samba: Integer overflow could lead to remote code execution in Samba

Bug #11243 reported by Debian Bug Importer

Affects          Status         Importance   Assigned to   Milestone
samba (Debian)   Fix Released   Unknown
samba (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #286023 http://bugs.debian.org/286023

CVE References: CAN-2004-1154

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #286023 http://bugs.debian.org/286023

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Date: Fri, 17 Dec 2004 01:08:02 +0100
From: Ulf Theobald <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: samba: Integer overflow could lead to remote code execution in Samba

Package: samba
Severity: critical
Tags: security
Justification: root security hole

===========
Description
===========

Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could
allow an attacker to cause controllable heap corruption,
leading to execution of arbitrary commands with root
privileges.

Successful remote exploitation allows an attacker to
gain root privileges on a vulnerable system. In order
to exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba server.
Unsuccessful exploitation attempts will cause the process
serving the request to crash with signal 11, and may leave
evidence of an attack in logs.

==================
Patch Availability
==================

A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch)
can be downloaded from

    http://www.samba.org/samba/ftp/patches/security/

    The patch has been signed with the "Samba Distribution
    Verification Key" (ID F17F9772).

Revision history for this message
Steve Langasek (vorlon) wrote : Bug#286023: fixed in samba 3.0.10-1

Source: samba
Source-Version: 3.0.10-1

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:

libpam-smbpass_3.0.10-1_i386.deb
  to pool/main/s/samba/libpam-smbpass_3.0.10-1_i386.deb
libsmbclient-dev_3.0.10-1_i386.deb
  to pool/main/s/samba/libsmbclient-dev_3.0.10-1_i386.deb
libsmbclient_3.0.10-1_i386.deb
  to pool/main/s/samba/libsmbclient_3.0.10-1_i386.deb
python2.3-samba_3.0.10-1_i386.deb
  to pool/main/s/samba/python2.3-samba_3.0.10-1_i386.deb
samba-common_3.0.10-1_i386.deb
  to pool/main/s/samba/samba-common_3.0.10-1_i386.deb
samba-dbg_3.0.10-1_i386.deb
  to pool/main/s/samba/samba-dbg_3.0.10-1_i386.deb
samba-doc_3.0.10-1_all.deb
  to pool/main/s/samba/samba-doc_3.0.10-1_all.deb
samba_3.0.10-1.diff.gz
  to pool/main/s/samba/samba_3.0.10-1.diff.gz
samba_3.0.10-1.dsc
  to pool/main/s/samba/samba_3.0.10-1.dsc
samba_3.0.10-1_i386.deb
  to pool/main/s/samba/samba_3.0.10-1_i386.deb
samba_3.0.10.orig.tar.gz
  to pool/main/s/samba/samba_3.0.10.orig.tar.gz
smbclient_3.0.10-1_i386.deb
  to pool/main/s/samba/smbclient_3.0.10-1_i386.deb
smbfs_3.0.10-1_i386.deb
  to pool/main/s/samba/smbfs_3.0.10-1_i386.deb
swat_3.0.10-1_i386.deb
  to pool/main/s/samba/swat_3.0.10-1_i386.deb
winbind_3.0.10-1_i386.deb
  to pool/main/s/samba/winbind_3.0.10-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <email address hidden> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 17 Dec 2004 11:56:01 -0800
Source: samba
Binary: samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba samba-common libsmbclient-dev samba-dbg python2.3-samba smbfs
Architecture: source i386 all
Version: 3.0.10-1
Distribution: unstable
Urgency: high
Maintainer: Eloy A. Paris <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
 libpam-smbpass - pluggable authentication module for SMB password database
 libsmbclient - shared library that allows applications to talk to SMB servers
 libsmbclient-dev - libsmbclient static libraries and headers
 python2.3-samba - Python bindings that allow access to various aspects of Samba
 samba - a LanManager-like file and printer server for Unix
 samba-common - Samba common files used by both the server and the client
 samba-dbg - Samba debugging symbols
 samba-doc - Samba documentation
 smbclient - a LanManager-like simple client for Unix
 smbfs - mount and umount commands for the smbfs (for kernels >= than 2.2.
 swat - Samba Web Administration Tool
 winbind - service to resolve user and group information from Windows NT ser
Closes: 283819 286023
Changes:
 samba (3.0.10-1) unstable; urgency...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Date: Fri, 17 Dec 2004 19:02:12 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Bug#286023: fixed in samba 3.0.10-1

Revision history for this message
jbond00747 (jeff-cowart) wrote : Problem Still present in woody

reopen 286023
tags 286023 +woody
thanks

While it appears this problem has been fixed in sid (and will soon be
fixed in Sarge), the problem is still present in woody. The bulletin
from upstream says that 2.2.x is vulnerable also. While they don't
provide a patch, hopefully a patch can be found for this issue as woody
has 2.2.3 (which therefore is vulnerable).

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Date: Sat, 18 Dec 2004 07:38:50 -0800
From: Jefferson Cowart <email address hidden>
To: <email address hidden>
Subject: Problem Still present in woody

Revision history for this message
Moritz Muehlenhoff (jmm-inutil) wrote : CAN-2004-1154 proposed fix for woody

Hi,
the upstream patch against 3.0.9 wraps all memory allocations, strdup()s,
etc. into macros with boundary checks. Backporting this to 2.2.3 seems
way too intrusive and error-prone, so may I suggest the following fix:

According to the iDefense advisory it exploits an integer overflow in the
allocation of memory in source/rpc_parse/parse_sec.c:218:
If psa->num_aces is larger than 38347922, the value of 38347922+1 multiplied
with the value of ace[0] (112) is larger than an unsigned integer and
it wraps around.

So, as there is no way in regular Samba operation that a user requests
more than 38 million ACL entries the simplest and least intrusive way to
prevent this seems to be a simple sanity check that caps psa->num_aces:

if (psa->num_aces > 38347922)
 psa->num_aces = 38347922;

Does this seem like an acceptable solution? I haven't evaluated all possible
call flow that leads to the vulnerable code, though.

Cheers,
        Moritz

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Date: Sun, 19 Dec 2004 13:29:40 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2004-1154 proposed fix for woody

Attachment: samba-can-2004-1154-proposed-fix.patch

diff -Naur samba-2.2.3a.orig/source/rpc_parse/parse_sec.c samba-2.2.3a/source/rpc_parse/parse_sec.c
--- samba-2.2.3a.orig/source/rpc_parse/parse_sec.c 2002-02-03 01:46:50.000000000 +0100
+++ samba-2.2.3a/source/rpc_parse/parse_sec.c 2004-12-19 13:23:03.000000000 +0100
@@ -210,6 +210,10 @@
   return False;

  if (UNMARSHALLING(ps)) {
+ /* Prevent an integer overflow (CAN-2004-1154) */
+ if (psa->ace > 38347922)
+ psa->ace = 38347922;
+
   /*
    * Even if the num_aces is zero, allocate memory as there's a difference
    * between a non-present DACL (allow all access) and a DACL with no ACE's
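Review bot: the added check tests `psa->ace`, while the message body and its inline snippet cap `psa->num_aces`; as written the hunk compares the wrong field and should read `if (psa->num_aces > 38347922) psa->num_aces = 38347922;`. Two further points on the same lines: the boundary in the message is computed as (38347922+1)*112, so if the allocation multiplies num_aces+1 by the ACE size, a cap of exactly 38347922 still leaves num_aces+1 = 38347923 and the product wraps; the limit needs to be at least one lower and is better derived from sizeof(psa->ace[0]) than hard-coded. Also, silently clamping changes the meaning of the request the client sent; since the surrounding code already uses `return False;` on error, rejecting an out-of-range count is the safer response.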


Revision history for this message
Andrew Bartlett (abartlet) wrote : Re: Bug#286023: CAN-2004-1154 proposed fix for woody

On Sun, 2004-12-19 at 23:29, Moritz Muehlenhoff wrote:
> Hi,
> the upstream patch against 3.0.9 wraps all memory allocations, strdup()s,
> etc. into macros with boundary checks. Backporting this to 2.2.3 seems
> way too intrusive and error-prone, so may I suggest the following fix:
>
> According to the iDefense advisory it exploits an integer overflow in the
> allocation of memory in source/rpc_parse/parse_sec.c:218:
> If psa->num_aces is larger than 38347922, the value of 38347922+1 multiplied
> with the value of ace[0] (112) is larger than an unsigned integer and
> it wraps around.
>
> So, as there is no way in regular Samba operation that a user requests
> more than 38 million ACL entries the simplest and least intrusive way to
> prevent this seems to be a simple sanity check that caps psa->num_aces:
>
> if (psa->num_aces > 38347922)
> psa->num_aces = 38347922;
>
> Does this seem like an acceptable solution? I haven't evaluated all possible
> call flow that leads to the vulnerable code, though.

I would suggest not. If you were to limit the number of ACL entries, I
would set it much lower, but there are just so many places this can
happen, and I'm sure there will be other bugs out there. I think SUSE
had (or was going to produce) a patch for their enterprise customers (in
a similar boat), so poke about in their SRPM when it's out (I've not
kept track).

Andrew Bartlett

--
Andrew Bartlett <email address hidden>
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College <email address hidden>
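The following example is added here and is neither Samba's code nor the patch from this thread. It models, on a 32-bit build (uint32_t standing in for size_t), the size computation Moritz describes (112 bytes per ACE, taken from his message; the `(num_aces + 1)` multiplier is an assumption based on his "38347922+1", since the allocation line itself is not on the page), shows why a cap at exactly 38347922 is still one too high under that model, and pairs it with the kind of bounds-checked allocation Andrew Bartlett points toward: a low application-level limit plus an arithmetic check that rejects the request rather than clamping it. ACE_SIZE, PROPOSED_CAP, SANE_MAX_ACES and all function names are illustrative.

```c
/*
 * Added example (not Samba code and not the patch from this thread).
 * Models the size computation behind CAN-2004-1154 on a 32-bit build and
 * a bounds-checked replacement.
 *
 * Labelled assumptions:
 *  - ACE_SIZE = 112 is the per-ACE size quoted in the thread ("ace[0] (112)").
 *  - The byte count is modelled as ACE_SIZE * (num_aces + 1), following the
 *    "38347922+1" in Moritz's analysis; the real allocation line is not on
 *    the page.
 *  - uint32_t stands in for size_t on the i386 build the packages target.
 *  - SANE_MAX_ACES and all function names are illustrative.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ACE_SIZE      112u        /* bytes per ACE, from the thread */
#define PROPOSED_CAP  38347922u   /* cap proposed for woody in the thread */
#define SANE_MAX_ACES 1024u       /* illustrative application-level limit */

/* Unchecked computation: the unsigned 32-bit multiply wraps modulo 2^32,
 * so a huge num_aces yields a tiny allocation (the heap-corruption setup). */
uint32_t unchecked_alloc_size(uint32_t num_aces)
{
    return ACE_SIZE * (num_aces + 1u);
}

/* Checked computation: reports failure instead of returning a wrapped size.
 * The division test needs no compiler builtins and works at any width. */
bool checked_alloc_size(uint32_t num_aces, uint32_t *out)
{
    if (num_aces == UINT32_MAX)              /* num_aces + 1 itself would wrap */
        return false;
    uint32_t count = num_aces + 1u;
    if (count > UINT32_MAX / ACE_SIZE)       /* count * ACE_SIZE would wrap */
        return false;
    *out = count * ACE_SIZE;
    return true;
}

/* True if a cap at 'cap' still lets the computation wrap under this model. */
bool cap_still_wraps(uint32_t cap)
{
    uint32_t size;
    return !checked_alloc_size(cap, &size);
}

/* Allocation in the spirit of the upstream fix (checked wrappers rather
 * than a hard-coded clamp): enforce a low application limit first, then
 * the arithmetic check, then allocate. Returns NULL on any failure so the
 * caller can reject the request, as the parser does with "return False",
 * instead of silently changing the count the client sent. */
void *alloc_ace_array(uint32_t num_aces, uint32_t max_aces)
{
    uint32_t size;
    if (num_aces > max_aces)
        return NULL;
    if (!checked_alloc_size(num_aces, &size))
        return NULL;
    return calloc(1, size);
}

int main(void)
{
    uint32_t size;
    printf("unchecked, num_aces=%u: %u bytes\n", PROPOSED_CAP,
           unchecked_alloc_size(PROPOSED_CAP));
    printf("unchecked, num_aces=%u: %u bytes\n", PROPOSED_CAP - 1u,
           unchecked_alloc_size(PROPOSED_CAP - 1u));
    printf("checked, num_aces=%u: %s\n", PROPOSED_CAP,
           checked_alloc_size(PROPOSED_CAP, &size) ? "ok" : "rejected");
    void *aces = alloc_ace_array(3u, SANE_MAX_ACES);
    printf("alloc 3 ACEs under limit %u: %s\n", SANE_MAX_ACES,
           aces ? "ok" : "rejected");
    free(aces);
    return 0;
}
```

With the proposed cap of 38347922 the unchecked computation produces 80 bytes (the product wraps), whereas 38347921 is the largest count that fits; the checked version rejects the capped value outright, and alloc_ace_array never reaches the arithmetic for any count above the application limit.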

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Date: Mon, 27 Dec 2004 23:16:13 +1100
From: Andrew Bartlett <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286023: CAN-2004-1154 proposed fix for woody

Revision history for this message
Martin Pitt (pitti) wrote :

Already fixed in Warty (USN-41-1) and Hoary.

Revision history for this message
Steve Langasek (vorlon) wrote : Re: Integer overflow could lead to remote code execution in Samba

CAN-2004-1154 was fixed by the security team in the upload of 2.2.3a-14.2 to
security.debian.org, and the subsequent 2.2.3a-15 version available from
proposed-updates should definitively fix the problem and be included in the
next woody point release.

Thanks,
--
Steve Langasek
postmodern programmer

Changed in samba:
status: Unknown → Fix Released