CVE-2002-1318
CVSS 10.0
Published: 2002-12-11 00:00:00
Revised: 2016-10-17 22:25:51

[原文]Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.


[CNNVD] Samba Server Encrypted Password Remote Buffer Overflow Vulnerability (CNNVD-200212-016)

        Samba is a suite that implements the SMB (Server Message Block) protocol to provide cross-platform file and print sharing.
        The Samba server does not correctly check the length of an encrypted password change request; a remote attacker can send a crafted request that triggers a buffer overflow and could execute arbitrary code on the system with root privileges.
        The client sends an encrypted password; an over-long encrypted password overflows a buffer on the smbd stack. When the server converts the string from the DOS code page to little-endian UCS2 Unicode it does not check the destination buffer length, so carefully constructed request data may lead to arbitrary code execution as root.
        According to reports, some applications that use the pam_smbpass PAM module are locally exploitable, and the condition may also be triggered remotely to execute arbitrary code with superuser privileges.
        No exploit code is currently known to exist.
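The conversion the description refers to widens every single-byte DOS-codepage character to two bytes of little-endian UCS-2, so a destination buffer sized for the input length holds only half of the output. The C code below is an added illustration written for this page, not Samba's source; the function names, the one-byte-to-code-point mapping (exact for ASCII only) and the 64-byte stack buffer are assumptions. It shows the destination-size check whose absence the advisory describes, and a request handler that rejects a password the buffer cannot hold instead of overrunning the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page; not Samba source. Models the widening of a
 * single-byte DOS-codepage string to little-endian UCS-2. Each input byte is
 * mapped to the code point of the same value, which is exact for ASCII only;
 * a real codepage table differs for bytes >= 0x80 (simplifying assumption). */

/* Bytes the expanded string occupies: two per character plus a two-byte
 * UCS-2 NUL terminator. This is the bound the vulnerable code never applied. */
size_t ucs2le_bytes_needed(size_t srclen)
{
    return srclen * 2 + 2;
}

/* Hardened conversion: writes nothing unless dst can hold the whole expanded
 * string. Returns bytes written including the terminator, or -1 on overflow. */
long dos_to_ucs2le(const unsigned char *src, size_t srclen,
                   unsigned char *dst, size_t dstlen)
{
    if (dstlen < ucs2le_bytes_needed(srclen))
        return -1;                       /* the missing destination-length check */
    for (size_t i = 0; i < srclen; i++) {
        dst[2 * i]     = src[i];         /* low byte first: little-endian */
        dst[2 * i + 1] = 0;              /* high byte is zero for single-byte code points */
    }
    dst[2 * srclen]     = 0;             /* UCS-2 NUL terminator */
    dst[2 * srclen + 1] = 0;
    return (long)ucs2le_bytes_needed(srclen);
}

/* Hypothetical fixed-size stack buffer of a password-change handler. */
#define PW_BUF_BYTES 64

/* Models the request handler: the client-controlled password is converted
 * into a fixed stack buffer. Returns 1 if accepted, 0 if rejected as too long.
 * Without the check inside dos_to_ucs2le, any password longer than
 * (PW_BUF_BYTES - 2) / 2 bytes would write past the end of ucs2[]. */
int handle_password_change(const unsigned char *pw, size_t pwlen)
{
    unsigned char ucs2[PW_BUF_BYTES];
    long n = dos_to_ucs2le(pw, pwlen, ucs2, sizeof ucs2);
    if (n < 0)
        return 0;
    /* ... the UCS-2 form would be hashed or compared here ... */
    memset(ucs2, 0, sizeof ucs2);       /* scrub password material before return */
    return 1;
}

/* Largest single-byte password the handler can accept without overflow. */
size_t max_accepted_password_len(void)
{
    return (PW_BUF_BYTES - 2) / 2;
}

/* Helper: does the handler accept a password of n bytes? (constructed input, all 'x') */
int accepts_password_of_len(size_t n)
{
    unsigned char pw[512];
    if (n > sizeof pw)
        return 0;
    memset(pw, 'x', n);
    return handle_password_change(pw, n);
}

/* Helper: byte at index idx of the UCS-2LE encoding of s, or -1 if out of range. */
int ucs2le_byte_at(const char *s, size_t idx)
{
    unsigned char scratch[256];
    long n = dos_to_ucs2le((const unsigned char *)s, strlen(s), scratch, sizeof scratch);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return scratch[idx];
}

/* Helper: convert s into a destination of dstlen bytes and return the
 * conversion's result, so the bound can be checked against specific sizes. */
long convert_into(const char *s, size_t dstlen)
{
    unsigned char scratch[256];
    if (dstlen > sizeof scratch)
        return -1;
    return dos_to_ucs2le((const unsigned char *)s, strlen(s), scratch, dstlen);
}

int main(void)
{
    printf("max accepted password length: %zu\n", max_accepted_password_len());
    printf("31-byte password accepted: %d\n", accepts_password_of_len(31));
    printf("32-byte password accepted: %d\n", accepts_password_of_len(32));
    return 0;
}
```

The bound is on the destination, not the source: a check such as `if (pwlen > sizeof ucs2)` would still admit any password between half and the full buffer size, because the widening doubles the length before the bytes land in the buffer.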
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:hp:cifs-9000_server:a.01.08.01    HP CIFS_9000 Server A.01.08.01
cpe:/o:sgi:irix:6.5    SGI IRIX 6.5
cpe:/o:sgi:irix:6.5.15    SGI IRIX 6.5.15
cpe:/o:sgi:irix:6.5.18    SGI IRIX 6.5.18
cpe:/a:samba:samba:2.2.3    Samba 2.2.3
cpe:/a:samba:samba:2.2.2    Samba 2.2.2
cpe:/a:samba:samba:2.2.5    Samba 2.2.5
cpe:/a:samba:samba:2.2.4    Samba 2.2.4
cpe:/a:samba:samba:2.2.6    Samba 2.2.6
cpe:/o:sgi:irix:6.5.2    SGI IRIX 6.5.2
cpe:/o:sgi:irix:6.5.7    SGI IRIX 6.5.7
cpe:/o:sgi:irix:6.5.8    SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.5    SGI IRIX 6.5.5
cpe:/o:sgi:irix:6.5.3    SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.4    SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.1    SGI IRIX 6.5.1
cpe:/o:sgi:irix:6.5.11    SGI IRIX 6.5.11
cpe:/o:sgi:irix:6.5.16    SGI IRIX 6.5.16
cpe:/a:hp:cifs-9000_server:a.01.08    HP CIFS_9000 Server A.01.08
cpe:/o:sgi:irix:6.5.17    SGI IRIX 6.5.17
cpe:/o:sgi:irix:6.5.14    SGI IRIX 6.5.14
cpe:/o:sgi:irix:6.5.6    SGI IRIX 6.5.6
cpe:/o:sgi:irix:6.5.12    SGI IRIX 6.5.12
cpe:/o:sgi:irix:6.5.13    SGI IRIX 6.5.13
cpe:/o:sgi:irix:6.5.10    SGI IRIX 6.5.10
cpe:/o:sgi:irix:6.5.9    SGI IRIX 6.5.9
cpe:/a:hp:cifs-9000_server:a.01.09    HP CIFS_9000 Server A.01.09

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1467    Samba Encrypted Password DoS
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detection details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1318
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1318
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-016
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20021204-01-I
(UNKNOWN)  SGI  20021204-01-I
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000550
(UNKNOWN)  CONECTIVA  CLA-2002:550
http://marc.info/?l=bugtraq&m=103801986818076&w=2
(UNKNOWN)  BUGTRAQ  20021121 GLSA: samba
http://marc.info/?l=bugtraq&m=103859045302448&w=2
(UNKNOWN)  BUGTRAQ  20021129 [OpenPKG-SA-2002.012] OpenPKG Security Advisory (samba)
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/53580
(UNKNOWN)  SUNALERT  53580
http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
(VENDOR_ADVISORY)  CONFIRM  http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
http://www.ciac.org/ciac/bulletins/n-019.shtml
(UNKNOWN)  CIAC  N-019
http://www.ciac.org/ciac/bulletins/n-023.shtml
(UNKNOWN)  CIAC  N-023
http://www.debian.org/security/2002/dsa-200
(VENDOR_ADVISORY)  DEBIAN  DSA-200
http://www.kb.cert.org/vuls/id/958321
(UNKNOWN)  CERT-VN  VU#958321
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-081.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:081
http://www.novell.com/linux/security/advisories/2002_045_samba.html
(UNKNOWN)  SUSE  SuSE-SA:2002:045
http://www.redhat.com/support/errata/RHSA-2002-266.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:266
http://www.securityfocus.com/bid/6210
(VENDOR_ADVISORY)  BID  6210
http://xforce.iss.net/xforce/xfdb/10683
(VENDOR_ADVISORY)  XF  samba-password-change-bo(10683)

- Vulnerability information

Samba Server Encrypted Password Remote Buffer Overflow Vulnerability
Critical    Boundary condition error
2002-12-11 00:00:00    2005-05-13 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:550) and corresponding patches:
        CLA-2002:550: samba
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000550

        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-2.0.9-2U60_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-clients-2.0.9-2U60_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-doc-2.0.9-2U60_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-swat-2.0.9-2U60_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/samba-2.0.9-2U60_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-clients-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-codepagesource-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-common-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-doc-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-swat-2.2.1a-1U70_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/samba-2.2.1a-1U70_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-clients-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-codepagesource-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-common-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-doc-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-swat-2.2.3a-2U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/samba-2.2.3a-2U80_1cl.src.rpm
        Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
        - Add the following line to /etc/apt/sources.list:
        
        rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
        (if you are not running 6.0, substitute the appropriate version number for 6.0 above)
        - Run: apt-get update
        - After the update, run: apt-get upgrade
        Debian
        ------
        Debian has released a security advisory (DSA-200-1) and corresponding patches:
        DSA-200-1: Samba buffer overflow
        Link:
        http://www.debian.org/security/2002/dsa-200

        Patch downloads:
        Source archives:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.dsc

        Size/MD5 checksum: 1469 5db10f38dc411972fed1e8e79ac9e2cb
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz

        Size/MD5 checksum: 5460531 b6ec2f076af69331535a82b586f55254
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.diff.gz

        Size/MD5 checksum: 116834 55b9c9ed1e423608838b5493eec9f727
        Architecture independent packages:
        
        http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12_all.deb

        Size/MD5 checksum: 2446440 dca2cc174c245ee12e601f1ba2b115e9
        alpha architecture (DEC Alpha)
        
        http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 415200 163bd412f5fd1ec9a2a125e0b1b024ba
        
        http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 598938 037ca8de5dbf1462e0c17a88c7cd35bc
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 946742 47bdd6c9a6088326e6842265e3de6f8e
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 1130570 8f88729028cd3cd368435bc5feb282fb
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 622300 c22e7b482598b6c61a99410d50e1c0d6
        
        http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 488062 858e115dc3176c975c096e1328c08d49
        
        http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 1105314 0bd614d744080ebd3383898871f73fd3
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 1153962 8d1fcb828d6640136aaa93397fef3a4c
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_alpha.deb

        Size/MD5 checksum: 2951852 f880e61a41534119a50a9ae282212421
        arm architecture (ARM)
        
        http://security.debian.org/

- Vulnerability information

14525
Samba Encrypted Password String Conversion Decryption Overflow DoS
Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability    Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2002-11-20 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.2.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Samba Server Encrypted Password Buffer Overrun Vulnerability
Boundary Condition Error 6210
Yes No
2002-11-20 12:00:00 2009-07-11 07:16:00
Discovery of this vulnerability is credited to Steve Langasek and Eloy Paris.

- Affected versions

Trustix Secure Linux 1.5
Sun Solaris 9_x86
Sun Solaris 9
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
Samba Samba 2.2.6
+ Mandriva Linux Mandrake 9.0
Samba Samba 2.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Gentoo Linux 1.4 _rc3
+ HP CIFS/9000 Server A.01.09.02
+ HP CIFS/9000 Server A.01.09.01
+ HP CIFS/9000 Server A.01.09
+ HP CIFS/9000 Server A.01.08.01
+ HP CIFS/9000 Server A.01.08
+ HP CIFS/9000 Server A.01.07
+ HP CIFS/9000 Server A.01.06
+ HP CIFS/9000 Server A.01.05
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i686
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
Samba Samba 2.2.4
+ Slackware Linux 8.1
Samba Samba 2.2.3a
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Samba Samba 2.2.3
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X Server 10.2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Samba Samba 2.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ HP CIFS/9000 Server A.01.09
+ HP CIFS/9000 Server A.01.08.01
+ HP CIFS/9000 Server A.01.08
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ OpenPKG OpenPKG 1.0
Samba Samba 2.2.1a
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Sun Linux 5.0
+ Sun LX50
Samba Samba 2.2.0a
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Slackware Linux 8.0
Samba Samba 2.2.0
- S.u.S.E. Linux 7.2
HP CIFS/9000 Server A.01.09
HP CIFS/9000 Server A.01.08.01
HP CIFS/9000 Server A.01.08
FreeRADIUS FreeRADIUS 0.9.3
FreeRADIUS FreeRADIUS 0.9.2
FreeRADIUS FreeRADIUS 0.9.1
FreeRADIUS FreeRADIUS 0.9
FreeRADIUS FreeRADIUS 0.8.1
FreeRADIUS FreeRADIUS 0.8

- Unaffected versions

Samba Samba 2.2.7
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ Sun Linux 5.0.6
+ Sun Solaris 9_x86
+ Sun Solaris 9
HP CIFS/9000 Server A.01.09.01

- Discussion

A buffer overrun condition has been discovered in the password change request routine used in Samba. Due to insufficient bounds checking of user-supplied input, it is possible to trigger this condition by passing smbd an encrypted password of excessive length.

It has been reported that applications implementing the pam_smbpass PAM module are locally exploitable. It may also be possible to trigger this condition remotely, potentially resulting in the execution of arbitrary code with super user privileges.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Slackware has released an advisory containing fixes. Information about obtaining and applying fixes can be found in the referenced advisory.

SuSE has released an advisory containing fixes. Information about obtaining and applying fixes can be found in the referenced advisory.

Gentoo has released an advisory. It is recommended that all Gentoo Linux users who are running net-fs/samba-2.2.5-r1 and earlier update their systems as follows:

emerge rsync
emerge samba
emerge clean

RedHat has released a security advisory (RHSA-2002:266-05) including fixes which address this issue.

Debian has released a security advisory (DSA-200-1) including fixes which address this issue.

Trustix has released a security advisory including fixes which address this issue.

Mandrake has released an advisory including fixes which address this issue. Information about obtaining and applying fixes is available in the referenced advisory.

SGI has released an advisory. SGI recommends that users, who require the use of Samba, upgrade to version 2.2.7 of Samba.

HP has released an advisory recommending that users upgrade to CIFS/9000 server A.01.09.01.

Samba 2.2.7 is not vulnerable to this issue. Users are advised to upgrade to the latest version of Samba.

Apple has reported that Directory Services are used for authentication in MacOS X and the vulnerable Samba function is not called. However, Apple has included patches for this issue in MacOS X 10.2.4/MacOS X Server 10.2.4 as a preventative measure.

This problem has been acknowledged in FreeRADIUS. The vendor has stated that this issue has been resolved in CVS, and will be fixed in future releases of the software.

Fixes are available:

HP CIFS/9000 Server A.01.09
HP CIFS/9000 Server A.01.08.01
HP CIFS/9000 Server A.01.08
Sun Solaris 9
Sun Solaris 9_x86
Samba Samba 2.2.0
Samba Samba 2.2.0a
Samba Samba 2.2.1a
Samba Samba 2.2.2
Samba Samba 2.2.3
Samba Samba 2.2.3a
Samba Samba 2.2.4
Samba Samba 2.2.5
Samba Samba 2.2.6
