Thursday, June 07, 2007

[UNIX] Samba Multiple Heap Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Samba Multiple Heap Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

Multiple vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Samba via the RPC mechanism. User interaction
is not required to exploit this vulnerability.

DETAILS

Affected Products:
* Samba 3.0.0 - 3.0.25rc3

Samba lsa_io_privilege_set Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the LSA RPC
interface. When parsing a request to LsarAddPrivilegesToAccount, heap
allocation is calculated based on user input. By specifying invalid
values, heap blocks can be overwritten leading to remote code execution.

Samba netdfs_io_dfs_EnumInfo_d Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the DFS RPC
interface. When parsing a request to DFSEnum, heap allocation is
calculated based on user input. By specifying invalid values, heap blocks
can be overwritten leading to remote code execution.

Samba smb_io_notify_option_type_data Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the SPOOLSS RPC
interface. When parsing a request to RFNPCNEX, heap allocation is
calculated based on user input. By specifying invalid values, heap blocks
can be overwritten leading to remote code execution.

Samba sec_io_acl Heap Overflow Vulnerability
The specific flaw exists in the parsing of RPC requests to the SRVSVC RPC
interface. When parsing a request to NetSetFileSecurity, heap allocation
is calculated based on user input. By specifying invalid values, heap
blocks can be overwritten leading to remote code execution.

Samba lsa_io_trans_names Heap Overflow Vulnerability:
The specific flaw exists in the parsing of RPC requests to the LSA RPC
interface. When parsing a request to LsarLookupSids/LsarLookupSids2, heap
allocation is calculated based on user input. By specifying invalid
values, heap blocks can be overwritten leading to remote code execution.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446>
CVE-2007-2446

Vendor Status:
Samba has issued an update to correct this vulnerability. More details can
be found at:
<http://us1.samba.org/samba/security/CVE-2007-2446.html>

http://us1.samba.org/samba/security/CVE-2007-2446.html

Disclosure Timeline:
* 2007.04.25 - Vulnerability reported to vendor
* 2007.05.02 - Digital Vaccine released to TippingPoint customers
* 2007.05.15 - Coordinated public release of advisory


ADDITIONAL INFORMATION

The information has been provided by ZDI-07-029, ZDI-07-030, ZDI-07-031,
ZDI-07-032, ZDI-07-033.
The original articles can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-07-029.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-029.html

<http://www.zerodayinitiative.com/advisories/ZDI-07-030.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-030.html

<http://www.zerodayinitiative.com/advisories/ZDI-07-031.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-031.html

<http://www.zerodayinitiative.com/advisories/ZDI-07-032.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-032.html

<http://www.zerodayinitiative.com/advisories/ZDI-07-033.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-033.html

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment