[SECURITY-L] [cais em cais.rnp.br: CAIS-Alerta: Nova vulnerabilidade no SAMBA]

Silvana Mieko Misuta mieko em ccuec.unicamp.br
Sex Abr 11 09:10:27 -03 2003 

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Nova vulnerabilidade no SAMBA
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 10 Apr 2003 17:30:09 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta´ repassando o alerta divulgado pela empresa Digital Defense,
reportanto uma vulnerabilidade de "buffer overflow" no servidor Samba. Tal
vulnerabilidade poderia ser explorada remotamente por um atacante,
permitindo acesso privilegiado ao sistema.

O CAIS possui informacoes sobre a existencia de codigo malicioso que
explora essa vulnerabilidade, inclusive atraves da acao de um possivel
"worm".

Ressalta-se que esta vulnerabilidade e´ diferente da reportada pelo CAIS
no dia 16/03/2003, acessivel atraves da seguinte URL:

	. http://www.rnp.br/cais/alertas/2003/cais-alr-16032003.html

O Samba e' um servidor open source para diversos tipos de Unix, que prove
servicos de acesso a arquivos e impressoras, compativel com o "Microsoft
File and Printing Services".


Sistemas afetados:

As seguintes versoes do software foram confirmadas como vulneraveis:

	. Versoes anteriores a Samba 2.2.8a,
	. Versoes anteriores e incluindo a Samba 2.0.10,
	. Versoes anteriores a Samba-TNG 0.3.2

Ressalta-se que as versoes Samba 3.0 Alpha e versoes CVS do Samba-TNG *nao
estao vulneraveis*.


Correcoes disponiveis:

Recomenda-se fortemente fazer a atualização para a versão 2.2.8a, que pode
ser obtida através da seguinte URL:

	. http://www.samba.org/samba/download.html

Ou a partir de qualquer um dos seguintes sites de download listados em:

	. http://www.samba.org/samba

Ressalta-se que esta atualizacao corrige apenas a vulnerabilidade descrita
neste alerta. Um patch para as versoes 2.2.7a, 2.0.10 e anteriores que
corrige as vulnerabilidades mais recentes pode ser encontrada no seguinte
diretorio:

	. http://us2.samba.org/samba/ftp/patches/security/

As atualizacoes para o Samba-TNG podem ser encontradas na seguinte URL:

	. http://www.samba-tng.org/


Maiores informacoes:

	. http://www.digitaldefense.net/labs/advisories.html
	. http://us2.samba.org/samba/samba.html
	. http://www.ciac.org/ciac/bulletins/n-073.shtml


Regra do Snort

A seguinte regra pode ser usada para identificar tentativas de ataque à
essa vulnerabilidade:

alert tcp $ANY any -> $ANY 139 ( sid: 1000009; rev: 1; msg:
"netric/eSDee samba Exploit"; flow: to_server,established; content: "|00
D0 07 0C 00 D0 07 0C 00|"; content: "|90 90 90|"; content: "|D0 07 43 00
0C 00 14 08 01|"; depth: 120; classtype: attempted-admin;)


Identificador do CVE: CAN-2003-0201 (http://cve.mitre.org)


O CAIS recomenda aos administradores que atualizem seus sistemas com
urgencia.


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################


|------------------------------------------------------------------------------|
 Digital Defense Inc. Security Advisory DDI-1013        labs em digitaldefense.net
 http://www.digitaldefense.net/
|------------------------------------------------------------------------------|

Synopsis          : Buffer Overflow in Samba allows remote root compromise
Package           : Samba, Samba-TNG
Type              : Remote Root Compromise
Issue date        : 04-07-2003
Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10,  < Samba-TNG 0.3.2
Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
CVE Id            : CAN-2003-0201

|------------------------------------------------------------------------------|


o Product description:
   Samba is an Open Source/Free Software suite that provides seamless file and
   print services to SMB/CIFS clients. Samba-TNG was originally a fork off of
   the Samba source tree, and aims at being a substitute for a Windows NT domain
   controller.


o Problem description:
   An anonymous user can gain remote root access due to a buffer overflow caused
   by a StrnCpy() into a char array (fname) using a non-constant length
   (namelen).

   StrnCpy(fname,pname,namelen);    /* Line 252 of smbd/trans2.c */

   In the call_trans2open function in trans2.c, the Samba StrnCpy function
   copies pname into fname using namelen. The variable namelen is assigned the
   value of strlen(pname)+1, which causes the overflow.

   The variable 'fname' is a _typedef_ pstring, which is a char with a size of
   1024. If pname is greater than 1024, you can overwrite almost anything you
   want past the 1024th byte that fits inside of sizeof(pname), or the value
   returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should
   be around 2000 bytes.

   The Common Vulnerabilities and Exposures (CVE) project has assigned the name
   CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE
   list (http://cve.mitre.org), which standardizes names for security problems.


o Testing Environment:
   Tested against source compiles and binary packages of Samba from version
   2.2.5 to 2.2.8 on the following x86 platforms:

   Redhat Linux 7.1, 7.3, 8.0
   Gentoo Linux 1.4-rc3
   SuSe Linux 7.3
   FreeBSD 4.6, 4.8, 5.0
   Solaris 9


o Solutions and Workarounds:
   Upgrading to the latest version of Samba or Samba-TNG is the recommended
   solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version
   0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of
   Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is
   providing.

   A workaround in the current source code for this specific vulnerability
   would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the
   Samba 2.2.8 source code:

   -StrnCpy(fname,pname,namelen);
   +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));

   As a result of this vulnerability being identified at least three others
   have also been found by the Samba team after reviewing similar usages in the
   source tree. One is a static overflow and the other two are heap overflows.
   Applying the fix above will only protect against the specific problem
   identified in this advisory. To fully protect yourself, you must apply the
   patches from Samba, or upgrade to 2.2.8a.

   Samba is available for download from: http://www.samba.org/
   Samba-TNG is available for download from: http://www.samba-tng.org/


o Exploit:
   An exploit named trans2root.pl has been posted on the Digital Defense, Inc.
   website. A quick udp based based scanner named nmbping.pl has also been
   posted to assist you in identifying Samba servers on your network. Both are
   available for download from the following URL:

   http://www.digitaldefense.net/labs/securitytools.html

   This exploit works against all distributions listed in the testing
   environment section. Usage is as follows:

   trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>

   This exploit should work against all x86 Linux, Solaris, and  FreeBSD hosts
   running the 2.2.x branch of Samba. Hosts with a non-executable stack are not
   vulnerable to this particular exploit. The exploit will cause the target host
   to connect back to the host running the exploit and spawn a root shell on the
   defined port (default is 1981).

   The scanner is very easy to use, and should detect and identify Samba and
   Windows SMB services. Usage is as follows:

   nmbping.pl <network/cidr>


o Forced Release:
   This vulnerability is being actively exploited in the wild. Digital Defense,
   Inc. discovered this bug by analyzing a packet capture of an attack against a
   host running Samba 2.2.8. The attack captured was performed on April 1st,
   2003. Samba users are urged to check their Samba servers for signs of
   compromise. Samba and Digital Defense, Inc. decided to release their
   advisories before all vendors had a chance to update their packages due to
   this vulnerability being actively exploited.


o Revision History:
   04-07-2003     Initial public release

   Latest revision available at:
   http://www.digitaldefense.net/labs/advisories.html


o Vendor Contact Information:
   04-03-2003     security em samba.org notified
   04-03-2003     elrond em samba-tng.org notified.
   04-03-2003     Samba Team responds via telephone, acknowledges vulnerability
   04-03-2003     Elrond of Samba-TNG responds and acknowledges vulnerability
   04-04-2003     Samba Team notifies vendorsec mailing list
   04-07-2003     Initial public release

o Thanks to:
   Elrond of Samba-TNG, The Samba Security Team, and everyone on the
   Digital Defense Inc., SECOPS team.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPpXUWOkli63F4U8VAQHqyAP/SJCk7FnGE0JgtWZweZDDCEviVGauu0SH
FzuQJd4NVxH4cGmYfHhsZQUADxZMhLEslNSQCUTwXNXAiAh/YdS4v1zrfrMnJkR8
TMRd3jlT744JKsU4Svv6hpvnJwmxe+ZROREu5uRdsreU5Q4K0+LJaLjJICgnpb9n
+sC62GHifDQ=
=gaa7
-----END PGP SIGNATURE-----


----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L