<<< Date Index >>>     <<< Thread Index >>>

Advisory 13/2004: Samba 3.x QFILEPATHINFO unicode filename buffer overflow



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Samba 3.x QFILEPATHINFO unicode filename buffer overflow
 Release Date: 2004/11/15
Last Modified: 2004/11/15
       Author: Stefan Esser [s.esser@xxxxxxxxxxxx]

  Application: Samba 3 <= 3.0.7
     Severity: A buffer overflow inside the QFILEPATHINFO request 
               handler allows remote code execution
         Risk: Critical
Vendor Status: Vendor has released a bugfixed version.
    Reference: http://security.e-matters.de/advisories/132004.html


Overview:

   Samba is an Open Source/Free Software suite that provides seamless 
   file and print services to SMB/CIFS clients. Samba is freely 
   available under the GNU General Public License.
   
   During an audit of the Samba 3.x codebase a unicode filename buffer
   overflow within the handling of TRANSACT2_QFILEPATHINFO replies
   was discovered that allows remote execution of arbitrary code.
   
   Exploiting this vulnerability is possible through every Samba user
   if a special crafted pathname exists. If such a path does not exist
   the attacker needs write access to one of the network shares.
   

Details:
   
   The SMB specification allows clients to specify a maximum amount
   of data bytes that the server is allowed to return in a single 
   reply. 

   When Samba 3.x receives a TRANSACT2_QFILEPATHINFO request with
   this field set to f.e. zero this can lead to an overflow of a
   unicode filename when constructing the reply.
   
   This is caused by the fact that Samba <= 3.0.7 reads this field,
   allocates 1024 bytes more than wanted and then writes the reply
   into this buffer without any kind of size check. While this
   behaviour was sufficient enough to protect against overflows in
   Samba 2.x the correction of the replies for the info_levels
   SMB_QUERY_FILE_NAME_INFO and SMB_QUERY_FILE_ALL_INFO to unicode
   full pathname strings allows overflowing the reserved buffer
   size.
   
   By using unicode chars within filenames this allows to overwrite
   malloc()/free() control structures and therefore allows remote
   code execution.
  

Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability
   to the public.
   

Disclosure Timeline:

   24. September 2004 - Made initial contact with the Samba Team
   25. September 2004 - Samba Team has fixed the bug in CVS
   26. September 2004 - Disclosure was delayed on our side because 
                        of another issue that was suppossed to get
                        disclosed at the same time
   08. November  2004 - Samba Team released 3.0.8 without noticing
                        us because they were wrongly convinced
                        that the bug is not exploitable
   15. November  2004 - Public Disclosure

   
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0882 to this issue.


Recommendation:

   Unlike several other Samba vulnerabilities within the last months
   this vulnerability affects default installations of Samba 3.x and
   therefore any user of Samba 3 <= 3.0.7 should upgrade as soon as
   possible.
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBmNp7b31XLTAExLwRAl8hAKCQj8d3leJXoAUXwDDTSyWXFpOuYgCdGmCk
n1enS7HnoIE5OZMcvr+3ol8=
=xnI7
-----END PGP SIGNATURE-----