Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-21 ] Samba: Multiple buffer overflows
Date: Thu, 29 Jul 2004 13:22:52
Message-Id: 20040729132310.GV24932@mail.lieber.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200407-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Samba: Multiple buffer overflows
Date: July 29, 2004
Bugs: #57962
ID: 200407-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two buffer overflow vulnerabilities were found in Samba, potentially
allowing the remote execution of arbitrary code.

Background
==========

Samba is a package which allows *nix systems to act as file servers for
Windows computers. It also allows *nix systems to mount shares exported
by a Samba/CIFS/Windows server. The Samba Web Administration Tool
(SWAT) is a web-based configuration tool that is part of the Samba
package.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
  1  net-fs/samba      <= 3.0.4-r1                            >= 3.0.5

Description
===========

Evgeny Demidov found a buffer overflow in SWAT, located in the base64
data decoder used to handle HTTP basic authentication (CAN-2004-0600).
The same flaw is present in the code used to handle the sambaMungedDial
attribute value, when using the ldapsam passdb backend. Another buffer
overflow was found in the code used to support the 'mangling method =
hash' smb.conf option (CAN-2004-0686). Note that the default Samba
value for this option is 'mangling method = hash2' which is not
vulnerable.

Impact
======

The SWAT authentication overflow could be exploited to execute
arbitrary code with the rights of the Samba daemon process. The
overflow in the sambaMungedDial handling code is not thought to be
exploitable. The buffer overflow in 'mangling method = hash' code could
also be used to execute arbitrary code on vulnerable configurations.

Workaround
==========

Users who have disabled SWAT, do not use ldapsam passdb backends and do
not use the 'mangling method = hash' option are not vulnerable.

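The smb.conf half of the workaround can be checked mechanically. The following is an added example, not part of the original advisory or of Samba: it reads the [global] section and reports whether 'mangling method = hash' or an ldapsam passdb backend is configured. The sample configuration and the function names are constructed for illustration, and SWAT is not covered because it is started from inetd/xinetd rather than from smb.conf.

```python
import re

# Constructed sample smb.conf for this example (not taken from the advisory).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   ; legacy name mangling kept for old clients
   Mangling Method = hash
   passdb backend = ldapsam:ldap://ldap.example.org \\
                    guest

[share]
   path = /srv/share
"""


def global_params(text):
    """Return {normalised name: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in ";#"):
            continue                          # blank line or comment
        line, pending = pending + line, ""
        if line.endswith("\\"):               # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def exposure(text):
    """List which of the advisory's vulnerable configurations are present."""
    params = global_params(text)
    findings = []
    # Samba defaults to hash2; only an explicit 'hash' selects the vulnerable code.
    if params.get("manglingmethod", "hash2").lower() == "hash":
        findings.append("mangling method = hash (CAN-2004-0686)")
    backends = re.split(r"[\s,]+", params.get("passdbbackend", "").lower())
    if any(b.split(":", 1)[0] == "ldapsam" for b in backends):
        findings.append("ldapsam passdb backend (sambaMungedDial decoding)")
    return findings


if __name__ == "__main__":
    for finding in exposure(SAMPLE_SMB_CONF):
        print("exposed:", finding)
```
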
Resolution
==========

All Samba users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-fs/samba-3.0.5"
    # emerge ">=net-fs/samba-3.0.5"

References
==========

  [ 1 ] Samba 3.0.5 Release Notes
        http://www.samba.org/samba/whatsnew/samba-3.0.5.html
  [ 2 ] CAN-2004-0600
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
  [ 3 ] CAN-2004-0686
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0