Lucene search

K
certCERTVU:438395
HistoryFeb 20, 2008 - 12:00 a.m.

Samba "send_mailslot()" function buffer overflow

2008-02-2000:00:00
www.kb.cert.org
31
samba
send_mailslot()
buffer overflow
remote attacker
arbitrary code
vulnerability
samba version 3.0.28
stack-based
samlogon packet
domain logon
workaround
cve-2007-6015

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

8

Confidence

High

EPSS

0.972

Percentile

99.9%

Overview

The Samba β€œsend_mailslot()” function contains a stack-based buffer overflow vulnerability which could be exploited by a remote, unauthenticated attacker to execute arbitrary code.

Description

Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). A stack-based buffer overflow exists in the send_mailslot() function due to the function’s improper processing of SAMLOGON packets. By sending a SAMLOGON domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string, an attacker could then overflow the stack to exploit the vulnerability.

Impact

By sending a specially crafted SAMLOGON domain logon packet, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code.

Solution

This vulnerability is addressed in Samba version 3.0.28. Patches are also available to address this vulnerability in Samba version 3.0.27a. Samba is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.

The vulnerability requires that the β€œdomain logons” be enabled. Therefore, an effective workaround to this vulnerability would be to disable the β€œdomain logons” option.

Vendor Information

438395

Filter by status: All Affected Not Affected Unknown

Filter by content: __Additional information available

__Sort by: Status Alphabetical

Expand all

Javascript is disabled. Clickhere to view vendors.

Samba __ Affected

Updated: February 14, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability is addressed in Samba version 3.0.28. Patches are also available to address this vulnerability in Samba version 3.0.27a.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Alin Rad Pop of Secunia Research.

This document was written by Joseph Pruszynski.

Other Information

CVE IDs: CVE-2007-6015
Severity Metric: 13.61 Date Public:

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

8

Confidence

High

EPSS

0.972

Percentile

99.9%