// back

Samba nmbd Invalid Length Denial of Service Vulnerability

09.13.04

BACKGROUND

Samba is a software suite that provides file and print services to
SMB/CIFS clients, such as Microsoft Windows platforms. For more
information see:

http://www.samba.org/

DESCRIPTION

Remote exploitation of an input validation error in Samba allows an
attacker to crash the Samba nmbd server. The nmbd is a server, typically
listening on UDP port 138, understands and can reply to NetBIOS over IP
name service requests, and participates in the browsing protocols that
comprise the Windows "Network Neighborhood" view. Due to an input
validation error, a malformed UDP packet can cause the nmbd server to
crash while attempting to access memory outside of what is available.
The vulnerability specifically exists in the process_logon_packet()
function when it handles a SAM_UAS_CHANGE request. Part of this packet
contains a count of the number of structures that follow. No check is
made against the length of the packet to determine whether it is
possible to have as many structures in it as it claims. If a large value
is supplied, but a small number of structures are supplied, nmbd will
reference memory outside of the packet it has been supplied. This may
cause the nmbd process to crash.

The following is a trace of exploitation, showing the server no longer
responding to an nmblookup. The nmblookup tool is used to query NetBIOS
names and map them to IP addresses.

sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
        FEDORA1         <00> -         B <ACTIVE>
        FEDORA1         <03> -         B <ACTIVE>
        FEDORA1         <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MYGROUP         <00> - <GROUP> B <ACTIVE>
        MYGROUP         <1b> -         B <ACTIVE>
        MYGROUP         <1c> -         B <ACTIVE>
        MYGROUP         <1e> - <GROUP> B <ACTIVE>
 
sh-2.05b$ ./n 10.1.0.240 138 fedora1
 
Samba 3.x nmbd remote DoS exploit (0day)
 
Attacking 10.1.0.240:138 ..
Done, nmbd should be killed now.
sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
 
sh-2.05b$

ANALYSIS

This vulnerability is only exploitable if the daemon has been configured
to process domain logons. This vulnerability does not allow arbitrary
code execution. When the nmbd process dies, it no longer returns
information about the server, and the host is no longer accessible by
referencing its name.

DETECTION

iDEFENSE has confirmed Samba 3.0.2 is vulnerable. Analysis of the
source suggests that version 3.0.4 is also vulnerable. Samba 2.x does
not include the affected code and, therefore, is not affected by this
vulnerability. The line 'domain logons = yes' must also occur in
smb.conf for this issue to be exploitable. Note that removal of this
line from the configuration file, although it will prevent exploitation,
may also affect the Samba server's functionality.

The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6
are vulnerable.

WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this
issue. Removal of the line "domain logons = yes" from the smb.conf file
for the server will prevent exploitation but may also affect the Samba
server's functionality.

VENDOR RESPONSE

The patch file for Samba 3.0.5 addressing [the] bug
(samba-3.0.5-DoS.patch) can be downloaded from:

   http://download.samba.org/samba/ftp/patches/security/

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0808 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

09/02/2004    Initial vendor notification
09/02/2004    iDEFENSE clients notified
09/02/2004    Vendor response
09/13/2004    Coordinated public disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.