Slightly edited report below ---

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error within the "reply_netbios_packet()" function in nmbd/nmbd_packets.c when sending NetBios replies. This can be exploited to cause a stack-based buffer overflow by sending multiple specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request.

Successful exploitation allows execution of arbitrary code, but requires that Samba is configured to run as a WINS server (the "wins support" option is enabled).

The vulnerability is confirmed in version 3.0.26a. Prior versions may also be affected.

Vulnerability Details:
----------------------
The vulnerability is caused by incorrectly calling "memcpy()" at line 967 in nmbd/nmbd_packets.c without ensuring that the "nmb->answers->rdata" array (576 bytes) has enough allocated space.

Exploitation:
-------------
Secunia Research has created a PoC for the vulnerability, which is available upon request.

The vulnerability can also be reproduced by sending 250 "Name Registration" requests for different names having the "0x1b" type and sending a "Name Query" request for the "*....\x1b" name.

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27450 and CVE identifier CVE-2007-5398.

Credits should go to: Alin Rad Pop, Secunia Research.
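The advisory above describes the bug in three pieces: a fixed 576-byte rdata array in the answer record, a memcpy() that trusts the computed reply length, and a WINS name query whose reply grows with the number of registered 0x1b names. The following is an added example, not code from the advisory, this bug or Samba itself: a small C model of the unchecked copy next to the bounded copy from the proposed patch, plus a builder for the name query response data so the size limit can be seen being crossed. The struct and function names are stand-ins (assumptions); the 6-byte per-owner layout of a positive name query response (NB_FLAGS + NB_ADDRESS) is taken from RFC 1002 section 4.2.13, not from the advisory, and the NUL padding of the "*" query name and the constructed 10.0.x.y addresses are likewise assumptions. With those numbers, 97 registered 0x1b names are already enough to exceed 576 bytes, so the 250 registrations in the advisory leave a wide margin.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory and RFC 1002. answer_model is a stand-in (assumption)
 * for Samba's answer record; it is not Samba's real structure. */
#define RDATA_SIZE     576   /* size of nmb->answers->rdata per the advisory */
#define NB_ENTRY_SIZE  6     /* NB_FLAGS (2) + NB_ADDRESS (4), RFC 1002 4.2.13 */
#define NB_NAME_LEN    16    /* 15 name bytes + 1 type byte */

struct answer_model {
    int rdlength;
    unsigned char rdata[RDATA_SIZE];
};

/* Pre-patch pattern from reply_netbios_packet(): len is trusted. With len above
 * RDATA_SIZE this writes past rdata, and with the record on the stack that is
 * the overflow in the advisory. Only ever call it with len <= RDATA_SIZE. */
static void copy_rdata_unchecked(struct answer_model *ans, const unsigned char *data, int len)
{
    if (data && len) {
        ans->rdlength = len;
        memcpy(ans->rdata, data, len);
    }
}

/* Post-patch pattern mirroring the proposed upstream check: reject negative
 * and oversized lengths before touching rdata. Returns 0 when the reply is
 * filled in and -1 when it would have been dropped. */
static int copy_rdata_checked(struct answer_model *ans, const unsigned char *data, int len)
{
    if (data && len) {
        if (len < 0 || (size_t)len > sizeof(ans->rdata)) {
            fprintf(stderr, "reply_netbios_packet: invalid packet len (%d)\n", len);
            return -1;
        }
        ans->rdlength = len;
        memcpy(ans->rdata, data, len);
    }
    return 0;
}

/* Build the rdata of a positive name query response listing n_names owners,
 * one NB_FLAGS + IPv4 entry each (constructed addresses 10.0.x.y). Returns the
 * number of bytes the complete reply needs; at most cap bytes go into out. */
static size_t build_query_rdata(unsigned n_names, unsigned char *out, size_t cap)
{
    size_t need = (size_t)n_names * NB_ENTRY_SIZE;
    for (unsigned i = 0; i < n_names; i++) {
        unsigned char entry[NB_ENTRY_SIZE] = {
            0x60, 0x00,                                       /* NB_FLAGS: unique, H-node */
            10, 0, (unsigned char)(i >> 8), (unsigned char)i  /* NB_ADDRESS (constructed) */
        };
        size_t off = (size_t)i * NB_ENTRY_SIZE;
        if (off + NB_ENTRY_SIZE <= cap)
            memcpy(out + off, entry, NB_ENTRY_SIZE);
    }
    return need;
}

/* Smallest number of registered 0x1b names whose "*<1b>" reply no longer fits. */
static unsigned registrations_to_overflow(void)
{
    return RDATA_SIZE / NB_ENTRY_SIZE + 1;
}

/* RFC 1001 14.1 first-level encoding: name padded with pad to 15 bytes plus the
 * type byte, every byte split into two nibbles with 'A' added. out holds 33
 * bytes. NUL padding for the "*" query name is an assumption. */
static void encode_netbios_name(const char *name, unsigned char type, char pad, char out[33])
{
    unsigned char raw[NB_NAME_LEN];
    size_t n = strlen(name);
    memset(raw, (unsigned char)pad, NB_NAME_LEN - 1);
    if (n > NB_NAME_LEN - 1) n = NB_NAME_LEN - 1;
    memcpy(raw, name, n);
    raw[NB_NAME_LEN - 1] = type;
    for (int i = 0; i < NB_NAME_LEN; i++) {
        out[2 * i]     = (char)('A' + (raw[i] >> 4));
        out[2 * i + 1] = (char)('A' + (raw[i] & 0x0f));
    }
    out[32] = '\0';
}

int main(void)
{
    static unsigned char buf[4096];
    struct answer_model ans;
    char enc[33];
    unsigned n = registrations_to_overflow();

    encode_netbios_name("*", 0x1b, '\0', enc);
    printf("wildcard <1b> query name: %s\n", enc);

    size_t fits = build_query_rdata(n - 1, buf, sizeof buf);
    copy_rdata_unchecked(&ans, buf, (int)fits);   /* still within rdata */
    printf("%u names: %zu bytes, unchecked copy ok\n", n - 1, fits);

    size_t need = build_query_rdata(n, buf, sizeof buf);
    printf("%u names: %zu bytes (limit %d), checked copy %s\n", n, need, RDATA_SIZE,
           copy_rdata_checked(&ans, buf, (int)need) == 0 ? "sent" : "dropped");
    return 0;
}
```

The checked variant drops the reply instead of truncating it, which matches the patch: a truncated owner list would be a silently wrong answer, while a dropped one at least fails closed. The order of the two tests in the check matters; `len < 0` runs first so a negative length is never promoted to a large size_t in the second comparison.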
Proposed upstream patch. diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c index d49c8ba..b78ab5b 100644 --- a/source/nmbd/nmbd_packets.c +++ b/source/nmbd/nmbd_packets.c @@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name), nmb->answers->ttl = ttl; if (data && len) { + if (len < 0 || len > sizeof(nmb->answers->rdata)) { + DEBUG(5,("reply_netbios_packet: " + "invalid packet len (%d)\n", + len )); + return; + } nmb->answers->rdlength = len; memcpy(nmb->answers->rdata, data, len); }
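Review bot: the new bound check in reply_netbios_packet() compares the signed `len` against `sizeof(nmb->answers->rdata)`, a size_t; that is only safe because `len < 0` is tested first and short-circuits, so keep the two tests in this order (or cast `len` explicitly) so a later edit cannot turn a negative length into a huge unsigned value. The early `return` also drops the reply silently at DEBUG level 5, which an administrator running a WINS server will not normally see; a lower level (or a one-off warning) would make an oversized reply visible, and the return path should be checked for anything allocated earlier in the function that this hunk does not show.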
Hi Tiziano, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.
Created attachment 135044: samba-3.0.26a-r2.ebuild
Created attachment 135045: files/3.0.26a-CVE-2007-5398.patch
@rbu: I don't think this is a question of whether I want it or not. Attached is a revision bump of 3.0.26a-r1 which includes the proposed fix. 3.0.26a-r1 is a small improvement over the former 3.0.26a ebuild and adds a small fix (which fixes a bug in the client library only). Both 3.0.26a and 3.0.26a-r1 were/are not yet stable, but ready (3.0.26a was committed October 15th). I'd really appreciate it if we could test and mark stable 3.0.26a (which is the recommended version according to upstream anyway).
Arches liaisons, please test attached ebuild and report back here. Do not commit anything for the moment.
Works for HPPA.
GLSA filed.
looks good on ppc64, too.
Adding armin for alpha
Works fine on alpha/ia64/sparc/x86
looks good for ppc
Adding Chris for releng. Steve, do you have time to test on amd64?
Official disclosure is in about 48 hours. For once, the GLSA draft is almost ready and we have an opportunity to publish it in time! So Chris, Steve, please test on amd64, or CC another amd64 guy if you don't have time. Thanks :)
(In reply to comment #13)
> Adding Chris for releng.
>
> Steve, do you have time to test on amd64?

Is good to go on amd64.
Tiziano, the vulnerability should be disclosed tomorrow at 10:00 CET. As soon as you have time after that, please check this URL: http://secunia.com/secunia_research/2007-90/ If the advisory is public, please do the straight stable bump for all the arches that gave an OK on this bug. If you cannot do the commit for some reason, please let us or someone else know.
(In reply to comment #16)
> If you cannot do the commit for some reason, please let us or someone else know.

Of course, let us know. And let us or someone else do the commit, is what I meant.
Also reporting sparc good (all tests pass).
Ok, I committed 3.0.26a-r2 as stable on the mentioned arches. In addition to that, I also committed 3.0.27, which upstream released as a pure security release for CVE-2007-5398 AND for CVE-2007-4572, for which we don't have a security bug open yet (at least, I don't know of any). So, I'd like to ask all arch teams to test and mark stable 3.0.27 to get CVE-2007-4572 fixed as well. But the final decision on this is up to the security team.
Opening as this is public by $URL.

(In reply to comment #19)
> So, I'd like to ask all arch teams to test and mark stable 3.0.27 to get
> CVE-2007-4572 fixed as well. But the final decision for this is up to the
> security team.

Thanks for noticing. Well, then we have to start the stabling dance again.

Arches, please test and mark stable net-fs/samba-3.0.27. Target keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Sparc stable, all tests run as expected.
Is this harmful?

TEST FAILED: /dev/shm/portage/net-fs/samba-3.0.27/work/samba-3.0.27/source/bin/replacetort (status 255)
x86 stable
(In reply to comment #22)
> Is this harmful?

Stable for HPPA despite the unanswered question...
amd64 stable
alpha/ia64 stable
ppc stable, what about #199450 though?
ppc64 stable
GLSA was filed. dev-zero, please let us know how to proceed about the regression.
Ok, full stop for stabilization of samba-3.0.27 (well, a bit late, sorry). I p.masked net-fs/samba-3.0.27 due to bug #199450 (thanks to Tobias). Users should upgrade to 3.0.26-r2 as soon as possible. Users who have 3.0.27 already installed should downgrade.
Will you apply the fix for CVE-2007-4572 to .26a? http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-4572.patch
No, since 3.0.27 doesn't seem to contain anything other than the two patches, and that one seems to be the cause of the regression (as far as I know up to now).
@jer: I guess you ran the tests on an ext3 volume with ACLs active?
mips stable.
Upgrading status to B0 and setting [tempglsa]
Temporary GLSA 200711-29 sent, waiting for upstream to correct the regression...
Fixed version 3.0.27a is now in CVS with keywords reset. Security team: your turn again (hopefully the last one for this version).
Thanks. Arches, please test and mark stable net-fs/samba-3.0.27a. Target keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
alpha/ia64/sparc stable
Stable for HPPA.
ppc stable
amd64 done...
All done, thanks.
GLSA 200711-29 finally updated, closing.