Samba vulnerabilities

Updated 4/8/03
CVE 2001-1162
CAN 2002-1318
CAN 2003-0085
CAN 2003-0201

Impact

Remote attackers could potentially execute arbitrary commands on systems running Samba versions 2.0 to 2.2.8. On systems running older Samba versions, in some configurations, the Samba server could allow a local user to append to arbitrary files, and a remote attacker to avoid logging of failed connection attempts, which could allow brute force attacks. In other configurations, it could be possible for any attacker, local or remote, to append to arbitrary files. This could easily be leveraged to gain full root access to the system.

Background

Server Message Block (SMB) is a network protocol native to Windows systems which allows sharing of files and printers across a network. Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems.

Every computer which uses the SMB protocol is assigned a NetBIOS name. This name is used to identify the computer on the network for the purposes of resolving SMB requests.

The Problems


Buffer Overflow in call_trans2open

4/8/03
CAN 2003-0201
There is a buffer overflow condition in the call_trans2open function which could allow an anonymous remote attacker to execute arbitrary code with root privileges by sending data in excess of 1024 bytes. All versions of Samba up to and including Samba 2.2.8 are affected by this vulnerability.


Buffer Overflow in Packet Fragment Re-Assembly

3/18/03
CAN 2003-0085
A buffer overflow in the SMB/CIFS packet fragment re-assembly code could allow a remote attacker to overwrite arbitrary areas of memory, thus gaining the ability to execute commands with root privileges. Samba 2.0 through 2.2.7a are affected by this vulnerability.


Encrypted Password Change Buffer Overflow

11/22/02
CAN 2002-1318
A buffer overflow condition in the processing of encrypted password change requests could potentially allow a remote attacker to execute arbitrary commands on the system. In order to exploit this vulnerability, a client would send an encrypted password, which, when decrypted with the old hashed password, could overflow a buffer on the stack. Samba 2.2.2 through 2.2.6 are affected by this vulnerability. Although there is no known exploit for this vulnerability, it is still a serious problem which should be addressed.


Macro expansion flaw in log file name

7/3/01
CVE 2001-1162
A vulnerability affects older versions of Samba when configured to log error messages in a file whose name is determined by the NetBIOS name of the client. If this is the case, insufficient checking of the client's NetBIOS name by Samba could allow an attacker to change the path of the log file. In the worst-case scenario, this could lead to remote write access to arbitrary files, which could result in remote root access. In other scenarios, this could lead to privilege elevation by a local attacker, or the opportunity for a remote attacker to perform brute-force password guessing attacks without being logged.

Samba versions prior to 2.0.10 are affected by this vulnerability if the log file name includes the NetBIOS name (represented by %m) in the configuration file. The Samba configuration file is usually located in /etc/smb.conf or /etc/samba/smb.conf. For example, if a Samba server prior to version 2.0.10 is installed, and the /etc/smb.conf file includes the following line:

    log file = /var/log/samba/%m.log

then the server is vulnerable.
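The following is an added example, not code from the advisory or from Samba: it scans an smb.conf fragment for a "log file" path built from %m, and shows the kind of client-name validation and path confinement whose absence the flaw above describes. The sample configuration text, the allow-list regular expression, and the log directory are constructed assumptions.

```python
import os
import re

# Constructed sample smb.conf fragment (not taken from the original page).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/%m.log
   max log size = 50

[homes]
   browseable = no
"""

def find_log_file_directive(conf_text):
    """Return the value of the [global] 'log file' directive, or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "log file":
                return value
    return None

def uses_client_name_in_log_path(conf_text):
    """True when the log path is derived from the client NetBIOS name (%m)."""
    value = find_log_file_directive(conf_text)
    return value is not None and "%m" in value

# Allow-list for names spliced into a path (assumption; stricter than the
# NetBIOS character set, which is the point: no '/', '.', or separators).
SAFE_NETBIOS_NAME = re.compile(r"^[A-Za-z0-9_-]{1,15}$")

def expand_log_path(template, client_name, log_dir="/var/log/samba"):
    """Expand %m with the client name; return None if the name fails the
    allow-list or the resulting path would escape log_dir (defense in depth)."""
    if not SAFE_NETBIOS_NAME.match(client_name):
        return None
    path = os.path.normpath(template.replace("%m", client_name))
    if os.path.commonpath([path, log_dir]) != os.path.normpath(log_dir):
        return None
    return path
```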

Resolution

Upgrade to Samba 2.2.8a or higher, or apply a fix from your operating system vendor.

Where can I read more about this?

For more information on the call_trans2open buffer overflow, see CIAC Bulletin N-073.

For more information on the SMB/CIFS packet re-assembly buffer overflow, see the Samba 2.2.8 Release Notes and CIAC Bulletin N-055.

For more information on the encrypted password buffer overflow, see the Samba 2.2.7 Release Notes and CIAC Bulletin N-019.

For more information on the logging vulnerability, see the announcement from Samba and the posting to Bugtraq.