[UNIX] Samba Services Remote Denial Of Service Vulnerabilities

Subject: [UNIX] Samba Services Remote Denial Of Service Vulnerabilities
Date: 14 Sep 2004 13:47:02 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Samba Services Remote Denial Of Service Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Samba (http://www.samba.org/samba) is an Open Source/Free Software suite 
that provides seamless file and print services to SMB/CIFS clients.

A remote attacker is able to crash the Samba nmbd service thereby creating 
a denial of service condition. The attack is possible due to an input 
validation error. In addition, the Samba smbd service is vulnerable to a 
resource exhaustion attack resulting in denial of service.

DETAILS

Vulnerable Systems:
 * Samba nmbd and smbd services version 3.0.6 and prior

Immune Systems:
 * Samba version 2.x

CVE Information:
 * CAN-2004-0807: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
 * CAN-2004-0808: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808

Samba nmbd service DoS
nmbd is a server, typically listening on UDP port 138, that understands and 
can reply to NetBIOS over IP name service requests and participates in the 
browsing protocols that make up the Windows "Network Neighborhood" view. 
Due to an input validation error, a malformed UDP packet can cause the 
nmbd server to crash while attempting to access memory outside of the 
application's memory image.

The vulnerability exists in the process_logon_packet() function when it 
handles a SAM_UAS_CHANGE request. Part of this packet is a count of the 
number of structures that follow. No check is made against the length of 
the packet to determine whether it can actually hold as many structures as 
it claims. If a large count is supplied but only a small number of 
structures are present, nmbd will read memory beyond the end of the packet 
it was given. This may cause the nmbd process to crash.
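The check the advisory says is missing, as an added illustration (not the advisory's or Samba's code): the advertised record count is compared with the bytes actually received before any record is touched. The packet layout here is a constructed stand-in, not the real SAM_UAS_CHANGE format, which the advisory does not spell out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in layout: a little-endian 16-bit record count followed
 * by fixed 8-byte records. NOT the real SAM_UAS_CHANGE format; only the
 * length-versus-count check pattern is the point. */
#define RECORD_SIZE 8
#define HEADER_SIZE 2

/* Returns the number of records walked, or -1 if the packet is too short
 * or claims more records than it actually carries. */
int parse_counted_records(const uint8_t *pkt, size_t len)
{
    if (len < HEADER_SIZE)
        return -1;
    uint16_t claimed = (uint16_t)(pkt[0] | (pkt[1] << 8));
    size_t payload = len - HEADER_SIZE;
    /* The check nmbd lacked: the count must fit in what was received.
     * Dividing rather than multiplying keeps the comparison overflow-free. */
    if ((size_t)claimed > payload / RECORD_SIZE)
        return -1;
    for (uint16_t i = 0; i < claimed; i++) {
        const uint8_t *rec = pkt + HEADER_SIZE + (size_t)i * RECORD_SIZE;
        (void)rec; /* a real parser would decode the record here */
    }
    return claimed;
}

/* Builds a constructed packet that claims `claimed` records but carries
 * only `actual` (at most 4), then parses it. */
int parse_constructed(uint16_t claimed, size_t actual)
{
    uint8_t buf[HEADER_SIZE + 4 * RECORD_SIZE];
    if (actual > 4)
        actual = 4;
    memset(buf, 0xAA, sizeof buf);        /* dummy record bytes */
    buf[0] = (uint8_t)(claimed & 0xFF);
    buf[1] = (uint8_t)(claimed >> 8);
    return parse_counted_records(buf, HEADER_SIZE + actual * RECORD_SIZE);
}

int main(void)
{
    printf("claims 1000, carries 2 -> %d\n", parse_constructed(1000, 2)); /* -1 */
    printf("claims 2, carries 2    -> %d\n", parse_constructed(2, 2));    /* 2 */
    return 0;
}
```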

The following is a trace of exploitation, showing the server no longer 
responding to an nmblookup. The nmblookup tool is used to query NetBIOS 
names and map them to IP addresses:

sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
        FEDORA1         <00> -         B <ACTIVE>
        FEDORA1         <03> -         B <ACTIVE>
        FEDORA1         <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MYGROUP         <00> - <GROUP> B <ACTIVE>
        MYGROUP         <1b> -         B <ACTIVE>
        MYGROUP         <1c> -         B <ACTIVE>
        MYGROUP         <1e> - <GROUP> B <ACTIVE>
 
sh-2.05b$ ./n 10.1.0.240 138 fedora1
 
Samba 3.x nmbd remote DoS exploit (0day)
 
Attacking 10.1.0.240:138 ..
Done, nmbd should be killed now.
sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
 
sh-2.05b$

This vulnerability is only exploitable if the daemon has been configured 
to process domain logons. This vulnerability does not allow arbitrary code 
execution. When the nmbd process dies, it no longer returns information 
about the server, and the host is no longer accessible by referencing its 
name.

Additionally, the following line must be present in the smb.conf file 
which controls the configuration for Samba:
'domain logons = yes'

Samba smbd service DoS
An unauthenticated remote user can exhaust the server's resources by 
sending multiple malformed requests to an affected server. Each request 
spawns a new process, which enters an infinite loop. This attack takes 
very little bandwidth to make the machine stop responding. Each request 
from the exploit tested was only 358 bytes, and a RedHat Fedora Core 1 
machine with 512 megabytes of RAM and 512 megabytes of swap took fewer 
than 4000 requests to render it unusable.

Patch Availability:
Although removing the 'domain logons = yes' line will solve the problem in 
nmbd, it will also affect the operation of Samba. For smbd, the only 
workaround is either to configure Samba with the "hosts allow" option, 
limiting access to trusted machines, or to use firewall rules.

However, a patch file for Samba 3.0.5 addressing the bugs 
(samba-3.0.5-DoS.patch) can be downloaded from 
http://download.samba.org/samba/ftp/patches/security/

Disclosure Timeline
09/02/2004 Initial vendor notification
09/02/2004 iDEFENSE clients notified
09/02/2004 Vendor response
09/13/2004 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Labs 
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=138&type=vulnerabilities
