Bugzilla – Bug 343702
VUL-0: CVE-2007-6015: samba: Samba "send_mailslot()" Buffer Overflow Vulnerability
Last modified: 2017-04-20 14:45:06 UTC
Hi. There is a security bug in 'samba'. This information is from 'vendor-sec'. This bug is NOT PUBLIC.

The coordinated release date (CRD) is: 2007-12-05 10am CET

More information can be found here: https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

CVE number: CVE-2007-6015
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6015

Original posting:

----- Forwarded message from Secunia Research <vuln@secunia.com> -----

From: Secunia Research <vuln@secunia.com>
To: security@samba.org, vendor-sec@lst.de
Cc: vuln@secunia.com
Subject: [vendor-sec] Samba "send_mailslot()" Buffer Overflow Vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 22 Nov 2007 15:48:31 +0100

Hello,

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may also be affected.

Vulnerability Details:
----------------------
The buffer overflow is triggered by the call to "set_message()" in nmbd/nmbd_packets.c at line 1895. The "set_message()" function will call a "memset()" to zero on "dgram->data" + 35 with a length bigger than the available 576-35 bytes for an overly long total length for the SAMLOGON GETDC, username, workgroup, and local hostname.

The vulnerability would at first glance be only triggerable in certain unusual configurations with an overly long local workgroup or hostname due to the limitations in size of the NetBIOS Datagram packet (576 bytes).

However, if an empty (two zero bytes) Unicode username is placed at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()" function called at line 365 in nmbd/nmbd_processlogon.c will convert the whole GETDC string following the username into ascuser, allowing the buffer overflow to take place in standard configurations.

Exploitation:
-------------
Secunia Research has created a PoC for the vulnerability, which is available upon request. The vulnerability can also be reproduced by sending a SAMLOGON request with an empty username placed at an odd offset and an overly long GETDC string (around 250 bytes).

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27760 and CVE identifier CVE-2007-6015.

A preliminary disclosure date of 2007-12-05 10am CET has been set, where the details will be publicly disclosed. However, we are naturally prepared to push the disclosure date if you need more time to address the vulnerability.

Please acknowledge receiving this e-mail and let us know when you expect to fix the vulnerability.

Credits should go to: Alin Rad Pop, Secunia Research.

Also, if you have any questions, then please don't hesitate to contact me.

--
Alin Rad Pop
Security Specialist
Secunia
Hammerensgade 4, 2. floor
DK-1267 Copenhagen K
Denmark
Phone +45 7020 5144
Fax +45 7020 5145

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

----- End forwarded message -----

--
Bye,
Thomas
--
Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Most people spend more time and energy talking around problems than tackling them... -- Henry Ford I.
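The advisory above describes two things a defender wants to see side by side: a UCS-2 string extraction that runs past a misplaced terminator, and a length check that is missing before the memset in set_message(). The C below is an added illustration written for this page; it is not Samba's code and not the fix that was checked in. It models the reply as the four NUL-terminated strings the advisory names, sent as UCS-2 (2 bytes per character), behind a 35-byte header in a 576-byte datagram, both figures taken from the advisory; the function names (pull_ucs2_bounded, samlogon_reply_len, set_message_checked, misaligned_username_reply_len, aligned_username_len, set_message_demo), the DGRAM_* constants, the "WORKGROUP"/"SERVER" values and the packet bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures taken from the advisory: a NetBIOS datagram is 576 bytes and the
 * mailslot payload starts 35 bytes into dgram->data. */
#define DGRAM_MAX     576u
#define DGRAM_HDR     35u
#define DGRAM_PAYLOAD (DGRAM_MAX - DGRAM_HDR)   /* 541 bytes usable */

/* Bounded UCS-2LE -> ASCII extraction (hypothetical helper; not Samba's
 * pull_ucs2_pstring). Reads 16-bit units starting at buf[off], stops at the
 * first 0x0000 unit or at the end of the packet, and writes at most outsz-1
 * characters. A missing terminator therefore costs at most the rest of the
 * packet, never a read past `len`. Returns the number of characters produced. */
static size_t pull_ucs2_bounded(const uint8_t *buf, size_t len, size_t off,
                                char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    while (off + 1 < len && n + 1 < outsz) {
        uint16_t u = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        if (u == 0) break;
        out[n++] = (u < 0x80) ? (char)u : '?';   /* non-ASCII units become '?' */
        off += 2;
    }
    out[n] = '\0';
    return n;
}

/* Bytes the reply would occupy in a simplified model: each of the four strings
 * the advisory names (GETDC, username, workgroup, local hostname) as UCS-2 with
 * a 2-byte terminator. Assumption for illustration; the real reply has more fields. */
static size_t samlogon_reply_len(const char *getdc, const char *user,
                                 const char *workgroup, const char *host)
{
    return 2 * (strlen(getdc) + 1) + 2 * (strlen(user) + 1) +
           2 * (strlen(workgroup) + 1) + 2 * (strlen(host) + 1);
}

/* Hardened stand-in for an unchecked set_message(): refuse a payload length that
 * does not fit behind the header instead of memset()ing past the buffer.
 * Returns 0 on success, -1 if the length was rejected. */
static int set_message_checked(uint8_t *dgram, size_t dgram_size, size_t payload_len)
{
    if (dgram_size < DGRAM_HDR || payload_len > dgram_size - DGRAM_HDR)
        return -1;
    memset(dgram + DGRAM_HDR, 0, payload_len);
    return 0;
}

/* Try to reserve `payload_len` bytes in a full-size datagram buffer. */
static int set_message_demo(size_t payload_len)
{
    uint8_t dgram[DGRAM_MAX];
    return set_message_checked(dgram, sizeof dgram, payload_len);
}

/* The advisory's scenario on a constructed request: an empty UCS-2 username
 * (00 00) at an odd offset, followed by a 250-byte GETDC string. A reader that
 * starts on the even boundary one byte earlier sees the units [xx 00] and
 * [00 yy], neither of which is zero, so it runs on through the GETDC bytes until
 * the packet ends. Returns the reply length the server would then try to build. */
static size_t misaligned_username_reply_len(size_t *ascuser_len_out)
{
    uint8_t pkt[1 + 2 + 250];   /* constructed input, not a captured packet */
    char ascuser[512];
    char getdc[251];
    pkt[0] = 'A';               /* one preceding byte puts the username at odd offset 1 */
    pkt[1] = 0x00; pkt[2] = 0x00;
    memset(pkt + 3, 'G', 250);  /* overly long GETDC string, as in the advisory */
    memset(getdc, 'G', 250); getdc[250] = '\0';

    /* Decoder starts at offset 0, the even boundary before the username. */
    size_t n = pull_ucs2_bounded(pkt, sizeof pkt, 0, ascuser, sizeof ascuser);
    if (ascuser_len_out) *ascuser_len_out = n;
    return samlogon_reply_len(getdc, ascuser, "WORKGROUP", "SERVER");
}

/* Same decode on a well-formed request where the empty username sits on an even
 * offset: the reader sees the 0x0000 unit immediately and returns 0 characters. */
static size_t aligned_username_len(void)
{
    static const uint8_t pkt[] = { 0x00, 0x00, 'G', 'G', 'G', 'G' };  /* constructed */
    char ascuser[16];
    return pull_ucs2_bounded(pkt, sizeof pkt, 0, ascuser, sizeof ascuser);
}

int main(void)
{
    size_t n = 0;
    size_t need = misaligned_username_reply_len(&n);
    printf("misaligned request: ascuser=%zu chars, reply needs %zu bytes, capacity %u -> %s\n",
           n, need, DGRAM_PAYLOAD, set_message_demo(need) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the misaligned request the decoder swallows 126 units of the GETDC string into ascuser and the modelled reply grows to 790 bytes, well past the 541 bytes available, so set_message_checked refuses it; a well-formed request with a short GETDC string fits in 76 bytes and is accepted. The two defensive properties shown are independent: bounding the decode to the packet stops the over-read, and checking the total length before the memset stops the write past the datagram buffer.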
Created attachment 184479 [details] poc.c proof-of-concept testcase
Jim: would you please take care of this bug.
Fix checked in. I'm not sure what the announce date is yet. Affects 2.2.8a and 3.0.* versions, so SLES8, 9, 10 and 10.*
MaintenanceTracker-14963
Does this affect all packages as listed below or just a subset? samba,samba-client,samba-pdb,samba-python,samba-winbind,samba-vscan,cifs-mount,ldapsmb,libsmbclient,libsmbclient-devel,libmsrpc,libmsrpc-devel
(In reply to comment #6 from Thomas Biege)
> Does this affect all packages as listed below or just a subset?
>
> samba,samba-client,samba-pdb,samba-python,samba-winbind,samba-vscan,cifs-mount,ldapsmb,libsmbclient,libsmbclient-devel,libmsrpc,libmsrpc-devel
>

trust on autobuild magic...
Let me know if it still does not work.
packages released
approved sles9-beta packages
CVE-2007-6015: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)