Samba SPOOLSS RPC Interface RFNPCNEX Request Remote Overflow

2007-05-14T05:33:52
ID OSVDB:34732
Type osvdb
Reporter OSVDB
Modified 2007-05-14T05:33:52

Description

Vulnerability Description

A remote overflow exists in Samba. The application fails to properly verify user-supplied input when parsing RPC requests to the SPOOLSS RPC interface, resulting in a heap-based overflow. With a specially crafted request to RFNPCNEX, an attacker can cause heap space to be overwritten and possibly trigger the execution of arbitrary code, resulting in a loss of integrity or availability.

Solution Description

Upgrade to version 3.0.25 or higher, as it has been reported to fix this vulnerability. In addition, Samba has released a patch for some older versions.


References:

Vendor Specific News/Changelog Entry: https://issues.rpath.com/browse/RPL-1366
Vendor Specific News/Changelog Entry: http://www.samba.org/samba/security/CVE-2007-2446.html
Vendor Specific Advisory URL
Secunia Advisory ID: 25251
Secunia Advisory ID: 25256
Secunia Advisory ID: 25246
Secunia Advisory ID: 26235
Secunia Advisory ID: 25232
Secunia Advisory ID: 25270
Secunia Advisory ID: 25259
Secunia Advisory ID: 25772
Secunia Advisory ID: 25675
Secunia Advisory ID: 25391
Secunia Advisory ID: 26909
Secunia Advisory ID: 27706
Secunia Advisory ID: 25241
Secunia Advisory ID: 25257
Secunia Advisory ID: 25255
Secunia Advisory ID: 25289
Secunia Advisory ID: 25567
Related OSVDB ID: 34699
Related OSVDB ID: 34731
Related OSVDB ID: 34700
Related OSVDB ID: 34698
Related OSVDB ID: 34733
RedHat RHSA: RHSA-2007:0354
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070502-01-P.asc
Other Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00047.html
Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906
Other Advisory URL: http://www.ubuntu.com/usn/usn-460-1
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200711-23.xml
Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
Other Advisory URL: http://lists.rpath.com/pipermail/security-announce/2007-May/000187.html
Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:104
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-15.xml
Other Advisory URL: http://www.trustix.org/errata/2007/0017/
Other Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0059.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0248.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0200.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0260.html
Keyword: HPSBTU02218,SSRT071424
FrSIRT Advisory: ADV-2007-1805
CVE-2007-2446
CERT VU: 773720
Bugtraq ID: 23973