Samba lsa_io_trans_names buffer overflow

2007-12-24T00:00:00
ID SAINT:4F039253BDBE772BA75F4E7C8B562B29
Type saint
Reporter SAINT Corporation
Modified 2007-12-24T00:00:00

Description

Added: 12/24/2007
CVE: CVE-2007-2446
BID: 24195
OSVDB: 34699

Background

Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems.

Problem

A vulnerability in the LSA RPC interface allows a remote attacker to execute arbitrary commands by sending a specially crafted **LsarLookupSids/LsarLookupSids2** request, which causes a buffer overflow in the **lsa_io_trans_names** function.

Resolution

Upgrade to Samba 3.0.25 or higher, apply the patch for Samba 3.0.24, or apply the patch for Solaris.

References

<http://www.zerodayinitiative.com/advisories/ZDI-07-033.html>
<http://us1.samba.org/samba/security/CVE-2007-2446.html>

Limitations

Exploit works on Samba 3.0.24 on Sun SPARC Solaris 9 and Samba 3.0.22 on SuSE Linux Enterprise Server 10.

Since the exploit uses a brute force method, extra time may be required before the exploit succeeds.

The Crypt::DES, Digest::MD4, and Digest::MD5 packages are required for this exploit. These packages are available from <http://cpan.org/modules/by-module/>.

Platforms

SunOS / Solaris
Linux