Samba Bugzilla – Attachment 7421 for Bug 8815: PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
Attachment 7421: draft of the advisory
Filename: samba-CVE-201201182.txt (text/plain), 2.75 KB
Creator: Karolin Seeger
Created: 2012-04-02 18:06:35 UTC
===========================================================
== Subject:     "root" credential remote code execution.
==
== CVE ID#:     CVE-2012-1182
==
== Versions:    Samba 3.0.x - 3.6.3 (inclusive)
==
== Summary:     Samba 3.0.x to 3.6.3 are affected by a
==              vulnerability that allows remote code
==              execution as the "root" user.
==
===========================================================

===========
Description
===========

Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.

The code generator for Samba's remote procedure call (RPC) code
contained an error which caused it to generate code containing a
security flaw. This generated code is used in the parts of Samba that
control marshalling and unmarshalling of RPC calls over the network.

The flaw caused checks on the variable containing the length of an
allocated array to be done independently from the checks on the
variable used to allocate the memory for that array. As both these
variables are controlled by the connecting client, it makes it possible
for a specially crafted RPC call to cause the server to execute
arbitrary code.

As this does not require an authenticated connection, it is the most
serious vulnerability possible in a program, and users and vendors are
encouraged to patch their Samba installations immediately.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at:

    http://samba.org/samba/patches/

Samba administrators running affected versions are advised to upgrade
to 3.6.4, 3.5.14, or 3.4.16 or apply these patches as soon as
possible.

Due to the seriousness of this vulnerability, patches have been
released for all Samba versions currently out of support and
maintenance from 3.0.37 onwards.

==========
Workaround
==========

Samba contains a "hosts allow" parameter that can be used inside
smb.conf to restrict the clients allowed to connect to the server to a
trusted list. This can be used to help mitigate the problem caused by
this bug, but it is by no means a real fix, as client addresses can be
easily faked.

=======
Credits
=======

This vulnerability and proof of concept code was provided by Brian
Gorenc as well as an anonymous researcher working with HP's Zero Day
Initiative program. The Samba Team would like to thank them for
reporting the problem and their cooperation in this matter.

Patches were provided by Stefan Metzmacher of the Samba team, based on
initial work by Volker Lendecke.
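The Description section above names the bug class without showing it: two client-controlled values describe the same array, one is used to size the allocation, the other drives the writes, and the consistency check between them runs only after the writes have happened. The C program below is an added illustration of that class and of the corrected ordering; it is not Samba's or PIDL's generated NDR code. The wire layout (a count word, an on-wire array size word, then elements), the function names pull_vulnerable/pull_fixed, the two constructed messages and the sentinel-filled slab that overflow_words() uses to observe the overwrite without crashing are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Constructed wire layout (a stand-in for a conformant array inside a
 * struct, not real NDR), all little-endian u32, all attacker-controlled:
 *   count       the struct field that describes the array
 *   array_size  the on-wire size header used for the allocation
 *   elems[]     array elements follow
 */
#define GUARD_WORD 0xA5A5A5A5u   /* sentinel for the harness slab */

static int pull_u32(const uint8_t **p, const uint8_t *end, uint32_t *v)
{
    if ((size_t)(end - *p) < 4)
        return -1;                              /* short buffer */
    *v = (uint32_t)(*p)[0] | ((uint32_t)(*p)[1] << 8)
       | ((uint32_t)(*p)[2] << 16) | ((uint32_t)(*p)[3] << 24);
    *p += 4;
    return 0;
}

/*
 * Vulnerable ordering: storage is sized from array_size, the element
 * loop is driven by count, and array_size == count is only verified
 * after the loop. The array lives in the first array_size words of
 * `slab`; the harness pads the slab with GUARD_WORD so the overwrite
 * lands in memory we own and can inspect.
 */
static int pull_vulnerable(const uint8_t *buf, size_t len,
                           uint32_t *slab, uint32_t slab_words)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count, array_size, i, v;

    if (pull_u32(&p, end, &count) || pull_u32(&p, end, &array_size))
        return -1;
    if (array_size > slab_words)                /* "allocation" of array_size words */
        return -1;
    for (i = 0; i < count; i++) {               /* writes driven by count: the bug */
        if (pull_u32(&p, end, &v))
            return -1;
        slab[i] = v;                            /* past the array once count > array_size */
    }
    if (array_size != count)                    /* deferred check, too late */
        return -1;
    return 0;
}

/* Fixed ordering: validate both words against each other and against the
 * bytes actually present before allocating or writing anything. */
static int pull_fixed(const uint8_t *buf, size_t len,
                      uint32_t **out, uint32_t *out_count)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count, array_size, i, *arr;

    if (pull_u32(&p, end, &count) || pull_u32(&p, end, &array_size))
        return -1;
    if (array_size != count)                    /* the two descriptions must agree */
        return -1;
    if (array_size > (size_t)(end - p) / 4)     /* more elements claimed than sent */
        return -1;
    arr = calloc(array_size ? array_size : 1, sizeof *arr);
    if (arr == NULL)
        return -1;
    for (i = 0; i < array_size; i++) {
        if (pull_u32(&p, end, &arr[i])) {
            free(arr);
            return -1;
        }
    }
    *out = arr;
    *out_count = array_size;
    return 0;
}

/* Constructed attacker message: count=6 but array_size=2, six elements sent. */
static const uint8_t crafted[] = {
    6,0,0,0, 2,0,0,0,
    1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0, 5,0,0,0, 6,0,0,0 };
/* Constructed benign message: count == array_size == 2. */
static const uint8_t benign[] = { 2,0,0,0, 2,0,0,0, 7,0,0,0, 8,0,0,0 };

/* Runs pull_vulnerable on a sentinel-padded slab and returns how many words
 * beyond the array were clobbered (>0 means the overflow happened). The slab
 * is array_size + len/4 + 1 words, which bounds every index the loop can reach
 * because each element is read from the wire first. */
static long overflow_words(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count, array_size, slab_words, i, *slab;
    long clobbered = 0;

    if (pull_u32(&p, end, &count) || pull_u32(&p, end, &array_size))
        return -1;
    slab_words = array_size + (uint32_t)(len / 4) + 1;
    slab = malloc((size_t)slab_words * sizeof *slab);
    if (slab == NULL)
        return -1;
    for (i = 0; i < slab_words; i++)
        slab[i] = GUARD_WORD;
    (void)pull_vulnerable(buf, len, slab, slab_words);
    for (i = array_size; i < slab_words; i++)
        if (slab[i] != GUARD_WORD)
            clobbered++;
    free(slab);
    return clobbered;
}

/* Returns 0 if the fixed parser accepts the message, -1 if it rejects it. */
static int fixed_accepts(const uint8_t *buf, size_t len)
{
    uint32_t *arr = NULL, n = 0;
    int rc = pull_fixed(buf, len, &arr, &n);
    free(arr);
    return rc;
}

int main(void)
{
    printf("vulnerable, crafted: %ld words overwritten\n",
           overflow_words(crafted, sizeof crafted));
    printf("vulnerable, benign:  %ld words overwritten\n",
           overflow_words(benign, sizeof benign));
    printf("fixed, crafted: %s\n",
           fixed_accepts(crafted, sizeof crafted) ? "rejected" : "accepted");
    printf("fixed, benign:  %s\n",
           fixed_accepts(benign, sizeof benign) ? "rejected" : "accepted");
    return 0;
}
```

The point of the fixed version is the order of operations rather than any single comparison: both client-supplied descriptions of the array are compared with each other, and with the number of bytes actually on the wire, before the allocation size is chosen and before the first element is stored. The vulnerable version performs the same equality check, but after the loop has already written count elements into an array sized for array_size, which is exactly the "checked independently" situation the advisory describes.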