Public Vulnerability Reports

Samba nmbd Invalid Length Denial of Service Vulnerability



Samba is a software suite that provides file and print services to
SMB/CIFS clients, such as Microsoft Windows platforms. For more
information see:


Remote exploitation of an input validation error in Samba allows an
attacker to crash the Samba nmbd server. The nmbd is a server, typically
listening on UDP port 138, understands and can reply to NetBIOS over IP
name service requests, and participates in the browsing protocols that
comprise the Windows "Network Neighborhood" view. Due to an input
validation error, a malformed UDP packet can cause the nmbd server to
crash while attempting to access memory outside of what is available.
The vulnerability specifically exists in the process_logon_packet()
function when it handles a SAM_UAS_CHANGE request. Part of this packet
contains a count of the number of structures that follow. No check is
made against the length of the packet to determine whether it is
possible to have as many structures in it as it claims. If a large value
is supplied, but a small number of structures are supplied, nmbd will
reference memory outside of the packet it has been supplied. This may
cause the nmbd process to crash.

The following is a trace of exploitation, showing the server no longer
responding to an nmblookup. The nmblookup tool is used to query NetBIOS
names and map them to IP addresses.

sh-2.05b$ nmblookup -A
Looking up status of
        FEDORA1         <00> -         B <ACTIVE>
        FEDORA1         <03> -         B <ACTIVE>
        FEDORA1         <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MYGROUP         <00> - <GROUP> B <ACTIVE>
        MYGROUP         <1b> -         B <ACTIVE>
        MYGROUP         <1c> -         B <ACTIVE>
        MYGROUP         <1e> - <GROUP> B <ACTIVE>
sh-2.05b$ ./n 138 fedora1
Samba 3.x nmbd remote DoS exploit (0day)
Attacking ..
Done, nmbd should be killed now.
sh-2.05b$ nmblookup -A
Looking up status of


This vulnerability is only exploitable if the daemon has been configured
to process domain logons. This vulnerability does not allow arbitrary
code execution. When the nmbd process dies, it no longer returns
information about the server, and the host is no longer accessible by
referencing its name.


iDEFENSE has confirmed Samba 3.0.2 is vulnerable. Analysis of the
source suggests that version 3.0.4 is also vulnerable. Samba 2.x does
not include the affected code and, therefore, is not affected by this
vulnerability. The line 'domain logons = yes' must also occur in
smb.conf for this issue to be exploitable. Note that removal of this
line from the configuration file, although it will prevent exploitation,
may also affect the Samba server's functionality.

The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6
are vulnerable.


iDEFENSE is currently unaware of any effective workarounds for this
issue. Removal of the line "domain logons = yes" from the smb.conf file
for the server will prevent exploitation but may also affect the Samba
server's functionality.


The patch file for Samba 3.0.5 addressing [the] bug
(samba-3.0.5-DoS.patch) can be downloaded from:


The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0808 to these issues. This is a candidate for inclusion
in the CVE list (, which standardizes names for
security problems.


09/02/2004    Initial vendor notification
09/02/2004    iDEFENSE clients notified
09/02/2004    Vendor response
09/13/2004    Coordinated public disclosure


The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research


Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.