Samba and Samba-TNG call_trans2open() function buffer overflow

samba-calltrans2open-bo (11726)

High Risk

Description:

Samba is vulnerable to a buffer overflow in the call_trans2open() function. By supplying a string containing more than 1024 bytes to the pname variable, a remote attacker could overflow a buffer and gain root access on the system.

Platforms Affected:

• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• Debian, Debian Linux 2.2
• Debian, Debian Linux 3.0
• FreeBSD, FreeBSD Ports Collection
• HP, CIFS-9000 Server A.01.09
• HP, CIFS-9000 Server A.01.09.01
• HP, CIFS-9000 Server A.01.09.02
• HP, HP-UX 11.00
• HP, HP-UX 11.11
• HP, HP-UX 11.22
• Immunix, Immunix OS 7+-beta
• Immunix, Immunix OS 7.0
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux 9.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Samba, Samba 2.0.0
• Samba, Samba 2.0.1
• Samba, Samba 2.0.10
• Samba, Samba 2.0.2
• Samba, Samba 2.0.3
• Samba, Samba 2.0.4
• Samba, Samba 2.0.5
• Samba, Samba 2.0.6
• Samba, Samba 2.0.7
• Samba, Samba 2.0.8
• Samba, Samba 2.0.9
• Samba, Samba 2.2.0
• Samba, Samba 2.2.0a
• Samba, Samba 2.2.1a
• Samba, Samba 2.2.3a
• Samba, Samba 2.2.4
• Samba, Samba 2.2.5
• Samba, Samba 2.2.6
• Samba, Samba 2.2.7
• Samba, Samba 2.2.7a
• Samba, Samba 2.2.8
• Samba-TNG, Samba-TNG 0.3
• Samba-TNG, Samba-TNG 0.3.1
• SCO, Caldera OpenLinux Server 3.1.1
• SCO, Caldera OpenLinux Workstation 3.1.1
• SCO, Caldera OpenServer 5.0.5
• SCO, Caldera OpenServer 5.0.6
• SCO, Caldera OpenServer 5.0.7
• SGI, IRIX 6.0
• SGI, IRIX 6.0.1
• SGI, IRIX 6.0.1 XFS
• SGI, IRIX 6.1
• SGI, IRIX 6.2
• SGI, IRIX 6.3
• SGI, IRIX 6.4
• SGI, IRIX 6.5
• SGI, IRIX 6.5.1
• SGI, IRIX 6.5.10
• SGI, IRIX 6.5.10f
• SGI, IRIX 6.5.10m
• SGI, IRIX 6.5.11
• SGI, IRIX 6.5.11f
• SGI, IRIX 6.5.11m
• SGI, IRIX 6.5.12
• SGI, IRIX 6.5.12f
• SGI, IRIX 6.5.12m
• SGI, IRIX 6.5.13
• SGI, IRIX 6.5.13f
• SGI, IRIX 6.5.13m
• SGI, IRIX 6.5.14
• SGI, IRIX 6.5.14f
• SGI, IRIX 6.5.14m
• SGI, IRIX 6.5.15
• SGI, IRIX 6.5.15f
• SGI, IRIX 6.5.15m
• SGI, IRIX 6.5.16
• SGI, IRIX 6.5.16f
• SGI, IRIX 6.5.16m
• SGI, IRIX 6.5.17
• SGI, IRIX 6.5.17f
• SGI, IRIX 6.5.17m
• SGI, IRIX 6.5.18
• SGI, IRIX 6.5.18f
• SGI, IRIX 6.5.18m
• SGI, IRIX 6.5.19
• SGI, IRIX 6.5.19f
• SGI, IRIX 6.5.19m
• SGI, IRIX 6.5.2
• SGI, IRIX 6.5.20
• SGI, IRIX 6.5.20f
• SGI, IRIX 6.5.20m
• SGI, IRIX 6.5.2f
• SGI, IRIX 6.5.2m
• SGI, IRIX 6.5.3
• SGI, IRIX 6.5.3f
• SGI, IRIX 6.5.3m
• SGI, IRIX 6.5.4
• SGI, IRIX 6.5.4f
• SGI, IRIX 6.5.4m
• SGI, IRIX 6.5.5
• SGI, IRIX 6.5.5f
• SGI, IRIX 6.5.5m
• SGI, IRIX 6.5.6
• SGI, IRIX 6.5.6f
• SGI, IRIX 6.5.6m
• SGI, IRIX 6.5.7
• SGI, IRIX 6.5.7f
• SGI, IRIX 6.5.7m
• SGI, IRIX 6.5.8
• SGI, IRIX 6.5.8f
• SGI, IRIX 6.5.8m
• SGI, IRIX 6.5.9
• SGI, IRIX 6.5.9f
• SGI, IRIX 6.5.9m
• Slackware, Slackware Linux 8.1
• Slackware, Slackware Linux 9.0
• Sun, Solaris 9
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE eMail Server 3.1
• SuSE, SuSE eMail Server III
• SuSE, SuSE Linux 7.1
• SuSE, SuSE Linux 7.2
• SuSE, SuSE Linux 7.3
• SuSE, SuSE Linux 8.0
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux 8.2
• SuSE, SuSE Linux Connectivity Server
• SuSE, SuSE Linux Database Server
• SuSE, SuSE Linux Enterprise Server 7.0
• SuSE, SuSE Linux Firewall
• SuSE, SuSE Linux Office Server
• Trustix, Secure Linux 1.2
• Trustix, Secure Linux 1.5
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Advanced Server 6
• Turbolinux, Turbolinux Server 6.1
• Turbolinux, Turbolinux Server 6.5
• Turbolinux, Turbolinux Workstation 6.0

Remedy:

For Samba 2.2.5 through 2.2.8:
Upgrade to the latest version of Samba (2.2.8a or later), available from the Samba Web site. See References.

For Samba-TNG prior to 0.3.2:
Upgrade to the latest version of Samba-TNG (0.3.2 or later), when it becomes available from the Samba-TNG Web site. See References.

For Debian GNU/Linux:
Upgrade to the latest samba package, as listed below. Refer to DSA-280-1 for more information. See References.

Debian GNU/Linux 2.2 (potato): 2.0.7-5.1 or later
Debian GNU/Linux 3.0 (woody): 2.2.3a-12.3 or later

For Red Hat Linux:
Upgrade to the latest samba package, as listed below. Refer to RHSA-2003:137-11 for more information. See References.

Red Hat 7.1: 2.0.10-5.7.1 or later
Red Hat 7.2: 2.2.7-3.7.2 or later
Red Hat 7.3: 2.2.7-3.7.3 or later
Red Hat 8.0: 2.2.7-5.8.0 or later
Red Hat 9: 2.2.7a-8.9.0 or later

For Trustix Secure Linux 1.2 and 1.5:
Upgrade to the latest samba package (2.2.8-3tr or later), as listed in Trustix Secure Linux Security Advisory #2003-0019. See References.

For SuSE Linux:
Upgrade to the latest samba package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2003:025 for more information. See References.

SuSE 8.2 (Intel): 2.2.7a-72 or later
SuSE 8.1 (Intel): 2.2.5-178 or later
SuSE 8.0 (Intel): 2.2.3a-172 or later
SuSE 7.3 (Intel): 2.2.1a-220 or later
SuSE 7.2 (Intel): 2.2.0a-52 or later
SuSE 7.1 (Intel): 2.0.10-32 or later
SuSE 7.3 (Sparc): 2.2.1a-76 or later
SuSE 7.1 (AXP Alpha): 2.0.10-23 or later
SuSE 7.3 (PPP Power PC): 2.2.1a-150 or later
SuSE 7.1 (PPP Power PC): 2.0.10-24 or later

For Slackware Linux:
Upgrade to the latest samba package, as listed below. Refer to slackware-security Mailing List, Mon 7 Apr 2003 15:50:22 -0700 (PDT) for more information. See References.

Slackware Linux 8.1 and 9.0: samba-2.2.8a-i386-1 or later

For Conectiva Linux:
Upgrade to the latest samba package, as listed below. Refer to Connectiva Linux Security Announcement CLSA-2003:624 for more information. See References.

Conectiva Linux 6.0: 2.0.9-2U60_4cl or later
Conectiva Linux 7.0: 2.2.8-1U70_2cl or later
Conectiva Linux 8: 2.2.8-1U80_3cl or later

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-03:01. See References.

For HP-UX 11.0 and 11.11:
Download and install the latest smbd file (11.00.r1 or later), as listed in Hewlett-Packard Company Security Bulletin HPSBUX0304-254. See References.

For HP-UX 11.22:
Upgrade to the latest version of HP CIFS/9000 Server (A.01.09.03 or later), when it becomes available from the Hewlett-Packard Company Web site. See References.

For Mandrake Linux:
Upgrade to the latest samba package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:044 : samba for more information. See References.

Mandrake Linux 8.2, 9.0, 9.1, Multi Network Firewall 8.2, and Corporate Server 2.1: 2.2.7a-9.2mdk or later

For SGI IRIX:
Upgrade to the latest version of IRIX (6.5.20 or later), or apply the appropriate patch for your system, as listed in SGI Security Advisory 20030403-01-P. See References.

For Immunix:
Upgrade to the latest version of samba (2.0.10-2_imnx_3 or later), as listed in Immunix Secured OS Security Advisory IMNX-2003-7+-006-01. See References.

For Caldera OpenLinux 3.1.1 (Workstation and Server):
Upgrade to the latest version of samba (2.2.2-7 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2003-017.0. See References.

For Sun Solaris 9:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 53581 for more information. See References.

Solaris 9 (Sparc): 114684-02 or later
Solaris 9 (Intel): 114685-02 or later

For Caldera OpenServer 5.0.5, 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.13.1. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• Caldera International, Inc. Security Advisory CSSA-2003-017.0, OpenLinux: Various serious Samba vulnerabilities at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-017.0.txt.
• CIAC Information Bulletin N-073, Samba 'call_trans2open' Remote Buffer Overflow Vulnerability at http://www.ciac.org/ciac/bulletins/n-073.shtml.
• Connectiva Linux Security Announcement CLSA-2003:624, samba at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000624.
• Digital Defense Inc. Security Advisory DDI-1013 , Buffer Overflow in Samba allows remote root compromise at http://www.digitaldefense.net/labs/advisories/DDI-1013.txt.
• FreeBSD Security Notice FreeBSD-SN-03:01, security issue in samba ports at http://www.linuxsecurity.com/advisories/freebsd_advisory-3128.html. (From LinuxSecurity archive)
• Immunix Secured OS Security Advisory IMNX-2003-7+-006-01, samba at http://www.linuxsecurity.com/advisories/immunix_advisory-3129.html. (From LinuxSecurity archive)
• Samba Web site, Samba - opening Windows to a wider world at http://samba.org/samba/samba.html.
• Samba-TNG Web site, "start page" at http://www.samba-tng.org/index.html.
• SCO Security Advisory CSSA-2003-SCO.13.1, OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : Samba security update available avaliable for download. at http://www.linuxsecurity.com/content/view/105345/98/. (From LinuxSecurity archive)
• SGI Security Advisory 20030403-01-P, Samba Security Vulnerability at ftp://patches.sgi.com/support/free/security/advisories/20030403-01-P.
• slackware-security Mailing List, Tue, Mon, 7 Apr 2003 15:50:22 -0700 (PDT), [slackware-security] Samba security problem fixed at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.288636.
• Sun Alert ID: 53581, Security Vulnerability in Samba(7) versions 2.2.2 through 2.2.8 May Allow Remote User Unauthorized Privileges at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F53581&zone_32=category%3Asecurity.
• Trustix Secure Linux Security Advisory #2003-0019, samba -- Remote root exploit at http://www.trustix.net/errata/2003/0019/.
• BID-7294: Samba call_trans2open Remote Buffer Overflow Vulnerability
• CVE-2003-0201: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
• DSA-280: samba -- buffer overflow
• MDKSA-2003:044: Updated samba packages fix remote root vulnerability
• OpenPKG-SA-2003.028: Samba
• RHSA-2003-137: New samba packages fix security vulnerability
• RHSA-2003-138: samba security update
• RHSA-2003-226: Updated samba packages fix security vulnerabilities
• SUSE-SA:2003:025: samba: remote root access

Reported:

Apr 07, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page