Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010753
SecurityTracker URL: http://securitytracker.com/id/1010753
Date: Jul 22 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 2.2.10 and also 3.0.0 - 3.0.4
Two buffer overflow vulnerabilities were reported in Samba, affecting the Samba Web Administration Tool and systems using the 'hash' mangling method. A remote user may be able to execute arbitrary code on the target system.
Evgeny Demidov reported that there is a buffer overflow in the Samba Web Administration Tool (SWAT) in versions 3.0.2 - 3.0.4. A remote user can supply a specially crafted HTTP Basic Authentication header containing an invalid Base64 character to trigger the overflow and execute arbitrary code on the target system [CVE: CAN-2004-0600].
The vendor reported that the affected code is also used to decode LDAP sambaMungedDial attribute values on systems that use the ldapsam passdb backend. Although the vendor believes that this is not exploitable, LDAP users are encouraged to verify that the DIT only allows write access to sambaSamAccount attributes by a sufficiently authorized user.
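The defect described above lives in a Base64 decoder that is reached from two places: the HTTP Basic Authentication header handled by SWAT and the LDAP sambaMungedDial attribute. The following is an added example in C, written for this page and not Samba's code or the vendor's fix, of how such a decoder and the Basic-auth parser around it should be written: every character is checked against the Base64 alphabet before it is used, and every write is checked against the caller-supplied buffer length. The function names, buffer sizes and the sample headers are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one character to its 6-bit value, or -1 if it is outside the alphabet.
 * Anything that is not a Base64 character is rejected rather than indexed. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode Base64 text into out[0..out_len). Returns the decoded length, or -1
 * on an invalid character, bad padding, or when the output would not fit. */
int safe_b64_decode(const char *in, unsigned char *out, size_t out_len)
{
    size_t n = strlen(in), pad = 0, i, o = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (n % 4 != 0) return -1;               /* Base64 always comes in quads */
    while (pad < 2 && n > 0 && in[n - 1] == '=') { n--; pad++; }

    for (i = 0; i < n; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;                /* '=' mid-string lands here too */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= out_len) return -1;     /* buffer full: stop, never overrun */
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)o;
}

/* Parse "Basic <base64>" into user and password with explicit bounds.
 * Returns 0 on success, -1 on any malformed input. */
int parse_basic_auth(const char *header, char *user, size_t user_len,
                     char *pass, size_t pass_len)
{
    unsigned char buf[256];                  /* fixed size, but every write is checked */
    const char *colon;
    size_t ulen, plen;
    int len;

    if (strncmp(header, "Basic ", 6) != 0) return -1;
    len = safe_b64_decode(header + 6, buf, sizeof(buf) - 1);
    if (len < 0) return -1;
    buf[len] = '\0';
    if (memchr(buf, '\0', (size_t)len) != NULL) return -1;   /* embedded NUL */
    colon = strchr((const char *)buf, ':');
    if (colon == NULL) return -1;
    ulen = (size_t)(colon - (const char *)buf);
    plen = (size_t)len - ulen - 1;
    if (ulen >= user_len || plen >= pass_len) return -1;
    memcpy(user, buf, ulen);      user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 0;
}

/* Decode into a scratch buffer and report only the length (used by the checks). */
int decode_len(const char *b64)
{
    unsigned char tmp[64];
    return safe_b64_decode(b64, tmp, sizeof tmp);
}

/* Constructed header "admin:password"; returns 1 when it parses as expected. */
int demo_valid(void)
{
    char user[64], pass[64];
    if (parse_basic_auth("Basic YWRtaW46cGFzc3dvcmQ=", user, sizeof user,
                         pass, sizeof pass) != 0)
        return 0;
    return strcmp(user, "admin") == 0 && strcmp(pass, "password") == 0;
}

/* Constructed header with a character outside the Base64 alphabet. */
int demo_invalid_char(void)
{
    char user[64], pass[64];
    return parse_basic_auth("Basic YWRt!W46", user, sizeof user, pass, sizeof pass);
}

/* Constructed header whose 400 Base64 characters decode to 300 bytes,
 * more than the 255-byte scratch buffer: the decoder must refuse, not overrun. */
int demo_oversized(void)
{
    char header[6 + 400 + 1], user[64], pass[64];
    memcpy(header, "Basic ", 6);
    memset(header + 6, 'A', 400);
    header[406] = '\0';
    return parse_basic_auth(header, user, sizeof user, pass, sizeof pass);
}

int main(void)
{
    printf("valid header: %s\n", demo_valid() ? "admin/password parsed" : "rejected");
    printf("invalid char: %d\n", demo_invalid_char());
    printf("oversized:    %d\n", demo_oversized());
    return 0;
}
```

The two properties that matter for the class of bug described are separate: the alphabet check turns an unexpected byte into an error return instead of an out-of-range table index, and the length check on the output buffer means a longer-than-expected header is refused before any write past the end. Because the same decoder serves both the HTTP path and the LDAP attribute path, hardening it once covers both.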
The vendor was reportedly notified on July 14, 2004.
The vendor discovered a separate buffer overflow in the code that processes the 'mangling method = hash' option from the 'smb.conf' file [CVE: CAN-2004-0686]. Samba versions 3.0.0 and later are affected. The default setting of 'mangling method = hash2' is not vulnerable.
A remote user may be able to execute arbitrary code on the target system.
The vendor has released fixed versions (2.2.10 and 3.0.5), available at:
As a workaround, the vendor indicates that you can disable the SWAT tools and can use the 'mangling method = hash2' option in 'smb.conf'.
Vendor URL: www.samba.org/
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Date: Thu, 22 Jul 2004 19:05:55 +0400
Subject: [Full-Disclosure] Samba 3.x swat preauthentication buffer overflow
Name: Samba 3.x swat preauthentication buffer
Date: 22 July 2004
CVE candidate: CAN-2004-0600
Author: Evgeny Demidov
There exists a remote preauthentication buffer overflow in
Samba 3.x swat administration service.
All versions of Samba 3.0.2-3.0.4 are vulnerable to our
Samba 3.0.5 which fixes this problem is available:
28 April 2004 - vulnerability has been discovered during
Samba source code audit by Evgeny Demidov
29 April 2004 - vulnerability details have been made
available to VulnDisco clients
14 July 2004 - vulnerability has been reported to Samba
22 July 2004 - public release of the advisory