FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

samba -- potential leakage of arbitrary memory contents

Affected packages
3.0.29,1 <= ja-samba < 3.0.32_2,1
3.0.29,1 <= samba < 3.0.32_2,1
3.0.29,1 <= samba3 < 3.0.32_2,1
samba32-devel < 3.2.4_1

Details

VuXML ID 1583640d-be20-11dd-a578-0030843d3802
Discovery 2008-11-27
Entry 2008-11-29

Samba Team reports:

Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: One offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut and paste error lets offset (A) pass completely unchecked against overflow.

The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions.

References

CVE Name CVE-2008-4314
URL http://secunia.com/advisories/32813/
URL http://www.samba.org/samba/security/CVE-2008-4314.html