Bug 64119 - (CVE-2004-1154) VUL-0: CVE-2004-1154: samba: Remote code execution in samba
(CVE-2004-1154)
VUL-0: CVE-2004-1154: samba: Remote code execution in samba
Status: RESOLVED DUPLICATE of bug 64804
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All Linux
: P3 - Medium : Critical
: ---
Assigned To: Thomas Biege
Security Team bot
:
Depends on: 64221 64804 64947
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-10 17:16 UTC by Marcus Meissner
Modified: 2017-04-20 14:43 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch that was included in advisory (420.97 KB, patch)
2004-12-10 17:17 UTC, Ludwig Nussel
Details | Diff
patchinfo-box.smb (668 bytes, text/plain)
2004-12-14 21:45 UTC, Thomas Biege
Details
patchinfo-box.smb-winbind (684 bytes, text/plain)
2004-12-14 21:46 UTC, Thomas Biege
Details
patchinfo.smb-slec (463 bytes, text/plain)
2004-12-14 21:46 UTC, Thomas Biege
Details
patchinfo.smb-sles8 (521 bytes, text/plain)
2004-12-14 21:46 UTC, Thomas Biege
Details
patchinfo.smb-sles9 (541 bytes, text/plain)
2004-12-14 21:47 UTC, Thomas Biege
Details
samba2-secfix-intoverflow.diff (111.99 KB, patch)
2004-12-17 03:31 UTC, Thomas Biege
Details | Diff
samba-2.2.12-CAN-2004-1154.patch (291.87 KB, patch)
2004-12-24 18:21 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2004-12-10 17:16:04 UTC
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Thu, 09 Dec 2004 15:25:32 -0600
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: vendor-sec@lst.de
Cc: security@samba.org, vendor-disclosure <vendor-disclosure@idefense.com>
Subject: [vendor-sec] CAN-2004-1154: Integer overflow could lead to remote code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:	Possible remote code execution
== CVE ID#: 	CAN-2004-1154
==
== Versions:	Samba 2.x & 3.0.x <= 3.0.9
==
== Summary: 	A potential integer overflow when
==		unmarshalling specific MS-RPC requests
==		from clients could lead to heap
==		corruption and remote code execution.
==
==========================================================

| Our plans are to release 3.0.10 on Thursday, December
| 16, 6am CST (GMT-6) to address this security hole
| and one other segv fault.
|
| The patch is rather large due to the fact that once
| you point out one integer overflow, everyone starts
| looking for more.  The changes address the specific
| issue that was originally reported as well as attempting
| to reduce the possibility of similar exploits following
| the public announcement.


===========
Description
===========

Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could
allow an attacker to cause controllable heap corruption,
leading to execution of arbitrary commands with root
privileges.

Successful remote exploitation allows an attacker to
gain root privileges on a vulnerable system. In order
to exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba server.
Unsuccessful exploitation attempts will cause the process
serving the request to crash with signal 11, and may leave
evidence of an attack in logs.


==================
Patch Availability
==================

A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch)
has been attached to this mail.  The patch has been
signed with the "Samba Distribution Verification Key"
(ID F17F9772).


=============================
Protecting Unpatched Servers
=============================

The Samba Team always encourages users to run the latest
stable release as a defense against attacks.  However,
under certain circumstances it may not be possible to
immediately upgrade important installations.  In such
cases, administrators should read the "Server Security"
documentation found at

http://www.samba.org/samba/docs/server_security.html.


=======
Credits
=======

This security issue was reported to Samba developers by
iDEFENSE Labs.  The vulnerability was discovered by Greg
MacManus, iDEFENSE Labs.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBuMLMIR7qMdg1EfYRAjyRAJsFssPgXa5aekh7E9WvN5lmapVlNQCfdIc4
kap3fYavz2WwvekK/H5Rx5A=
=mRQC
-----END PGP SIGNATURE-----
Comment 1 Ludwig Nussel 2004-12-10 17:17:34 UTC
Created attachment 26942 [details]
patch that was included in advisory
Comment 2 Lars Müller 2004-12-11 00:21:37 UTC
Ralf:  We should include this into SP 1.  The patch is a generic fix of the problem.
Comment 3 Ralf Flaxa 2004-12-11 00:53:16 UTC
Can we be sure that the release deadline will stay at Thu Dec 16th? 
This would match our RC2 release date, so we could integrate this 
in the RC2 code on Monday and I would approve it as we have to 
retest it anyways and remote code execution is a serious problem. 
 
Comment 4 Lars Müller 2004-12-12 22:31:19 UTC
Ralf: Gerald (Jerry) Carter confirmed the release date also to another vendor.

IM: Could you please ask vendor-sec if one of the vendors did the backport for
Samba 2.2.  If not I'll have to do this on Tuesday.
Comment 5 Jim McDonough 2004-12-13 23:55:24 UTC
This patch appears clean to me, but as with anything this pervasive, the more
testing done, the better.  The actual functional change is to a very small piece
of the code, but the changes were made far beyond that to centralize memory
allocation.
Comment 6 Lars Müller 2004-12-14 05:40:52 UTC
Done the work on SLES 9 SP 1.  If we got 3.0.10 till tomorrow morning we'll make
the version update.  If not we have to stay with 3.0.9.  This was already
approved by Ralf <rf>.

Todo:

Backport 3.0.4 for SLES 9 GA relase or version update to the SLES 9 SP 1 level.
 Might in this case be the most effective approach as the patch is really large
and we have the testing for SLES 9 SP 1.

Backport to the 3.0.7 of 9.2 and 2.2.8a of SLES 8.
Comment 7 Lars Müller 2004-12-14 18:36:01 UTC
After discussion with Marcus <meissner>, Ralf <rf> and Andreas <aj> we decided
to use the Samba 3.0.9 as from SLES 9 SP 1 also for the current security fix of
SLES 9 GA, 9.1, and 9.2.

The version updates to SLES 9 GA and 9.2 are approved by the project managers.

Packages submitted for 9.1 and 9.2.  Both are mbuilded and slightly tested.

Todo: Samba 2.2.8a of SLES 8 and older SuSE Linux versions.
Comment 8 Thomas Biege 2004-12-14 21:41:10 UTC
SM-Tracker - 73 
Comment 9 Thomas Biege 2004-12-14 21:45:57 UTC
Created attachment 27037 [details]
patchinfo-box.smb
Comment 10 Thomas Biege 2004-12-14 21:46:16 UTC
Created attachment 27038 [details]
patchinfo-box.smb-winbind
Comment 11 Thomas Biege 2004-12-14 21:46:36 UTC
Created attachment 27039 [details]
patchinfo.smb-slec
Comment 12 Thomas Biege 2004-12-14 21:46:54 UTC
Created attachment 27040 [details]
patchinfo.smb-sles8
Comment 13 Thomas Biege 2004-12-14 21:47:12 UTC
Created attachment 27041 [details]
patchinfo.smb-sles9
Comment 14 Lars Müller 2004-12-16 19:10:58 UTC
Packages submitted for 9.1 and 9.2 again.  The have now the same code base as
the package for SLES 9 SP 1.
Comment 15 Lars Müller 2004-12-16 22:07:11 UTC
Attention:  For 9.2 we have to ensure to remove the samba-doc package as there
is a broken preun scriptlet in an installed package.

It is without any risk to deinstall the samba-doc package as this package only
includes documentation (surprise) and no config at all.

This should be done by some kind of script in the patchinfo.
Comment 16 Ludwig Nussel 2004-12-16 22:14:01 UTC
* This comment was added by mail.
Evil, evil, evil!
Comment 17 Marcus Meissner 2004-12-17 00:29:01 UTC
issue is now public: 
 
From: Gerald Carter <jerry@samba.org> 
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103) 
To: bugtraq@securityfocus.com 
Cc: security@samba.org 
Subject: [SAMBA] CAN-2004-1154 : Integer overflow could lead to remote code 
 execution in Samba 2.x,  3.0.x <= 3.0.9 
Old-Content-Type: text/plain; charset=ISO-8859-1; format=flowed 
 
[-- PGP Ausgabe folgt (aktuelle Zeit: Do 16 Dez 2004 17:28:40 CET) --] 
gpg: Unterschrift vom Do 16 Dez 2004 13:17:29 CET, DSA Schlüssel ID D83511F6 
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht 
+gefunden 
 
[-- Ende der PGP-Ausgabe --] 
 
[-- BEGIN PGP SIGNED MESSAGE --] 
 
========================================================== 
== 
== Subject:     Possible remote code execution 
== CVE ID#:     CAN-2004-1154 
== 
== Versions:    Samba 2.x & 3.0.x <= 3.0.9 
== 
== Summary:     A potential integer overflow when 
==              unmarshalling specific MS-RPC requests 
==              from clients could lead to heap 
==              corruption and remote code execution. 
== 
========================================================== 
 
 
=========== 
Description 
=========== 
 
Remote exploitation of an integer overflow vulnerability 
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, 
and Samba 3.0.x prior to and including 3.0.9 could 
allow an attacker to cause controllable heap corruption, 
leading to execution of arbitrary commands with root 
privileges. 
 
Successful remote exploitation allows an attacker to 
gain root privileges on a vulnerable system. In order 
to exploit this vulnerability an attacker must possess 
credentials that allow access to a share on the Samba server. 
Unsuccessful exploitation attempts will cause the process 
 serving the request to crash with signal 11, and may leave 
evidence of an attack in logs. 
 
 
================== 
Patch Availability 
================== 
 
A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch) 
can be downloaded from 
 
        http://www.samba.org/samba/ftp/patches/security/ 
 
The patch has been signed with the "Samba Distribution 
Verification Key" (ID F17F9772). 
 
 
============================= 
Protecting Unpatched Servers 
============================= 
 
The Samba Team always encourages users to run the latest 
stable release as a defense against attacks.  However, 
under certain circumstances it may not be possible to 
immediately upgrade important installations.  In such 
cases, administrators should read the "Server Security" 
documentation found at 
 
http://www.samba.org/samba/docs/server_security.html. 
 
 
=======     
Credits 
======= 
 
This security issue was reported to Samba developers by 
iDEFENSE Labs.  The vulnerability was discovered by Greg 
MacManus, iDEFENSE Labs. 
 
 
========================================================== 
== Our Code, Our Bugs, Our Responsibility. 
== The Samba Team 
==========================================================    
 
Comment 18 Lars Müller 2004-12-17 01:46:19 UTC
Samba 3 packages at ftp.SuSE.com and download.Samba.org are update to darte.
Comment 19 Thomas Biege 2004-12-17 01:53:52 UTC
samba2 patch ready. currently stressed in test builds. 
Comment 20 Thomas Biege 2004-12-17 03:31:40 UTC
Created attachment 27150 [details]
samba2-secfix-intoverflow.diff

This patch compiles well under 9.0-i386.
Comment 21 Lars Müller 2004-12-17 15:09:40 UTC
At comment #15 and #16:  Please do a rpm -F --noscripts to the samba-doc package
for 9.2 only with a script called from the patchinfo.  Then we don't have to
deinstall samba-doc and everything should be fine.

I'll prepared packages based on Thomas work.  Thanks, thanks, thanks.
Comment 22 Thomas Biege 2004-12-17 17:40:24 UTC
 
This patch should be well tested b/c it's very huge and I coded it to the 
rhythm of some aggressive metal music. ;-D 
Comment 23 Ludwig Nussel 2004-12-17 17:55:23 UTC
There is no way to add --noscripts in YOU patches AFAIK 
Comment 24 Lars Müller 2004-12-17 20:26:00 UTC
Packages build fine with the patch added in comment #20.  Tested for ul1 with
LDAP sam.  PDC domain join works, user authentication works.
Comment 25 Lars Müller 2004-12-17 23:01:31 UTC
At comment 15:  It was bug 63160.  This only happens on 9.2.  The scripts were
never part of the SLES GA version.  For SLES SP 1 it was fixed early enought
with the changes from 2004-11-11.
Comment 26 Michael Schröder 2004-12-17 23:48:50 UTC
Problem with samba-doc fixed workarounded in the preinstall script of the
samba-doc update package. No need for extra YOU trickery.
Comment 27 Lars Müller 2004-12-17 23:51:41 UTC
Great.  Hero of labour (at least of today).  Thanks a lot.  It's much less
embarrassing to the outside.
Comment 28 Lars Müller 2004-12-20 05:49:54 UTC
The patchinfo files for the 3.0.9 might be wrong as they don't include all
packages which are part of the Samba 3.0.9 package.

The must contain:
libsmbclient
libsmbclient-devel
samba
samba
samba-client
samba-doc
samba-pdb
samba-python
samba-vscan
samba-winbind

We don't need to update ldapsmb as it's only a perl script.

As I'm on vacation for two weeks I move this bug to the security-team.
Comment 29 Thomas Biege 2004-12-20 16:22:43 UTC
Hello Harald, 
samba is already checked in so I can't change the package list. 
 
Can you handle it please? 
Comment 30 Harald Mueller-Ney 2004-12-20 20:38:01 UTC
We rejected and adjusted the patchinfos as needed.
All are checked in again.
Comment 31 Thomas Biege 2004-12-21 01:13:29 UTC
Thanks a lot. 
 
I'll write the Advisory tomorrow. 
Comment 32 Sebastian Krahmer 2004-12-22 22:33:43 UTC
Packages approved, advisory released.
Comment 33 Marcus Meissner 2004-12-24 18:15:22 UTC
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Fri Dec 24 11:15:22 2004, took initial reporter lnussel@suse.de to cc
Comment 34 Marcus Meissner 2004-12-24 18:15:22 UTC
we received reports of this update causing problems on 8.2 and 9.1 
Comment 35 Marcus Meissner 2004-12-24 18:17:30 UTC
From: Serkan Beyaz <snbeyaz@typ0.de> 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) 
Gecko/20040707 
To: Sebastian Krahmer <krahmer@suse.de>, meissner@suse.de 
Subject: Samba security update 
 
Hallo, 
 
sorry die Stoerung, aber kann es sein dass die letzten 
security rpms fuer Samba fehlerhaft sind ? 
 
Auf mehreren SuSE 9.1 Rechnern auf den der Patch installiert 
wurde liess sich Samba nicht mehr starten, sodass wir auf 
das rpm-Paket aus der Originaldistribution zurueckgreifen mussten. 
 
Ist da was bekannt bei Euch ? 
 
Liebe Gruesse, 
 
     Serkan 
 
 
Comment 36 Marcus Meissner 2004-12-24 18:21:23 UTC
Created attachment 27305 [details]
samba-2.2.12-CAN-2004-1154.patch

updated patch from redhat (not the same sources as ours from Thomas)!
Comment 37 Lars Müller 2004-12-24 21:36:05 UTC
Regrading comment #35: Please ask for more details.

I've checked the Samba update process with samba-3.0.9-2.1.5 and
samba-client-3.0.9-2.1.5 as from the update tree on a 9.1 system and everything
works well.
Comment 38 Thomas Biege 2005-01-07 21:30:43 UTC
I need a reproduceable or more detailed bug-report to fix this. 
Comment 39 Thomas Biege 2005-01-20 23:14:19 UTC
Ok, new patch is done (see bug 64804). 
Waiting for testing. 
Comment 40 Thomas Biege 2005-01-21 21:02:01 UTC

*** This bug has been marked as a duplicate of 64804 ***