CERT-In Vulnerability Note CIVN-2008-74
Vulnerability in Solaris Samba Domain logons
Original Issue Date:
June 06, 2008
Severity Rating:
High
System Affected
- Solaris 9 with Samba 3.0.0 through 3.0.27a
- Solaris 10 with Samba 3.0.0 through 3.0.27a
Overview
It has been reported that the Samba "send_mailslot()" function contains a stack-based buffer overflow vulnerability which could be exploited by a remote attacker to execute arbitrary code.
Description
Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). A stack-based buffer overflow vulnerability exists in the “nmbd” program of the Samba suite. Because of this vulnerability, the send_mailslot() function of the “nmbd” program does not properly process SAMLOGON packets. By sending a SAMLOGON domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string, an attacker could overflow the stack.
Workaround
Solutions
The vendor has suggested the following patches:
- SPARC Platform
- Solaris 10 with patch 119757-10 or later
- x86 Platform
- Solaris 10 with patch 119758-10 or later
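The following is an added example, not part of the CERT-In note or any vendor tooling: a POSIX shell check that tests a Samba version string against the affected range listed above and `showrev -p` output against the patch revisions listed here. The function names and sample inputs are constructed for illustration, and it assumes `smbd -V` prints `Version x.y.z`.

```shell
# Added example, not CERT-In or vendor code. Needs a POSIX shell (ksh, bash).
# samba_affected VERSION: succeeds if VERSION is within 3.0.0 .. 3.0.27a.
# Accepts "3.0.25" or the "Version 3.0.25" form (assumed `smbd -V` output).
samba_affected() {
    ver=${1#"Version "}
    case $ver in
        3.0.*) rest=${ver#3.0.} ;;
        *) return 1 ;;
    esac
    num=$(printf '%s\n' "$rest" | sed 's/[^0-9].*$//')
    [ -n "$num" ] || return 1
    suf=${rest#"$num"}
    if [ "$num" -lt 27 ]; then return 0; fi
    if [ "$num" -gt 27 ]; then return 1; fi
    # 3.0.27 itself: only the plain and "a" releases are in the range.
    case $suf in
        ''|a) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_fixed BASE_ID: reads `showrev -p` output on stdin and succeeds if
# BASE_ID (119757 on SPARC, 119758 on x86) is installed at revision 10 or later.
patch_fixed() {
    base=$1
    fixed=1
    while read -r tag id junk; do
        [ "$tag" = "Patch:" ] || continue
        case $id in
            "$base"-*) rev=${id#"$base"-} ;;
            *) continue ;;
        esac
        rev=${rev#0}    # "09" -> "9" so the comparison is decimal
        case $rev in ''|*[!0-9]*) continue ;; esac
        if [ "$rev" -ge 10 ]; then fixed=0; fi
    done
    return $fixed
}

# Constructed sample inputs, not captured from a real host.
sample_version="Version 3.0.25"
sample_patches="Patch: 119757-09 Obsoletes:  Requires:  Incompatibles:  Packages: PKGa"

if samba_affected "$sample_version" &&
   ! printf '%s\n' "$sample_patches" | patch_fixed 119757; then
    echo "VULNERABLE: affected Samba version and patch 119757-10 or later missing"
else
    echo "OK: version outside affected range or fixed patch revision present"
fi
```

On a live host the inputs would come from `smbd -V` and `showrev -p` in place of the sample variables.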
Vendor Information
SUN
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-238251-1
References
SecurityFocus
http://www.securityfocus.com/bid/26791
Secunia
http://secunia.com/advisories/27760/
SecuriTeam
http://www.securiteam.com/exploits/6B00B1PKKU.html
CVE-Name
CVE-2007-6015
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
