
Samba SMBClient Remote Heap Overflow Vulnerability

09.29.03

BACKGROUND

smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program and provides functionality such as file browsing and retrieval.

DESCRIPTION

A remotely exploitable heap overflow exists in the Samba Team's smbclient, allowing a malicious server to execute arbitrary code on the machine of any vulnerable client that connects to it.

Clients establish NetBIOS sessions via communication through TCP port 139. The vulnerability is exploited through this channel and occurs after session negotiation. The following is a basic overview of a typical control channel negotiation:

Client -> NBT Session Request -> Server
Client <- NBT Session Granted <- Server
Client -> SMB SMBnegprot Request -> Server
Client <- SMB SMBnegprot Reply <- Server
Client -> SMB SMBsesssetupX Request -> Server
** Client <- SMB SMBsesssetupX Reply <- Server

When responding with an SMBsesssetupX reply (marked with **) that carries a buffer larger than 60,000 bytes, the server is able to write a large amount of data into the client's heap. Due to a lack of bounds checking, the data overruns the receive buffer and overwrites the memory management control information of the next chunk of memory located immediately after the overflowed buffer on the heap. By placing carefully constructed fake memory chunks at the end of the buffer, it is possible to trick the memory allocator into executing arbitrary code when the buffer is later passed to free().
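The following added C example models the bug class described above; it is not Samba's code and not iDEFENSE's proof of concept. It parses the 4-byte NetBIOS session service header (whose length field is 17 bits, so a single session message can declare far more than 60,000 bytes), then shows the vulnerable shape (copying the server-declared length into a fixed-size heap buffer) beside the hardened shape (rejecting any length above the buffer's capacity). The "heap" is a simulated arena where the receive buffer is followed by a 16-byte stand-in for the allocator's next-chunk header, so the overrun can be observed without corrupting the real allocator. RECV_CAP, the function names, the arena layout and the marker bytes placed in the fake chunk are assumptions for illustration; a real attack would use allocator-specific values, which this example deliberately omits.

```c
/* Added example, not Samba's code. RECV_CAP, the arena layout, the
 * function names and the marker values are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECV_CAP 60000u            /* assumed client receive-buffer capacity */
#define NBT_HDR 4u                 /* NetBIOS session service header size */
#define NBT_SESSION_MESSAGE 0x00   /* session message type carrying SMB */

/* 16-byte stand-in for a 32-bit dlmalloc-style chunk header that the
 * allocator keeps directly after the receive buffer on the heap. */
struct fake_chunk { uint32_t prev_size, size, fd, bk; };

struct arena {
    unsigned char recv[RECV_CAP];
    struct fake_chunk next;        /* "memory management control information" */
};

/* Decode the NBT session-service length: flags bit 0 is bit 16 of the length,
 * so a session message may declare up to 131071 bytes, well above RECV_CAP. */
static int nbt_payload_len(const unsigned char *hdr, size_t *len)
{
    if (hdr[0] != NBT_SESSION_MESSAGE) return -1;
    *len = ((size_t)(hdr[1] & 0x01) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    return 0;
}

/* Vulnerable shape: trusts the server-declared length and copies it into the
 * fixed-size buffer. Any length above RECV_CAP runs into the next chunk. */
static long vulnerable_recv(struct arena *a, const unsigned char *msg, size_t msglen)
{
    size_t len;
    if (msglen < NBT_HDR || nbt_payload_len(msg, &len) != 0) return -1;
    if (msglen < NBT_HDR + len) return -1;          /* short read */
    memcpy(a->recv, msg + NBT_HDR, len);            /* no check against RECV_CAP */
    return (long)len;
}

/* Hardened shape: refuse any message that does not fit the buffer. */
static long hardened_recv(struct arena *a, const unsigned char *msg, size_t msglen)
{
    size_t len;
    if (msglen < NBT_HDR || nbt_payload_len(msg, &len) != 0) return -1;
    if (len > RECV_CAP || msglen < NBT_HDR + len) return -1;
    memcpy(a->recv, msg + NBT_HDR, len);
    return (long)len;
}

static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* Constructed SMBsesssetupX reply: NBT header, payload_len bytes of filler, and
 * a 16-byte fake chunk header at the very end (marker values only). */
static unsigned char *build_reply(size_t payload_len, size_t *out_len)
{
    unsigned char *msg, *tail;
    if (payload_len < sizeof(struct fake_chunk) || payload_len > 0x1FFFF) return NULL;
    msg = malloc(NBT_HDR + payload_len);
    if (!msg) return NULL;
    msg[0] = NBT_SESSION_MESSAGE;
    msg[1] = (unsigned char)((payload_len >> 16) & 0x01);   /* length bit 16 */
    msg[2] = (unsigned char)(payload_len >> 8);
    msg[3] = (unsigned char)payload_len;
    memset(msg + NBT_HDR, 'A', payload_len);
    tail = msg + NBT_HDR + payload_len - sizeof(struct fake_chunk);
    put32(tail + 0, 0x41414141);   /* prev_size */
    put32(tail + 4, 0x43434343);   /* size */
    put32(tail + 8, 0x44444444);   /* fd */
    put32(tail + 12, 0x45454545);  /* bk */
    *out_len = NBT_HDR + payload_len;
    return msg;
}

/* Returns 1 when the unchecked copy clobbered the fake chunk header while the
 * checked copy refused the same message and left the arena untouched. */
static int demo_overflow(void)
{
    size_t msglen;
    /* Sized so the overrun lands exactly on the fake chunk and stays inside the arena. */
    unsigned char *msg = build_reply(RECV_CAP + sizeof(struct fake_chunk), &msglen);
    struct arena *a = calloc(1, sizeof *a);
    long vuln, hard;
    int clobbered, intact, ok;
    if (!msg || !a) { free(msg); free(a); return 0; }

    a->next.size = 0x18;                            /* a sane header, as the allocator would write */
    vuln = vulnerable_recv(a, msg, msglen);
    clobbered = a->next.prev_size == 0x41414141 && a->next.size == 0x43434343 &&
                a->next.fd == 0x44444444 && a->next.bk == 0x45454545;

    memset(a, 0, sizeof *a);
    a->next.size = 0x18;
    hard = hardened_recv(a, msg, msglen);
    intact = a->next.size == 0x18 && a->recv[0] == 0;

    ok = vuln == (long)(msglen - NBT_HDR) && clobbered && hard == -1 && intact;
    free(msg);
    free(a);
    return ok;
}

int main(void)
{
    printf("unchecked copy overwrote next chunk, checked copy refused: %s\n",
           demo_overflow() ? "yes" : "no");
    return 0;
}
```

The fix is the single comparison `len > RECV_CAP` before the copy; everything the server controls (the NBT length field, the payload bytes) must be checked against the capacity the client actually allocated, not against what the server claims to have sent.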

ANALYSIS

Successful exploitation of the vulnerability described above allows remote attackers to execute arbitrary code with the privileges of the user who started smbclient. Exploitation requires that an attacker either force or coerce a target client into connecting to a malicious server.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

DETECTION

iDEFENSE has confirmed that the smbclient packaged with Samba 2.2.4 and 2.2.8a is vulnerable. Version 2.0.5a has been confirmed as not vulnerable.

VENDOR RESPONSE

Upgrade to the latest version of Samba, Samba-3.0.0 RC4, which contains smbclient fixes for this issue, at http://www.samba.org.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.

DISCLOSURE TIMELINE

06/23/2003   Exploit acquired by iDEFENSE
08/28/2003   Initial vendor notification
09/18/2003   iDEFENSE Clients notified
09/29/2003   Public Disclosure

CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.