Bug 396401 - (CVE-2007-6015) CVE-2007-6015 samba: send_mailslot() buffer overflow
CVE-2007-6015 samba: send_mailslot() buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20071122,pu...
: Security
Depends On: 407321 407331 407341 407351 407361 407371 407381 433622
Blocks: 418311
  Show dependency treegraph
 
Reported: 2007-11-23 03:38 EST by Tomas Hoger
Modified: 2010-02-23 23:40 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-20 06:48:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2007-11-23 03:38:18 EST
Alin Rad Pop of Secunia Research discovered and reported following security
vulnerability in Samba:


Secunia Research has discovered a vulnerability in Samba, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"send_mailslot()" function. This can be exploited to cause a stack-based
buffer overflow with zero bytes via a specially crafted "SAMLOGON"
domain logon packet containing a username string placed at an odd offset
followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires
that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may
also be affected.

Vulnerability Details:
----------------------

The buffer overflow is triggered by the call to "set_message()" in
nmbd/nmbd_packets.c at line 1895. The "set_message()" function will call
a "memset()" to zero on "dgram->data" + 35 with a length bigger than the
available 576-35 bytes for an overly long total length for the SAMLOGON
GETDC, username, workgroup, and local hostname.

The vulnerability would at first glance be only triggerable in certain
unusual configurations with an overly long local workgroup or hostname
due to the limitations in size of the NetBIOS Datagram packet (576
bytes). However if an empty (two zero bytes) Unicode username is placed
at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()"
function called at line 365 in nmbd/nmbd_processlogon.c will convert the
whole GETDC string following the username into ascuser, allowing the
buffer overflow to take place in standard configurations.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27760 and CVE
identifier CVE-2007-6015.

Acknowledgements:

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
Comment 7 Josh Bressers 2007-12-10 10:52:16 EST
Lifting embargo:
http://samba.org/samba/security/CVE-2007-6015.html

Note You need to log in before you can comment on or make changes to this bug.