SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   Samba
Vendors:   Samba.org
Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010753
SecurityTracker URL:  http://securitytracker.com/id/1010753
CVE Reference:   CAN-2004-0600, CAN-2004-0686
Date:  Jul 22 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.2.10 and also 3.0.0 - 3.0.4
Description:   Two buffer overflow vulnerabilities were reported in Samba, affecting the Samba Web Administration Tool and systems using the 'hash' mangling method. A remote user may be able to execute arbitrary code on the target system.

Evgeny Demidov reported that there is a buffer overflow in the Samba Web Administration Tool (SWAT) in versions 3.0.2 - 3.0.4. A remote user can supply a specially crafted HTTP Basic Authentication header containing an invalid Base64 character to trigger the overflow and execute arbitrary code on the target system [CVE: CAN-2004-0600].

The vendor reported that the affected code is also used to decode LDAP sambaMungedDial attribute values on systems that use the ldapsam passdb backend. Although the vendor believes that this is not exploitable, LDAP users are encouraged to verify that the DIT only allows write access to sambaSamAccount attributes by a sufficiently authorized user.

The vendor was reportedly notified on July 14, 2004.

The vendor discovered a separate buffer overflow in the code that processes the 'mangling method = hash' option from the 'smb.conf' file [CVE: CAN-2004-0686]. Samba versions 3.0.0 and later are affected. The default setting of 'mangling method = hash2' is not vulnerable.

Impact:   A remote user may be able to execute arbitrary code on the target system.
Solution:   The vendor has released fixed versions (2.2.10 and 3.0.5), available at:

http://www.samba.org/

As a workaround, the vendor indicates that you can disable the SWAT tools and use the 'mangling method = hash2' option in 'smb.conf'.

Vendor URL:  www.samba.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
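
The version ranges and workarounds above can be turned into a host check. The following is an added example, not code from SecurityTracker or the Samba project; the function names and the sample smb.conf are constructed for illustration, and whether SWAT is enabled is passed in as a flag because the advisory does not say how SWAT is started.

```python
import re

def parse_version(text):
    """'3.0.2a' -> (3, 0, 2); only the numeric part is compared."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(x) for x in m.groups())

def mangling_method(smb_conf):
    """Effective [global] 'mangling method'; the advisory gives hash2 as the default."""
    value, section = "hash2", None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if re.sub(r"\s+", "", key).lower() == "manglingmethod":
                value = val.strip().lower()
    return value

def assess(version, smb_conf, swat_enabled):
    """Return [(identifier, action)] for the exposures the advisory describes."""
    v = parse_version(version)
    findings = []
    if v < (2, 2, 10):
        findings.append(("affected-version", "upgrade to 2.2.10"))
    elif (3, 0, 0) <= v <= (3, 0, 4):
        if v >= (3, 0, 2) and swat_enabled:
            findings.append(("CAN-2004-0600", "upgrade to 3.0.5 or disable SWAT"))
        if mangling_method(smb_conf) == "hash":
            findings.append(("CAN-2004-0686",
                             "upgrade to 3.0.5 or set 'mangling method = hash2'"))
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
; mangling method = hash2
[global]
   workgroup = EXAMPLE
   Mangling  Method = hash
[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for ident, action in assess("3.0.4", SAMPLE_CONF, swat_enabled=True):
        print(f"{ident}: {action}")
```

A 3.0.0 - 3.0.4 host that returns no findings is still running the unfixed code, so the check indicates which workaround applies until the upgrade rather than replacing it.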

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 22 2004 (Red Hat Issues Fix for RH Enterprise Linux) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Jul 23 2004 (SuSE Issues Fix) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
SuSE has released a fix.
Jul 23 2004 (Mandrake Issues Fix) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Mandrake has issued a fix.
Jul 26 2004 (Slackware Issues Fix) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Slackware has released a fix.
Jul 26 2004 (Red Hat Issues Fix for RHEL) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Jul 27 2004 (HP Issues Workaround for HP-UX CIFS Server) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
HP has issued workaround guidance for HP-UX CIFS Server.
Jul 31 2004 (Conectiva Issues Fix) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Sep 4 2004 (Fedora Issues Fix for FC1) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for Fedora Core 1.
Oct 15 2004 (Fedora Issues Fix for RH Linux) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for Red Hat Linux 7.3 and 9.
Jan 10 2005 (Sun Issues Fix) Samba Buffer Overflows in Web Administration Tool and in 'hash' Mangling Method May Let Remote Users Execute Arbitrary Code
Sun has issued a fix.



 Source Message Contents

Date:  Thu, 22 Jul 2004 19:05:55 +0400
Subject:  [Full-Disclosure] Samba 3.x swat preauthentication buffer overflow


Name:          Samba 3.x swat preauthentication buffer overflow
Date:          22 July 2004
CVE candidate: CAN-2004-0600
Author:        Evgeny Demidov

Description:

There exists a remote preauthentication buffer overflow in Samba 3.x swat administration service.
All versions of Samba 3.0.2-3.0.4 are vulnerable to our knowledge.

Fix:

Samba 3.0.5 which fixes this problem is available:
http://www.samba.org/samba/whatsnew/samba-3.0.5.html

History:

28 April 2004 - vulnerability has been discovered during Samba source code audit by Evgeny Demidov
29 April 2004 - vulnerability details have been made available to VulnDisco clients
14 July  2004 - vulnerability has been reported to Samba Team
22 July  2004 - public release of the advisory

Copyright 2017, SecurityGlobal.net LLC