c?rev=2636&r1=2197&r2=2636

The use of the new constant `#define DIR_ENTRY_SAFETY_MARGIN 4096` fixes the problem.

Stefan Esser

Lars is on vacation -> move bug to security team to process further.

Can we merge this with the current samba update, Lars?

Was there any comment from Samba.org? If this bug is already announced I don't have a problem merging this fix into the packages we did for bug 63019.

The changeset mentioned in comment #5 is part of the Samba 3.0.8 release. I'll merge it into the currently waiting updates for SLES 9 and 9.2.

Having checked the Samba svn, it looks like http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=2637 is the fix we need. This also includes a fix to source/smbd/nttrans.c and not only source/smbd/trans2.c.
Author: Jeremy Allison <jraatSamba.org>

Gerald 'Jerry' Carter will provide an update on this issue to the samba-pkg-sec list.

I've added roundup_problem.diff to the package of SLES 9 and 9.2 and mbuilt both. I didn't mention CAN-2004-0882 in the changes. Nor did I modify the existing patchinfo files.

From: "Gerald (Jerry) Carter" <jerry@samba.org>
Subject: [Samba-pkg-sec] whatever happened to CAN-2004-0882?
To: samba-pkg-sec@samba.org
Date: Mon, 08 Nov 2004 13:52:45 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In case anyone is interested in whatever happened to CAN-2004-0882, here's the summary:

-------- Original Message --------
Subject: Re: [vendor-sec] [SAMBA] CAN-2004-0930: Potential Remote Denial of Service Vulnerability in Samba 3.0.x <= 3.0.7
Date: Mon, 08 Nov 2004 13:49:54 -0600
From: Gerald (Jerry) Carter <jerry@samba.org>

Gerald (Jerry) Carter wrote:
| | This seems to contain the fix for the unicode fix
| | Stefan Esser reported too. (CAN-2004-0815)
| |
| | Will you announce that officially?
|
| I'm confused. According to my records CAN-2004-0815 was a
| remote file access bug in Samba 2.2.0 - 2.2.11 and Samba
| 3.0.0 - 3.0.2a. The original announcement for that went
| out on Sept 30, 2004 with an errata update on October 5,
| 2004.
|
| And this seems to be supported by:
|
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0815
|
| The bug you are referring to was determined to be a crash
| bug only. It was never assigned a CVE # to my knowledge
| and never proven to be exploitable.
|
| <pauses on irc>
|
| ...so I was just informed that this was assigned a CVE #
| (CAN-2004-0882 Samba 3.x unicode filename buffer overflow).
|
| That crash bug is fixed in 3.0.8. But Stefan never got
| back to us to convince us that it was exploitable.
| I'll talk to Stefan and our other developers to find out
| where the communication broke down.
|
| Thanks for bringing this to our attention.

I just spoke with Jeremy Allison (he was the main contact on this issue). The last correspondence we have from Stefan was that he would get back to us with evidence supporting the defect's exploitability. He never did.
Nor were we ever informed of an assigned CVE #. So from our perspective, this is still just a crash bug. We are extremely grateful to Stefan for reporting this to us, but there will be no separate official security announcement for CAN-2004-0882 at this time. It will just be listed as a normal bug fix in Samba 3.0.8.

If anyone would like to backport the patch to 3.0.7, the svn diff can be downloaded via anonymous svn:

svn diff -r 2636:2637 svn://svnanon.samba.org/samba/branches/SAMBA_3_0

or from viewcvs:

http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=2637

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBj855IR7qMdg1EfYRAtnfAJ0VMyhvUN+Hk99X3F5fvr5FSYgYVgCfauno
LAIUZ4vnmpIX8MudTtx5o84=
=tK0s
-----END PGP SIGNATURE-----
_______________________________________________
samba-pkg-sec mailing list
samba-pkg-sec@lists.samba.org
http://lists.samba.org/mailman/listinfo/samba-pkg-sec

So let us go further with testing and publishing bug 63019 and this. I've changed both patchinfo files slightly (still not mentioning any CAN id for this issue). From my side everything is done.

thanks lars!

Date: Fri, 12 Nov 2004 09:54:30 +0100
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de
Cc: mm@lst.de, security@samba.org, s.esser@e-matters.de, jerry@samba.org, jra@samba.org
Subject: CAN-2004-0882 Samba 3.x unicode filename buffer overflow

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.6K --]

Good Morning,

sometimes prejudices make people blind. Obviously this included me.
I was so convinced that samba only sends filenames in unicode to make the protocol happy and not that it actually supports them fully. When I realised that today, the whole exploit for Samba <= 3.0.7 was more or less pretty straightforward.

Now exploiting this comes down to e.g. several calls to mkdir to create a path deep enough to overflow, around (1024 + 8 - 72)/2-1 in length. The path simply must end in unicode characters like

0xFFFC 0xFFFF 0xFFFD 0xFFFF 0x5555 0x5555 0x6666 0x6666

where 0xFFFD 0xFFFF have to overwrite the malloc size field of the next chunk and 0x5555 0x5555 and 0x6666 0x6666 are the usual unlink overwrite positions.

I have attached a complete output of a debugging session that proves remote code execution.

So I am planning to release my advisory on Monday when the Samba team is going to release 3.0.9 (because of functionality bugs introduced with 3.0.8).

Stefan Esser

Created attachment 26053 [details]
proof-of-exploitability.txt

Attachment to above mail. No sample code though, see mail.
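As an added illustration of the class of defect Stefan Esser describes above (this is constructed example code, not Samba's source, not the attachment, and not any participant's code), the following C model shows why a reply buffer whose free space is checked against the 8-bit length of a file name overflows once that name is written out as UCS-2, and where the excess bytes land: here on a fake 8-byte "next chunk header" placed directly after the buffer, standing in for the malloc size field his mail mentions. The buffer size, the per-entry header layout, the sample names and the per-entry post-conversion check in the hardened variant are all assumptions made for the example; the page reports that the upstream change instead introduces a 4096-byte `DIR_ENTRY_SAFETY_MARGIN`.

```c
/*
 * Constructed model of a "unicode filename" reply-buffer overflow.
 * Example code only: buffer size, entry layout and names are assumptions,
 * not Samba's trans2/nttrans code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX  64     /* assumed reply-buffer size, kept tiny on purpose   */
#define HDR_BYTES   8     /* bytes after the buffer: fake next-chunk header    */
#define HDR_FILL 0xAB     /* pattern that must survive if no overflow happens  */
#define ENTRY_HDR   4     /* assumed per-entry header: 32-bit length field     */

typedef struct {
    uint8_t data[REPLY_MAX + HDR_BYTES]; /* data[REPLY_MAX..] is the fake header */
} reply_t;

typedef struct { size_t packed; size_t clobbered; } result_t;

/* 8-bit name -> UCS-2LE: every input byte becomes two output bytes. */
static size_t to_ucs2le(const char *name, uint8_t *out)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (uint8_t)name[i];
        out[2 * i + 1] = 0;
    }
    return 2 * n;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable packer: reserves space from the pre-conversion length, then
 * writes the UCS-2 form, which is twice as long. The check is short by
 * strlen(name) bytes per entry, so the last entry runs past REPLY_MAX. */
static size_t pack_vuln(reply_t *r, const char **names, size_t n)
{
    size_t off = 0, packed = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = ENTRY_HDR + strlen(names[i]);          /* wrong size */
        if (off + need > REPLY_MAX)
            break;
        size_t wrote = to_ucs2le(names[i], r->data + off + ENTRY_HDR);
        put_le32(r->data + off, (uint32_t)wrote);
        off += ENTRY_HDR + wrote;
        packed++;
    }
    return packed;
}

/* Hardened packer: checks the post-conversion size before writing anything
 * and stops at the first entry that does not fit. */
static size_t pack_fixed(reply_t *r, const char **names, size_t n)
{
    size_t off = 0, packed = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = ENTRY_HDR + 2 * strlen(names[i]);      /* real size */
        if (off + need > REPLY_MAX)
            break;
        size_t wrote = to_ucs2le(names[i], r->data + off + ENTRY_HDR);
        put_le32(r->data + off, (uint32_t)wrote);
        off += ENTRY_HDR + wrote;
        packed++;
    }
    return packed;
}

/* Run a packer over constructed names and report how many entries it packed
 * and how many bytes of the fake chunk header it clobbered. */
static result_t run_model(size_t (*pack)(reply_t *, const char **, size_t))
{
    /* Constructed input: two names whose 8-bit sizes pass the vulnerable
     * check exactly (28 + 12 = 64) while their UCS-2 sizes overrun by 8. */
    static const char *names[] = { "abcdefghijklmnopqrstuvwx", "ABCDEFGH" };
    reply_t r;
    result_t res = { 0, 0 };
    memset(r.data, 0, REPLY_MAX);
    memset(r.data + REPLY_MAX, HDR_FILL, HDR_BYTES);
    res.packed = pack(&r, names, 2);
    for (size_t i = 0; i < HDR_BYTES; i++)
        if (r.data[REPLY_MAX + i] != HDR_FILL)
            res.clobbered++;
    return res;
}

int main(void)
{
    result_t v = run_model(pack_vuln), f = run_model(pack_fixed);
    printf("vulnerable: packed %zu entries, clobbered %zu header bytes\n", v.packed, v.clobbered);
    printf("hardened:   packed %zu entries, clobbered %zu header bytes\n", f.packed, f.clobbered);
    return 0;
}
```

Compile with `cc -Wall model.c` and run it: the vulnerable packer accepts both names and overwrites all 8 bytes of the fake header with the tail of the second UCS-2 name, which is the position an attacker controls with the trailing characters of a deep path as described in the mail; the hardened packer packs only the first name and leaves the header untouched. The model checks the converted size per entry; the upstream fix referred to on this page takes the other route and oversizes the allocation by a fixed margin.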
And there were more svn checkins related to this issue. Marcus and I decided to go with the current package version and to wait for additional comments by the Samba Team.

From: "Gerald (Jerry) Carter" <jerry@samba.org>
Subject: [Samba-pkg-sec] CAN-2004-0882 Samba 3.x unicode filename buffer overflow
To: samba-pkg-sec@samba.org
Date: Fri, 12 Nov 2004 11:38:58 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks like this did turn out to be exploitable in Samba 3.0.x <= 3.0.7. We'll send out a patch for 3.0.7 later today.

The public security announcement will be released Monday afternoon CST (GMT-6). I'll get an exact time out later today as well.

cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBlPUyIR7qMdg1EfYRAuZ9AJ4u517/JrDzt+9eb533nT8CrvJGxQCg1Vek
LP13bxaLacHmyyaw+V7caKY=
=iv6g
-----END PGP SIGNATURE-----

After the Samba security fix is before the Samba security fix. As soon as I have the announced patch I'll prepare fixed packages and a new patchinfo.

From: "Gerald (Jerry) Carter" <jerry@samba.org>
Subject: Re: [Samba-pkg-sec] CAN-2004-0882 Samba 3.x unicode filename buffer overflow
To: samba-pkg-sec@samba.org
Date: Fri, 12 Nov 2004 16:14:06 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerald (Jerry) Carter wrote:
| Looks like this did turn out to be exploitable
| in Samba 3.0.x <= 3.0.7. We'll send out a patch for 3.0.7
| later today.
|
| The public security announcement will be released Monday
| afternoon CST (GMT-6). I'll get an exact time out later
| today as well.

And here's the patch for 3.0.7 that addresses Stefan's concerns (CAN-2004-0882). We'll plan to do a public security announcement on Monday, November 15, at 7am EST (GMT-5). The 3.0.9 release will probably happen on Monday as well just out of coincidence. But it is unrelated to any known security holes.

cheers, jerry
-----BEGIN PGP SIGNATURE-----

Patch is already part of the last update for bug 63019.

Marcus: So please just align your announcement to the date Jerry mentioned in comment #23.

packages approved, advisory released.

CVE-2004-0882: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)