Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 200773 (CVE-2007-6015) - net-fs/samba < 3.0.28 send_mailslot() "SAMLOGON" Buffer overflow (CVE-2007-6015)
Summary: net-fs/samba < 3.0.28 send_mailslot() "SAMLOGON" Buffer overflow (CVE-2007-6015)
Alias: CVE-2007-6015
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High blocker (vote)
Assignee: Gentoo Security
Whiteboard: B0 [glsa]
Depends on:
Reported: 2007-11-29 20:18 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-04 08:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

CVE-2007-0615.patch (CVE-2007-0615.patch,1.70 KB, patch)
2007-12-06 23:40 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
samba-3.0.27a-r1.ebuild (samba-3.0.27a-r1.ebuild,8.92 KB, text/plain)
2007-12-08 08:50 UTC, Tiziano Müller (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 20:18:32 UTC
Secunia Research has discovered a vulnerability in Samba, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"send_mailslot()" function. This can be exploited to cause a stack-based
buffer overflow with zero bytes via a specially crafted "SAMLOGON"
domain logon packet containing a username string placed at an odd offset
followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires
that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may
also be affected.

Vulnerability Details:

The buffer overflow is triggered by the call to "set_message()" in
nmbd/nmbd_packets.c at line 1895. The "set_message()" function will call
a "memset()" to zero on "dgram->data" + 35 with a length bigger than the
available 576-35 bytes for an overly long total length for the SAMLOGON
GETDC, username, workgroup, and local hostname.

The vulnerability would at first glance be only triggerable in certain
unusual configurations with an overly long local workgroup or hostname
due to the limitations in size of the NetBIOS Datagram packet (576
bytes). However if an empty (two zero bytes) Unicode username is placed
at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()"
function called at line 365 in nmbd/nmbd_processlogon.c will convert the
whole GETDC string following the username into ascuser, allowing the
buffer overflow to take place in standard configurations.


Secunia Research has created a PoC for the vulnerability, which is
available upon request.

The vulnerability can also be reproduced by sending a SAMLOGON request
with an empty username placed at an odd offset and an overly long GETDC
string (around 250 bytes).

Closing comments:

We have assigned this vulnerability Secunia advisory SA27760 and CVE
identifier CVE-2007-6015.

A preliminary disclosure date of 2007-12-05 10am CET has been set, where
the details will be publicly disclosed. However, we are naturally
prepared to push the disclosure date if you need more time to address
the vulnerability.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 20:19:35 UTC
Upstream is working on a patch.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 23:40:55 UTC
Created attachment 137917 [details, diff]

You know the drill, please do not commit, but add an updated ebuild to this bug, so it can get testing and be committed to straight stable at the release date.
Comment 3 Tiziano Müller (RETIRED) gentoo-dev 2007-12-08 08:50:58 UTC
Created attachment 137995 [details]

Sorry for the delay, I was really busy yesterday...

The patch needs to be renamed to 3.0.27a-CVE-2007-0615.patch

Besides the requested patch, the ebuild fixes the bugs #200132 ("typo in elog") and #199934 ("oneliner to remove +x bit from headers").
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-08 11:47:07 UTC
Please test the attached ebuild and report back at this bug.

Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Adding Arch Security Liaisons:
  alpha : ferdy
  amd64 : welp
   hppa : jer
    ppc : dertobi123
  ppc64 : corsair
  sparc : ferdy
    x86 : tsunam
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-08 17:53:50 UTC
make test does its job right up to the SMBTORTURE4 tests. This isn't a regression though, and all else looks OK for HPPA.
Comment 6 Peter Weller (RETIRED) gentoo-dev 2007-12-08 22:08:15 UTC
Ditto for amd64.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-12-09 07:58:24 UTC
looking as good on ppc64, too.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-12-09 10:59:21 UTC
Looks fine on alpha/ia64/sparc/x86
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-09 16:18:42 UTC
looks good for ppc
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-09 21:19:54 UTC
Please rename the patch to contain 6015 instead of 0615.

prestabled for all security supported arches. Tiziano, please prepare for a commit  on Tuesday. The time is not confirmed yet.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 02:07:07 UTC
Samba folks will release their advisory at about 15 UTC and Secunia did not reply to the schedule question.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 15:42:01 UTC
public now.
Comment 13 Tiziano Müller (RETIRED) gentoo-dev 2007-12-10 16:40:57 UTC
commited as 3.0.28 (as released by upstream, contains only the security update).
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 16:49:09 UTC
Arches, please test and mark stable net-fs/samba-3.0.28.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm mips s390 sh"
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-10 21:09:35 UTC
GLSA 200712-10
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:53:00 UTC
Does not affect current (2008.0) release. Removing release.