Samba Remote Code Execution Buffer Overflow Vulnerabilities

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: May 29, 2007
Notification Version: 1.1
   
Name: Samba Remote Code Execution Buffer Overflow Vulnerabilities
Public disclosure/
In the wild date:		 May 13, 2007 (vuln disclosure)
CVE: CVE-2007-2444 and CVE-2007-2446
Description:

Samba is vulnerable to multiple heap-based buffer overflows that could allow remote code execution on the target system.

 

ISS Coverage
Product Content Version
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Server (Linux)		 27.020
Proventia Server (Windows)
Proventia Desktop		 x.x.x.2030
RealSecure Desktop 7.0 EQI
BlackICE PC Protection 3.6 CQI
Propagation Techniques ISS Protection Available
remote exploit MSRPC_LSA_AddPriv_Samba_Bo
MSRPC_SPOOLSS_NotifyOp_Samba_Bo
MSRPC_SRVSVC_SetFileSec_Samba_Bo
MSRPC_LSA_LookupSids_Samba_Bo		 May 30, 2007

Detailed Description
Business Impact: This exploit allows an attacker to obtain complete control over the target system.
CVSS: Base Score: 7
  Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal 
Adjusted Temporal Score: 5.2
  Exploitability: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed 
Affected Products: For a full list of affected versions, see XFDB references below.
Technical Description: Samba is vulnerable to several critical vulnerabilities.  The most critical of these issues are heap-based buffer overflows, caused by improper bounds checking by the following functions:
  • lsa_io_privilege_set (LSA RPC interface)
  • mb_io_notify_option_type_data (SPOOLSS RPC interface)
  • lsa_io_trans_names (LSA RPC interface)

By sending a specially-crafted RPC request to one of the affected interfaces, a remote attacker could overflow a buffer and execute arbitrary code on the system.

A fourth issue (34315, CVE-2007-2444) is a local privledge escalation that could allow a local attacker to gain elevated privileges on the system, caused by a logic error in the smbd internal stack.

Remediation:

Apply the patch for this vulnerability or upgrade to the latest version of Samba (3.0.25 or later), available from the Samba Web site. See References.

References
XFDB http://xforce.iss.net/xforce/xfdb/34309
http://xforce.iss.net/xforce/xfdb/34312
http://xforce.iss.net/xforce/xfdb/34315
http://xforce.iss.net/xforce/xfdb/34316
Samba http://www.samba.org/samba/history/security.html

Revision History
1.0 Initial publication.
1.1 Revised description and added CVE.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.