Samba QFILEPATHINFO buffer overflow

samba-qfilepathinfo-bo (18070)

High Risk

Description:

Samba is vulnerable to a buffer overflow in the QFILEPATHINFO request handler. A remote authenticated attacker could send a specially-crafted TRANSACT2_QFILEPATHINFO request for a specific file name containing unicode characters to overflow a buffer and execute arbitrary code on the system.

Platforms Affected:

• Canonical, Ubuntu 4.10
• Conectiva, Linux 10
• FedoraProject, Fedora Core 2
• FedoraProject, Fedora Core 3
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 10.0 AMD64
• MandrakeSoft, Mandrake Linux 10.0
• MandrakeSoft, Mandrake Linux 10.1
• MandrakeSoft, Mandrake Linux 10.1 X86_64
• Novell, Linux Desktop 9
• OpenPKG, OpenPKG 2.1
• OpenPKG, OpenPKG 2.2
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 WS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Samba, Samba 3.0 Alpha
• Samba, Samba 3.0.0
• Samba, Samba 3.0.1
• Samba, Samba 3.0.2
• Samba, Samba 3.0.2a
• Samba, Samba 3.0.3
• Samba, Samba 3.0.4
• Samba, Samba 3.0.4 R1
• Samba, Samba 3.0.5
• Samba, Samba 3.0.6
• Samba, Samba 3.0.7
• SCO, SCO UnixWare 7.1.4
• SuSE, Linux Enterprise Server 9
• SuSE, SuSE Linux 9.1
• SuSE, SuSE Linux 9.2
• Trustix, Secure Linux 2.1
• Trustix, Secure Linux 2.2
• Turbolinux, Turbolinux 10 Server

Remedy:

Upgrade to the latest version of Samba (3.0.8 or later), available from the Samba Download Web page. See References.

For SuSE Linux:
Upgrade to the latest Samba package, as listed below. Refer to SuSE Security Announcement SuSE-SUSE-SA:2004:040 for more information. See References.

SuSE Linux 9.1: 3.0.7-5.2 or later
SuSE Linux 9.2: 3.0.4-1.34.3 or later

For Trustix Secure Linux:
Upgrade to the latest samba package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0058 for more information. See References.

Trustix Secure Linux 2.2: 3.0.7-2tr or later
Trustix Secure Linux 2.1: 3.0.7-2tr or later

For Red Hat Linux:
Upgrade to the latest samba package, as listed below. Refer to RHSA-2004:632-17 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 2.2.12-1.21as.1 or later
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 3.0.7-1.3E.1.x86_64 or later

For Mandrake Linux:
Upgrade to the latest samba package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:136 for more information. See References.

Mandrake Linux 10.0: 3.0.6-4.3.100mdk or later
Mandrake Linux 10.1: 3.0.7-2.2.101mdk or later

For Conectiva Linux:
Upgrade to the latest samba package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:899 for more information. See References.

Conectiva Linux 10.0: 3.0.7-62749U10_6cl or later

For Ubuntu Linux:
Upgrade to the latest samba package (3.0.7-1ubuntu6.2 or later), as listed in USN-29-1. See References.

For Fedora Core 3:
Upgrade to the latest samba package (3.0.9-1.fc3 or later), as listed in Fedora Update Notification FEDORA-2004-460. See References.

For Fedora Core 2:
Upgrade to the latest samba package (3.0.9-1.fc2 or later), as listed in Fedora Update Notification FEDORA-2004-459. See References.

For TurboLinux:
Upgrade to the latest samba package, as listed below. Refer to TurboLinux Security Advisory TLSA-2004-32 for more information. See References.

TurboLinux 10 Server: 3.0.6-9 or later

For SCO UnixWare 7.1.4:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.17. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.054 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• CIAC Information Bulletin P-038, Samba Vulnerabilities at http://www.ciac.org/ciac/bulletins/p-038.shtml.
• Conectiva Linux Security Announcement CLSA-2004:899, Fix for Samba's denial of service vulnerability at http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000899.
• Fedora Update Notification FEDORA-2004-459, samba-3.0.9-1.fc2 update at http://www.linuxsecurity.com/content/view/106941/102/.
• Fedora Update Notification FEDORA-2004-460, samba-3.0.9-1.fc3 update at http://www.linuxsecurity.com/content/view/106942/102/.
• Samba Download Web page, Download Samba at http://www.samba.org/samba/download/.
• SCO Security Advisory SCOSA-2005.17, UnixWare 7.1.4 : Samba multiple security issues at ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.17/SCOSA-2005.17.txt.
• Securiteam, Samba 3.x QFILEPATHINFO unicode filename buffer overflow at http://www.securiteam.com/unixfocus/6T00H1FBPG.html.
• Trustix Secure Linux Security Advisory #2004-0058, Various security fixes at http://www.trustix.net/errata/2004/0058/.
• BID-11678: Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow Vulnerability
• CVE-2004-0882: Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small maximum data bytes value.
• GLSA-200411-21: Samba: Multiple vulnerabilities
• MDKSA-2004:136: Updated samba packages fix remote vulnerability
• OpenPKG-SA-2004.054: Samba
• RHSA-2004-632: samba security update
• SA13189: Samba QFILEPATHINFO Request Handler Buffer Overflow Vulnerability
• SECTRACK ID: 1012235: Samba QFILEPATHINFO Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
• SUSE-SA:2004:040: samba: remote denial of service

Reported:

Nov 15, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page