Samba nmbd Invalid Length Denial of Service Vulnerability iDEFENSE Security Advisory 09.13.04a www.idefense.com/application/poi/display?id=138&type=vulnerabilities September 13, 2004 I. BACKGROUND Samba is a software suite that provides file and print services to SMB/CIFS clients, such as Microsoft Windows platforms. For more information see: http://www.samba.org/ II. DESCRIPTION Remote exploitation of an input validation error in Samba allows an attacker to crash the Samba nmbd server. The nmbd is a server, typically listening on UDP port 138, understands and can reply to NetBIOS over IP name service requests, and participates in the browsing protocols that comprise the Windows "Network Neighborhood" view. Due to an input validation error, a malformed UDP packet can cause the nmbd server to crash while attempting to access memory outside of what is available. The vulnerability specifically exists in the process_logon_packet() function when it handles a SAM_UAS_CHANGE request. Part of this packet contains a count of the number of structures that follow. No check is made against the length of the packet to determine whether it is possible to have as many structures in it as it claims. If a large value is supplied, but a small number of structures are supplied, nmbd will reference memory outside of the packet it has been supplied. This may cause the nmbd process to crash. The following is a trace of exploitation, showing the server no longer responding to an nmblookup. The nmblookup tool is used to query NetBIOS names and map them to IP addresses. sh-2.05b$ nmblookup -A 10.1.0.240 Looking up status of 10.1.0.240 FEDORA1 <00> - B FEDORA1 <03> - B FEDORA1 <20> - B ..__MSBROWSE__. <01> - B MYGROUP <00> - B MYGROUP <1b> - B MYGROUP <1c> - B MYGROUP <1e> - B sh-2.05b$ ./n 10.1.0.240 138 fedora1 Samba 3.x nmbd remote DoS exploit (0day) Attacking 10.1.0.240:138 .. Done, nmbd should be killed now. sh-2.05b$ nmblookup -A 10.1.0.240 Looking up status of 10.1.0.240 sh-2.05b$ III. ANALYSIS This vulnerability is only exploitable if the daemon has been configured to process domain logons. This vulnerability does not allow arbitrary code execution. When the nmbd process dies, it no longer returns information about the server, and the host is no longer accessible by referencing its name. IV. DETECTION iDEFENSE has confirmed Samba 3.0.2 is vulnerable. Analysis of the source suggests that version 3.0.4 is also vulnerable. Samba 2.x does not include the affected code and, therefore, is not affected by this vulnerability. The line 'domain logons = yes' must also occur in smb.conf for this issue to be exploitable. Note that removal of this line from the configuration file, although it will prevent exploitation, may also affect the Samba server's functionality. The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6 are vulnerable. V. WORKAROUND iDEFENSE is currently unaware of any effective workarounds for this issue. Removal of the line "domain logons = yes" from the smb.conf file for the server will prevent exploitation but may also affect the Samba server's functionality. VI. VENDOR RESPONSE The patch file for Samba 3.0.5 addressing [the] bug (samba-3.0.5-DoS.patch) can be downloaded from: http://download.samba.org/samba/ftp/patches/security/ VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-0808 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 09/02/2004 Initial vendor notification 09/02/2004 iDEFENSE clients notified 09/02/2004 Vendor response 09/13/2004 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html