CVE-2004-0808
CVSS 5.0
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 22:49:12

[Original] The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided.


[CNNVD] Samba multiple ASN.1 and MailSlot parsing module remote denial-of-service vulnerabilities (CNNVD-200412-239)

        
        Samba is a software suite that implements the SMB (Server Message Block) protocol and provides cross-platform file and print sharing services.
        This CNNVD entry folds two distinct defects from the same Samba advisory into one text. The smbd defect (CAN-2004-0807, ASN.1 parsing) lets an unauthenticated remote attacker send malformed requests during authentication; each request spawns a new smbd process that enters an infinite loop, and enough of them exhaust the server's resources and deny service. Such an attack needs little bandwidth: each request is only 358 bytes, and more than 4000 requests were enough to bring down a Red Hat Fedora Core 1 machine with 512 MB of RAM and 512 MB of swap.
        CVE-2004-0808 itself is the separate nmbd defect described in the original text above: a malformed SAM_UAS_CHANGE mailslot datagram whose structure count is larger than the number of structures the packet actually carries makes nmbd read past the end of the packet and crash. It requires "domain logons = yes" in smb.conf and needs no authentication.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:samba:samba:3.0.4      Samba 3.0.4
cpe:/a:samba:samba:3.0.4:rc1  Samba 3.0.4 release candidate 1
cpe:/a:samba:samba:3.0.3      Samba 3.0.3
cpe:/a:samba:samba:3.0.2      Samba 3.0.2
cpe:/a:samba:samba:3.0.1      Samba 3.0.1
cpe:/a:samba:samba:3.0.0      Samba 3.0.0
cpe:/a:samba:samba:3.0.2a     Samba 3.0.2a
cpe:/a:samba:samba:3.0        Samba 3.0
cpe:/a:samba:samba:3.0.6      Samba 3.0.6
cpe:/a:samba:samba:3.0.5      Samba 3.0.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10344  The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to...
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definition carries the technical details of the check.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0808
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0808
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-239
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000873
(PATCH)  CONECTIVA  CLA-2004:873
http://marc.info/?l=bugtraq&m=109509335230495&w=2
(UNKNOWN)  BUGTRAQ  20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808)
http://marc.info/?l=bugtraq&m=109526231623307&w=2
(UNKNOWN)  BUGTRAQ  20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba)
http://www.gentoo.org/security/en/glsa/glsa-200409-16.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200409-16
http://www.idefense.com/application/poi/display?id=138&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20040913 Samba nmbd Invalid Length Denial of Service Vulnerability
http://www.redhat.com/support/errata/RHSA-2004-467.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:467
http://www.trustix.net/errata/2004/0046/
(VENDOR_ADVISORY)  TRUSTIX  2004-0046

- Vulnerability information

Samba multiple ASN.1 and MailSlot parsing module remote denial-of-service vulnerabilities
Medium severity; design error
2004-12-31 00:00:00 (published)  2005-10-20 00:00:00 (updated)
Remote
        

- Advisories and patches

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2004:092) and corresponding patches for this issue:
        MDKSA-2004:092: Updated samba packages fix multiple vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-092.php

        Patch download:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-devel-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-static-devel-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/nss_wins-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-client-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-common-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-doc-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-mysql-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-pgsql-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-xml-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-server-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-swat-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-winbind-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/samba-3.0.6-4.1.100mdk.src.rpm
        Mandrakelinux 10.0/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-devel-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-static-devel-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/nss_wins-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-client-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-common-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-doc-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-passdb-mysql-3.0.6-4.1.100mdk.amd64.rpm
        The updated packages can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        Samba
        -----
        The vendor has released a patch for this issue; download it from the vendor's site:
        Samba Patch patch-3.0.5-3.0.6.diffs.gz
        
        http://us4.samba.org/samba/ftp/patches/security/patch-3.0.5-3.0.6.diffs.gz
        Note that the advisories reproduced below state that Samba 3.0.6 itself is still vulnerable; the fix they name is samba-3.0.5-DoS.patch from the same security patch directory, or an upgrade to 3.0.7 or later.

- Vulnerability information (F34345)

09.13.04a.txt (PacketStormID:F34345)
2004-09-15 00:00:00
 
advisory,remote
CVE-2004-0808

iDEFENSE Security Advisory 09.13.04a - Remote exploitation of an input validation error in Samba allows an attacker to crash the Samba nmbd server. The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6 are vulnerable.

Samba nmbd Invalid Length Denial of Service Vulnerability

iDEFENSE Security Advisory 09.13.04a
www.idefense.com/application/poi/display?id=138&type=vulnerabilities
September 13, 2004

I. BACKGROUND

Samba is a software suite that provides file and print services to
SMB/CIFS clients, such as Microsoft Windows platforms. For more
information see:

http://www.samba.org/

II. DESCRIPTION

Remote exploitation of an input validation error in Samba allows an
attacker to crash the Samba nmbd server. nmbd is a server, typically
listening on UDP port 138 (the NetBIOS datagram service, which carries the
mailslot packets at issue here; NetBIOS name queries use UDP port 137),
that understands and can reply to NetBIOS over IP name service requests
and participates in the browsing protocols that comprise the Windows
"Network Neighborhood" view. Due to an input validation error, a malformed
UDP packet can cause the nmbd server to crash while attempting to access
memory outside of what is available.
The vulnerability specifically exists in the process_logon_packet()
function when it handles a SAM_UAS_CHANGE request. Part of this packet
contains a count of the number of structures that follow. No check is
made against the length of the packet to determine whether it is
possible to have as many structures in it as it claims. If a large value
is supplied, but a small number of structures are supplied, nmbd will
reference memory outside of the packet it has been supplied. This may
cause the nmbd process to crash.

The following is a trace of exploitation, showing the server no longer
responding to an nmblookup. The nmblookup tool is used to query NetBIOS
names and map them to IP addresses.

sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
        FEDORA1         <00> -         B <ACTIVE>
        FEDORA1         <03> -         B <ACTIVE>
        FEDORA1         <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MYGROUP         <00> - <GROUP> B <ACTIVE>
        MYGROUP         <1b> -         B <ACTIVE>
        MYGROUP         <1c> -         B <ACTIVE>
        MYGROUP         <1e> - <GROUP> B <ACTIVE>
 
sh-2.05b$ ./n 10.1.0.240 138 fedora1
 
Samba 3.x nmbd remote DoS exploit (0day)
 
Attacking 10.1.0.240:138 ..
Done, nmbd should be killed now.
sh-2.05b$ nmblookup -A 10.1.0.240
Looking up status of 10.1.0.240
 
sh-2.05b$

III. ANALYSIS

This vulnerability is only exploitable if the daemon has been configured
to process domain logons. This vulnerability does not allow arbitrary
code execution. When the nmbd process dies, it no longer returns
information about the server, and the host is no longer accessible by
referencing its name.

IV. DETECTION

iDEFENSE has confirmed Samba 3.0.2 is vulnerable. Analysis of the
source suggests that version 3.0.4 is also vulnerable. Samba 2.x does
not include the affected code and, therefore, is not affected by this
vulnerability. The line 'domain logons = yes' must also occur in
smb.conf for this issue to be exploitable. Note that removal of this
line from the configuration file, although it will prevent exploitation,
may also affect the Samba server's functionality.

The vendor has confirmed that Samba 3.0.x prior to and including v3.0.6
are vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this
issue. Removal of the line "domain logons = yes" from the smb.conf
file
for the server will prevent exploitation but may also affect the Samba
server's functionality.

VI. VENDOR RESPONSE

The patch file for Samba 3.0.5 addressing [the] bug
(samba-3.0.5-DoS.patch) can be downloaded from:

   http://download.samba.org/samba/ftp/patches/security/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0808 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/02/2004   Initial vendor notification
09/02/2004   iDEFENSE clients notified
09/02/2004   Vendor response
09/13/2004   Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
    

- Vulnerability information (F34334)

samba30x.txt (PacketStormID:F34334)
2004-09-13 00:00:00
 
advisory,denial of service
CVE-2004-0807,CVE-2004-0808

Samba 3.0.x is susceptible to multiple denial of services bugs that can remotely crash the daemons nmbd and smbd.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject:	Samba 3.0.x Denial of Service Flaw

Summary:	(i) A DoS bug in smbd may allow an
		unauthenticated user to cause smbd to
		spawn new processes each one entering
		an infinite loop.  After sending a sufficient
		amount of packets it is possible to exhaust
		the memory resources on the server.

		(ii) A DoS bug in nmbd may allow an attacker
		to remotely crash the nmbd daemon.

Affected
Versions:	Defect (i) affects Samba 3.0.x prior to and
		including v3.0.6.

		Defect (ii) affects Samba 3.0.x prior to
		and including v3.0.6.

Patch
Availability:	The patch file for Samba 3.0.5 addressing both
		bugs (samba-3.0.5-DoS.patch) can be downloaded
		from
		http://download.samba.org/samba/ftp/patches/security/


Description
- -----------

CAN-2004-0807: A defect in smbd's ASN.1 parsing allows an
attacker to send a specially crafted packet during the
authentication request which will send the newly spawned
smbd process into an infinite loop.  Given enough of these
packets, it is possible to exhaust the available memory
on the server.

CAN-2004-0808: A defect in nmbd's process of mailslot packets
can allow an attacker to anonymously crash nmbd.


Protecting Unpatched Servers
- ----------------------------

The Samba Team always encourages users to run the latest stable
release as a defense against attacks.  However, under certain
circumstances it may not be possible to immediately upgrade
important installations.  In such cases, administrators should
read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html.


Credits
- --------

Both security issues were reported to Samba developers by
iDEFENSE (http://www.idefense.com/).  The defect discovery
was anonymously reported to iDEFENSE via their Vulnerability
Contributor Program (http://www.idefense.com/poi/teams/vcp.jsp).


- --
Our Code, Our Bugs, Our Responsibility.


				-- The Samba Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBRYrsIR7qMdg1EfYRAs0vAKDWgtClvlXUp0K8vcXCpBX4Rxs8/QCeLn42
a36LLoki3iL2l5veoMUAXso=
=LT1R
-----END PGP SIGNATURE-----
    

- Vulnerability information

9917
Samba nmbd process_logon_packet Function Remote DoS
Remote / Network Access; Denial of Service
Loss of Availability

- Vulnerability description

Samba contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a malformed UDP packet and will result in loss of availability for Samba's nmbd daemon. The process_logon_packet function does not properly validate that the packet is appropriately sized to contain the number of structures it claims, when processing a SAM_UAS_CHANGE request. If the packet claims a large number of structures and a smaller number are contained in the packet, nmbd will reference memory outside of the packet, possibly causing the daemon to crash.
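The parsing flaw that section II of the iDEFENSE advisory and the description above both describe, reduced to its core, as an added example that is not Samba's process_logon_packet() code nor anything from iDEFENSE or OSVDB: a loop bounded by a count read from the datagram rather than by the datagram's length, next to the bounded version. The wire layout assumed here (a 16-bit little-endian count followed by fixed 8-byte records), the function names and the sample packet are invented for the illustration; the real SAM_UAS_CHANGE structures are laid out differently.

```c
/*
 * Added illustration of the CVE-2004-0808 bug class. This is NOT Samba's
 * process_logon_packet() and the record layout is invented:
 *   [u16 LE count][count * 8-byte records]
 * The attacker controls `count`; only the packet length is trustworthy.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 2
#define REC_SIZE 8
#define ARENA    65536   /* demo only: keeps the unchecked read inside mapped memory */

static unsigned read_le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Vulnerable pattern: the loop bound comes from the packet, not from `len`.
 * Returns how many records it walked. On a real heap buffer the reads past
 * `len` are out of bounds and can fault, which is the nmbd crash. */
unsigned walk_records_unchecked(const uint8_t *pkt, size_t len)
{
    if (len < HDR_SIZE) return 0;
    unsigned count = read_le16(pkt), walked = 0;
    const uint8_t *rec = pkt + HDR_SIZE;
    volatile uint8_t sink = 0;
    for (unsigned i = 0; i < count; i++, rec += REC_SIZE) {
        sink ^= rec[0];          /* touches memory the packet never supplied */
        walked++;
    }
    (void)sink;
    return walked;
}

/* Hardened pattern: derive the maximum record count from the bytes actually
 * present and compare counts (a divide), rather than multiplying the
 * attacker's count by the record size, so the check itself cannot overflow.
 * Returns 0 and the record count, or -1 if the packet is rejected. */
int walk_records_checked(const uint8_t *pkt, size_t len, unsigned *out_count)
{
    if (len < HDR_SIZE) return -1;
    unsigned count = read_le16(pkt);
    size_t available = (len - HDR_SIZE) / REC_SIZE;
    if (count > available) return -1;          /* claims more than it carries */
    const uint8_t *rec = pkt + HDR_SIZE;
    volatile uint8_t sink = 0;
    for (unsigned i = 0; i < count; i++, rec += REC_SIZE)
        sink ^= rec[0];
    (void)sink;
    *out_count = count;
    return 0;
}

/* Constructed sample packet: header claims `claimed` records, only
 * `present` records follow. Returns the packet length, 0 if it does not fit. */
size_t build_sample(uint8_t *buf, size_t cap, unsigned claimed, unsigned present)
{
    size_t len = HDR_SIZE + (size_t)present * REC_SIZE;
    if (len > cap) return 0;
    buf[0] = claimed & 0xff;
    buf[1] = (claimed >> 8) & 0xff;
    memset(buf + HDR_SIZE, 0x41, len - HDR_SIZE);
    return len;
}

int main(void)
{
    static uint8_t arena[ARENA];
    unsigned n = 0;
    size_t len = build_sample(arena, sizeof arena, 1000, 2);
    printf("unchecked walked %u records (packet holds 2)\n",
           walk_records_unchecked(arena, len));
    printf("checked: %s\n",
           walk_records_checked(arena, len, &n) == 0 ? "accepted" : "rejected");
    len = build_sample(arena, sizeof arena, 2, 2);
    printf("checked on honest packet: %d records\n",
           walk_records_checked(arena, len, &n) == 0 ? (int)n : -1);
    return 0;
}
```

The unchecked walk reads 1000 records from an 18-byte packet; it survives here only because the demo places the packet in a 64 KiB arena, whereas nmbd's buffer ends where the datagram ends. The check divides the bytes present by the record size and compares counts, which is the shape to keep even for wider count fields where count * record size could wrap.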

- Timeline

Disclosure: 2004-09-13; vendor notification: 2004-09-02 (matching the iDEFENSE timeline above)
The remaining two timeline fields are unknown.

- Solution

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. If an upgrade is not a possibility, apply the samba-3.0.5-DoS.patch. Additionally, removing the line "domain logons = yes" from the smb.conf file for the server will prevent exploitation.

- References

- Vulnerability author

 

 
