Samba smb_io_notify_option_type_data buffer overflow (MSRPC_Spoolss_FindFirstPrinterNotify_Exec)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix):

This signature detects a SPOOLSS request containing a malformed array in which the described options array is smaller than the options sent.


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2700, RealSecure Server Sensor: XPU 31.110, Proventia Network IDS: XPU 31.110, Proventia-G 1.1 and earlier: XPU 31.110, Proventia Network MFS: XPU 31.110, IBM Security Host Protection for Desktops: 2700, Proventia Network IPS: XPU 31.110, Proventia Server IPS for Linux technology: 31.110, Virtual Server Protection for Vmware: XPU 31.110, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

OpenPKG OpenPKG: CURRENT, Gentoo Linux, SuSE Linux Enterprise Server: 8, Novell UnitedLinux: 1.0, Turbolinux Turbolinux: 8 Server, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, HP HP-UX: B.11.11, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, Turbolinux Turbolinux: 10 Desktop, Sun Solaris: 9 x86, Samba Samba: 3.0.1, Samba Samba: 3.0.2, RedHat Enterprise Linux: 3 Desktop, HP HP-UX: B.11.23, SuSE SuSE SLES: 9, Turbolinux Turbolinux: 10 Server, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Apple Mac OS X: 10.3.9, Apple Mac OS X Server: 10.3.9, Novell Open Enterprise: Server, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, RedHat Linux Advanced Workstation: 2.1 Itanium, Xerox WorkCentre Pro: 232, Xerox WorkCentre Pro: 238, Xerox WorkCentre Pro: 245, Xerox WorkCentre Pro: 255, Xerox WorkCentre Pro: 265, Xerox WorkCentre Pro: 275, Xerox WorkCentre 232, Xerox WorkCentre 238, Xerox WorkCentre 245, Xerox WorkCentre 255, Xerox WorkCentre 265, Xerox WorkCentre 275, Canonical Ubuntu: 6.06 LTS, SuSE SuSE SLES: 10, MandrakeSoft Mandrake Linux: 2007, MandrakeSoft Mandrake Linux: 2007 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Canonical Ubuntu: 6.10, SuSE SuSE Linux Retail Solution: 8, SuSE SuSE SLED: 10, VMware ESX Server: 3.0.0, Novell Linux POS: 9, Turbolinux Turbolinux: FUJI, Turbolinux Turbolinux: Personal, Turbolinux Turbolinux: Home, Turbolinux Turbolinux: Multimedia, Turbolinux Turbolinux: 10 F..., Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, Turbolinux Turbolinux Appliance Server: 1.0 Hosting Ed, Turbolinux Turbolinux Appliance Server: 1.0 Workgroup Ed, 
OpenPKG OpenPKG Enterprise: E1.0-SOLID, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, MandrakeSoft Mandrake Linux: 2007.1, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, Canonical Ubuntu: 7.04, Samba Samba: 3.0.10, HP HP-UX: B.11.31, RedHat Enterprise Linux: 5 Server, Compaq Tru64: 6.6, Xerox WorkCentre: 7655, Xerox WorkCentre: 7665, Apple Mac OS X: 10.4.10, Apple Mac OS X Server: 10.4.10, RedHat Enterprise Linux: 5 Client, MandrakeSoft Mandrake Linux: 2007.1 X86_64, RedHat Enterprise Linux: 4.5.z AS, RedHat Enterprise Linux: 4.5.z ES, VMware ESX Server: 2.5.4, Samba Samba: 3.0.2a, Samba Samba: 3.0.0, Samba Samba: 3.0.11, Samba Samba: 3.0.12, Samba Samba: 3.0.14, Samba Samba: 3.0.14a, Samba Samba: 3.0.15, Samba Samba: 3.0.16, Samba Samba: 3.0.17, Samba Samba: 3.0.18, Samba Samba: 3.0.19, Samba Samba: 3.0.20, Samba Samba: 3.0.20a, Samba Samba: 3.0.20b, Samba Samba: 3.0.21, Samba Samba: 3.0.22, Samba Samba: 3.0.23, Samba Samba: 3.0.23a, Samba Samba: 3.0.23b, Samba Samba: 3.0.23c, Samba Samba: 3.0.23d, Samba Samba: 3.0.24, Samba Samba: 3.0.21a, Samba Samba: 3.0.21b, Samba Samba: 3.0.21c, Samba Samba: 3.0.13, Novell Open Enterprise Server, Samba Samba: 3.0.25 Pre1, Samba Samba: 3.0.25 Pre2, Samba Samba: 3.0.25 Rc1, Samba Samba: 3.0.25 Rc2, Samba Samba: 3.0.25 Rc3, VMware ESX Server: 2.0.2, VMware ESX Server: 2.1.3, VMware ESX Server: 2.5.3, Novell OpenSUSE: 10.2, Sun Solaris: 9 SPARC

Type

Unauthorized Access Attempt

Vulnerability description

Samba is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the smb_io_notify_option_type_data function. By sending a specially-crafted RPC request to the SPOOLSS RPC interface, a remote attacker could overflow a buffer and execute arbitrary code on the system.
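
The bounds check whose absence is described above, and the count mismatch the signature looks for, shown as an added example (not Samba's source and not the IBM signature). It assumes a simplified, constructed message layout rather than the real SPOOLSS encoding; parse_options, MAX_OPTIONS and the OPT_* codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_OPTIONS 1024u /* assumed sanity cap, not from the advisory */
enum { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_COUNT_MISMATCH = -2,
       OPT_TOO_MANY = -3, OPT_NOMEM = -4 };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed layout: [declared count][sent count][sent * 2-byte fields].
 * The heap buffer is sized from the declared count, so the copy loop must
 * not run to a different, larger count taken from later in the message. */
int parse_options(const uint8_t *buf, size_t len, uint16_t **out, uint32_t *n) {
    *out = NULL; *n = 0;
    if (len < 8) return OPT_TRUNCATED;
    uint32_t declared = rd32(buf), sent = rd32(buf + 4);
    if (sent != declared) return OPT_COUNT_MISMATCH; /* malformed array */
    if (declared > MAX_OPTIONS) return OPT_TOO_MANY;
    if ((len - 8) / 2 < declared) return OPT_TRUNCATED; /* fields missing */
    uint16_t *fields = calloc(declared ? declared : 1, sizeof *fields);
    if (!fields) return OPT_NOMEM;
    for (uint32_t i = 0; i < declared; i++)
        fields[i] = (uint16_t)(buf[8 + 2 * i] | buf[9 + 2 * i] << 8);
    *out = fields; *n = declared;
    return OPT_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {2,0,0,0, 2,0,0,0, 1,0, 2,0};
static const uint8_t SAMPLE_MISMATCH[] = {1,0,0,0, 4,0,0,0, 1,0, 2,0, 3,0, 4,0};

int main(void) {
    uint16_t *f; uint32_t n;
    int a = parse_options(SAMPLE_OK, sizeof SAMPLE_OK, &f, &n);
    free(f);
    int b = parse_options(SAMPLE_MISMATCH, sizeof SAMPLE_MISMATCH, &f, &n);
    return (a == OPT_OK && b == OPT_COUNT_MISMATCH) ? 0 : 1;
}
```

The parser rejects the message before allocating or copying anything, so a mismatched count never reaches the heap buffer.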

How to remove this vulnerability

Apply the patch for this vulnerability or upgrade to the latest version of Samba (3.0.25 or later), available from the Samba Web site. See References.

For VMware ESX 3.0.1:
Apply Patch Bundle ESX-1001213, available from the VMware Web site. See References.

For VMware ESX 3.0.0:
Apply Patch Bundle ESX-1001204, available from the VMware Web site. See References.

For VMware ESX 2.5.4:
Upgrade to the latest version of VMware ESX (patch 10 Build 53326 or later), available from the VMware Web site. See References.

For VMware ESX 2.5.3:
Upgrade to the latest version of VMware ESX (patch 13 Build 52488 or later), available from the VMware Web site. See References.

For VMware ESX 2.1.3:
Upgrade to the latest version of VMware ESX (patch 8 Build 53228 or later), available from the VMware Web site. See References.

For VMware ESX 2.0.2:
Upgrade to the latest version of VMware ESX (patch 8 Build 52650 or later), available from the VMware Web site. See References.

For Mac OS:
Apply Apple Security Update 2007-007, available from the Apple Web site. See References.

For Hewlett-Packard (Samba):
Refer to HPSBTU02218 SSRT071424 for patch, upgrade, or suggested workaround information. See References.

For Hewlett-Packard (Samba):
Refer to HPSBUX02218 SSRT071424 for patch, upgrade, or suggested workaround information. See References.

For Debian GNU/Linux (samba):
Refer to DSA-1291-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux (samba):
Refer to USN-460-1 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (samba):
Refer to MDKSA-2007:104 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2007:0354-4 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (samba):
Refer to GLSA 200705-15 for patch, upgrade, or suggested workaround information. See References.

For Solaris (samba):
Refer to Sun Alert ID: 102964 for patch, upgrade, or suggested workaround information. See References.

For Tru64 UNIX:
Refer to BugTraq Mailing List, Tue Jul 10 2007 - 07:53:45 CDT for patch, upgrade, or suggested workaround information. See References.

For Turbolinux (samba):
Refer to TLSA-2007-35 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

ZDI-07-031
Samba smb_io_notify_option_type_data Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-031.html

BugTraq Mailing List, Sun May 13 2007 - 17:48:56 CDT
[SAMBA-SECURITY] CVE-2007-2446: Multiple Heap Overflows Allow Remote Code Execution
http://archives.neohapsis.com/archives/bugtraq/2007-05/0200.html

Samba Security Web site
Samba - Security Updates and Information
http://www.samba.org/samba/history/security.html

DSA-1291-1
samba -- several vulnerabilities
http://www.us.debian.org/security/2007/dsa-1291

USN-460-1
samba vulnerabilities
http://www.ubuntu.com/usn/usn-460-1

MDKSA-2007:104
Updated samba packages fix multiple vulnerabilities
http://www.mandriva.com/security/advisories?name=MDKSA-2007:104

RHSA-2007:0354
samba security update
https://rhn.redhat.com/errata/RHSA-2007-0354.html

GLSA 200705-15
Samba: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200705-15.xml

Sun Alert ID: 102964
Multiple Security Vulnerabilities in samba(7) May Allow Remote Code Execution, Elevation of Privileges, or Remote Shell Command Execution
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1

HP Security Bulletin HPSBTU02218 SSRT071424
HP Tru64 UNIX Internet Express running Samba, Remote Arbitrary Code Execution or Local Unauthorized Privilege Elevation
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980

HP Security Bulletin HPSBUX02218 SSRT071424
HP-UX running CIFS Server (Samba), Remote Arbitrary Code Execution
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768

BugTraq Mailing List, Tue Jul 10 2007 - 07:53:45 CDT
[security bulletin] HPSBTU02233 SSRT071424 rev.1 - HP Tru64 UNIX Internet Express running Samba, Remote Arbitrary Code Execution or Local Unauthorized Privilege Elevation
http://archives.neohapsis.com/archives/bugtraq/2007-07/0070.html

TLSA-2007-35
samba Two vulnerabilities discovered in samba
http://www.turbolinux.com:80/security/2007/TLSA-2007-35.txt

Apple Security Update 2007-007
About Security Update 2007-007
http://docs.info.apple.com/article.html?artnum=306172

Apple Web site
Apple security updates
http://docs.info.apple.com/article.html?artnum=61798

Full-Disclosure Mailing List, Wed Sep 19 2007 - 21:15:23 CDT
VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0356.html

VMware, Inc. Web site
Download Patch ESX-1001213 for VMware ESX Server 3.0.1
http://www.vmware.com/support/vi3/doc/esx-1001213-patch.html

VMware, Inc. Web site
Download Patch ESX-1001204 for VMware ESX Server 3.0.0
http://www.vmware.com/support/vi3/doc/esx-1001204-patch.html

VMware, Inc. Web site
VMware ESX Server Download Archive
http://www.vmware.com/download/

VMware Security-announce Mailing list, Wed Sep 19 19:15:23 PDT 2007
VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
http://lists.vmware.com/pipermail/security-announce/2007/000001.html

OpenPKG-SA-2007.012
samba
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html

XEROX Web site
XEROX SECURITY BULLETIN XRX08-001
http://www.xerox.com/downloads/usa/en/c/cert_XRX08_001.pdf

ISS X-Force
Samba smb_io_notify_option_type_data buffer overflow
http://www.iss.net/security_center/static/34312.php

CVE
CVE-2007-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446