Alin Rad Pop of Secunia Research discovered and reported the following security vulnerability in Samba:

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may also be affected.

Vulnerability Details:
----------------------
The buffer overflow is triggered by the call to "set_message()" in nmbd/nmbd_packets.c at line 1895. The "set_message()" function will call a "memset()" to zero on "dgram->data" + 35 with a length bigger than the available 576-35 bytes for an overly long total length for the SAMLOGON GETDC, username, workgroup, and local hostname.

The vulnerability would at first glance be only triggerable in certain unusual configurations with an overly long local workgroup or hostname due to the limitations in size of the NetBIOS Datagram packet (576 bytes). However, if an empty (two zero bytes) Unicode username is placed at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()" function called at line 365 in nmbd/nmbd_processlogon.c will convert the whole GETDC string following the username into ascuser, allowing the buffer overflow to take place in standard configurations.

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27760 and CVE identifier CVE-2007-6015.

Acknowledgements:
Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
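The two mechanics the advisory describes, an unaligned UCS-2 terminator that a reader can step over and a zero-fill whose length is not checked against the 576-35 byte datagram payload, are illustrated below from the defensive side. This is an added example and not Samba's code: the function names (ucs2_strlen_bounded, set_message_checked), the constructed sample packet and the idea of treating the sum of the component lengths as the body length are assumptions made for the illustration; only the 576-byte datagram size and the 35-byte data offset come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DGRAM_MAX     576            /* NetBIOS datagram size, from the advisory */
#define DGRAM_HDR     35             /* offset of dgram->data used by set_message() */
#define DGRAM_PAYLOAD (DGRAM_MAX - DGRAM_HDR)

/* Count UCS-2LE code units before a two-zero-byte terminator, starting
 * exactly at 'off' inside buf[0..len). Returns -1 when no terminator is
 * found before the end of the buffer. The offset is deliberately NOT
 * rounded up to an even boundary: the terminator is checked at off,
 * off+2, ..., so an empty string placed at an odd offset is still seen
 * as empty instead of being skipped over. */
static int ucs2_strlen_bounded(const uint8_t *buf, size_t len, size_t off) {
    size_t i = off;
    int n = 0;
    while (i + 1 < len) {
        if (buf[i] == 0 && buf[i + 1] == 0)
            return n;
        i += 2;
        n++;
    }
    return -1;  /* unterminated: refuse rather than read past the packet */
}

/* Length-checked version of the zero-fill described in the advisory:
 * only clear the tail of the data area when the requested body length
 * actually fits in the datagram. Returns 1 on success, 0 if rejected. */
static int set_message_checked(uint8_t *dgram, size_t dgram_cap, size_t body_len) {
    if (dgram_cap < DGRAM_HDR || body_len > dgram_cap - DGRAM_HDR)
        return 0;
    memset(dgram + DGRAM_HDR, 0, body_len);
    return 1;
}

/* Constructed sample (hypothetical layout, not a real SAMLOGON packet):
 * one pad byte, then an empty UCS-2 username (two zero bytes) at the
 * ODD offset 1, then "GETDC" in UCS-2LE, then its terminator. */
static const uint8_t sample_pkt[] = {
    0xAA,                 /* pad so the username starts at offset 1 */
    0x00, 0x00,           /* empty username */
    'G', 0, 'E', 0, 'T', 0, 'D', 0, 'C', 0,
    0x00, 0x00            /* terminator of the GETDC string */
};

int main(void) {
    /* Reading at the real (odd) offset sees the empty username. */
    int at_odd  = ucs2_strlen_bounded(sample_pkt, sizeof sample_pkt, 1);
    /* A reader that first rounds the offset up to 2 misses the terminator
     * and consumes the following GETDC bytes as the username instead. */
    int at_even = ucs2_strlen_bounded(sample_pkt, sizeof sample_pkt, 2);
    printf("username length at offset 1: %d, at offset 2: %d\n", at_odd, at_even);

    uint8_t dgram[DGRAM_MAX];
    printf("zero-fill of %d bytes accepted: %d\n", DGRAM_PAYLOAD,
           set_message_checked(dgram, sizeof dgram, DGRAM_PAYLOAD));
    printf("zero-fill of %d bytes accepted: %d\n", DGRAM_PAYLOAD + 1,
           set_message_checked(dgram, sizeof dgram, DGRAM_PAYLOAD + 1));
    return 0;
}
```

The point of the pair is that neither check alone is enough: the bounded string reader keeps a malformed username from swallowing the rest of the request, and the length check on the zero-fill keeps an oversized body from writing past the data area regardless of how the body was assembled.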
Lifting embargo: http://samba.org/samba/security/CVE-2007-6015.html
Fixed in affected products:

Red Hat Enterprise Linux
http://rhn.redhat.com/errata/RHSA-2007-1114.html
http://rhn.redhat.com/errata/RHSA-2007-1117.html

Fedora
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4269
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4275