Samba Security: SAMBA:CVE-2009-1886
Jun 23, 2009 - 12:00 a.m.

Format string vulnerability in smbclient

2009-06-23 00:00:00
Samba Security
www.samba.org

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.017 Low
Percentile: 87.8%

Description

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
format string vulnerability: commands dealing with
file names pass user input to asprintf as the format string.

An example is:

smb: > put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

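As is obvious, “aa%3Fbb” is interpreted as a format string: the
“%3F” in the name is replaced by a formatted floating-point value
instead of being copied literally.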
With a maliciously crafted file name smbclient can be made
to execute code triggered by the server.

The attack from our point of view is rather unlikely because
the malicious filename has to be entered by the user. If smbclient
is used within scripts, an attack becomes possible.
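
The defect class described above and its fix, as an added C example that is not Samba's code: the file name is only ever passed as an argument to a constant format, and a small audit helper counts the conversions a name would have triggered. The names fmt_alloc, remote_target, count_conversions and cur_dir are hypothetical, and fmt_alloc is a portable stand-in for asprintf.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for asprintf(): allocate exactly what fmt expands to. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    char *out = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);          /* first pass: length only */
    va_end(ap);
    if (n >= 0 && (out = malloc((size_t)n + 1)) != NULL)
        vsnprintf(out, (size_t)n + 1, fmt, ap2);  /* second pass: write */
    va_end(ap2);
    return out;
}

/* Vulnerable shape (comment only, never compiled):
 *     target = fmt_alloc(user_name);
 * The name is the format, so "%3F" consumes a double that was never passed.
 */

/* Hardened shape: constant format, the name is data and copied verbatim. */
char *remote_target(const char *cur_dir, const char *user_name)
{
    return fmt_alloc("%s%s", cur_dir, user_name);
}

/* Audit helper: number of '%' conversions a printf-style formatter would
 * act on if this name were used as a format ("%%" is a literal percent). */
size_t count_conversions(const char *name)
{
    size_t n = 0;
    for (; *name; name++) {
        if (*name != '%') continue;
        if (name[1] == '%') { name++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char *t = remote_target("\\", "aa%3Fbb");     /* constructed sample name */
    printf("%s (%zu conversion(s) in name)\n", t ? t : "(alloc failed)",
           count_conversions("aa%3Fbb"));
    free(t);
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang flag the vulnerable shape when the called function is a printf-style one.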

Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.2.13 has been issued as a security
release to correct the defect. Samba administrators are
advised to upgrade to 3.2.13 or apply the patch as soon
as possible.

Workaround

No workaround is available at this time.

Credits

This issue was found and reported to the Samba Team by
Reinhard Nißl as
https://bugzilla.samba.org/show_bug.cgi?id=6478

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
