CVE-2004-0930
CVSS 5.0
Published: 2005-01-27 00:00:00
Revised: 2016-10-17 22:49:59

[Original] The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters.


[CNNVD] Samba ms_fnmatch Denial of Service Vulnerability (CNNVD-200501-303)

        Samba is an open-source implementation of the SMB (Server Message Block) protocol that provides cross-platform file and print sharing services.
        The ms_fnmatch function in Samba 3.0.4 and 3.0.7 contains a flaw that can lead to a denial-of-service attack; other Samba versions may also be affected.
        A remote authenticated attacker can send a SAMBA request containing multiple '*' wildcard characters to cause heavy CPU consumption, resulting in a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:conectiva:linux:10.0  Conectiva Linux 10.0
cpe:/o:redhat:enterprise_linux:2.1::advanced_server_ia64
cpe:/a:sgi:samba:3.0::irix
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:redhat:fedora_core:core_3.0
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/o:redhat:enterprise_linux:2.1::workstation
cpe:/o:redhat:enterprise_linux_desktop:3.0  Red Hat Desktop 3.0
cpe:/a:samba:samba:3.0.4  Samba 3.0.4
cpe:/a:samba:samba:3.0.3  Samba 3.0.3
cpe:/o:gentoo:linux  Gentoo Linux
cpe:/a:samba:samba:3.0.0  Samba 3.0.0
cpe:/a:sgi:samba:3.0.4::irix
cpe:/a:sgi:samba:3.0.3::irix
cpe:/a:sgi:samba:3.0.2::irix
cpe:/a:sgi:samba:3.0.1::irix
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server_ia64
cpe:/a:samba:samba:3.0.7  Samba 3.0.7
cpe:/a:samba:samba:3.0.6  Samba 3.0.6
cpe:/a:samba:samba:3.0.5  Samba 3.0.5
cpe:/o:redhat:enterprise_linux:2.1::workstation_ia64
cpe:/o:redhat:linux_advanced_workstation:2.1::ia64
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/a:sgi:samba:3.0.7::irix
cpe:/a:sgi:samba:3.0.6::irix
cpe:/a:sgi:samba:3.0.5::irix

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10936  The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service ...
*OVAL describes the method for detecting this vulnerability in detail; the related OVAL definition carries further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0930
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0930
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-303
(official data source) CNNVD

- Other links and resources

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.17/SCOSA-2005.17.txt
(UNKNOWN)  SCO  SCOSA-2005.17
ftp://patches.sgi.com/support/free/security/advisories/20041201-01-P
(UNKNOWN)  SGI  20041201-01-P
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000899
(UNKNOWN)  CONECTIVA  CLA-2004:899
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-03-21
http://marc.info/?l=bugtraq&m=109993720717957&w=2
(UNKNOWN)  BUGTRAQ  20041108 [SECURITY] CAN-2004-0930: Potential Remote Denial of Service Vulnerability
http://marc.info/?l=bugtraq&m=110022719024619&w=2
(UNKNOWN)  UBUNTU  USN-22-1
http://marc.info/?l=bugtraq&m=110330519803655&w=2
(UNKNOWN)  OPENPKG  OpenPKG-SA-2004.054
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101783-1
(UNKNOWN)  SUNALERT  101783
http://www.gentoo.org/security/en/glsa/glsa-200411-21.xml
(UNKNOWN)  GENTOO  GLSA 200411-21
http://www.idefense.com/application/poi/display?id=156&type=vulnerabilities&flashstatus=false
(VENDOR_ADVISORY)  IDEFENSE  20041108 Samba SMBD Remote Denial of Service Vulnerability
http://www.mandriva.com/security/advisories?name=MDKSA-2004:131
(UNKNOWN)  MANDRAKE  MDKSA-2004:131
http://www.novell.com/linux/security/advisories/2004_40_samba.html
(UNKNOWN)  SUSE  SUSE-SA:2004:040
http://www.securityfocus.com/bid/11624
(VENDOR_ADVISORY)  BID  11624
http://xforce.iss.net/xforce/xfdb/17987
(VENDOR_ADVISORY)  XF  samba-msfnmatch-dos(17987)

- Vulnerability information

Samba ms_fnmatch Denial of Service Vulnerability
Medium severity  Input validation
2005-01-27 00:00:00 2005-10-20 00:00:00
Remote
        Samba is an open-source implementation of the SMB (Server Message Block) protocol that provides cross-platform file and print sharing services.
        The ms_fnmatch function in Samba 3.0.4 and 3.0.7 contains a flaw that can lead to a denial-of-service attack; other Samba versions may also be affected.
        A remote authenticated attacker can send a SAMBA request containing multiple '*' wildcard characters to cause heavy CPU consumption, resulting in a denial of service.

- Advisory and patches

        The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
        http://www.samba.org/samba/download/

- Vulnerability information (F35080)

Trustix Secure Linux Security Advisory 2004.58 (PacketStormID:F35080)
2004-11-20 00:00:00
 
advisory
linux
CVE-2004-0941,CVE-2004-0990,CVE-2004-0882,CVE-2004-0930
[Download]

Trustix Secure Linux Security Advisory #2004-0058 - Various security fixes have been released for gd, samba, sqlgrey, and sudo.

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0058

Package name:      gd samba sqlgrey sudo
Summary:           Various security fixes
Date:              2004-11-15
Affected versions: Trustix Secure Linux 1.5
                   Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Secure Linux 2.2
                   Trustix Operating System - Enterprise Server 2

--------------------------------------------------------------------------
Package description:
  gd:
  gd is a graphics library. It allows your code to quickly draw images
  complete with lines, arcs, text, multiple colors, cut and paste from
  other images, and flood fills, and write out the result as a PNG or
  JPEG file. This is particularly useful in World Wide Web applications,
  where PNG and JPEG are two of the formats accepted for inline images
  by most browsers.

  samba:
  Samba provides an SMB server which can be used to provide network
  services to SMB (sometimes called "Lan Manager") clients, including
  various versions of MS Windows, OS/2, and other Linux machines

  sqlgrey:
  SQLgrey is a Postfix grey-listing policy service with auto-white-listing
  written in Perl with SQL database as storage backend.

  sudo:
  Sudo (superuser do) allows a system administrator to give certain
  users (or groups of users) the ability to run some (or all) commands
  as root while logging all commands and arguments. Sudo operates on a
  per-command basis.  It is not a replacement for the shell.  Features
  include: the ability to restrict what commands a user may run on a
  per-host basis, copious logging of each command (providing a clear
  audit trail of who did what), a configurable timeout of the sudo
  command, and the ability to use the same configuration file (sudoers)
  on many different machines.


Problem description:

  gd:
  Several overflows have been found in gd.  These can be used to
  execute arbitrary code in programs using the gd library.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the names CAN-2004-0941 and CAN-2004-0990 to these issues.


  sqlgrey:
  Matt Linzbach made us aware that the maintainers of SQLgrey have issued
  a new release that fixes an SQL injection bug.


  samba:
  From the Samba advisory:
  Invalid bounds checking in reply to certain trans2 requests 
  could result in a buffer overrun in smbd.  In order to exploit 
  this defect, the attacker must be able to create files with very 
  specific Unicode filenames on the Samba share. 

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0882 to this issue.

  From the Samba advisory:
  A bug in the input validation routines used to match
  filename strings containing wildcard characters may allow
  a user to consume more than normal amounts of CPU cycles
  thus impacting the performance and response of the server.
  In some circumstances the server can become entirely
  unresponsive.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0930 to this issue.


  sudo:
  Bash exported functions and the CDPATH variable are now stripped from 
  the environment passed to the program to be executed. 




Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-1.5/>,
  <URI:http://www.trustix.org/errata/trustix-2.0/>,
  <URI:http://www.trustix.org/errata/trustix-2.1/> and
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0058/>


MD5sums of the packages:


Trustix Security Team



- Vulnerability information (F34979)

iDEFENSE Security Advisory 2004-11-08.t (PacketStormID:F34979)
2004-11-10 00:00:00
Karol Wiesek,iDefense Labs  idefense.com
advisory,remote
CVE-2004-0930
[Download]

iDEFENSE Security Advisory 11.08.04 - Remote exploitation of an input validation error in Samba could allow an attacker to consume system resources and potentially cause the target system to crash.

Samba SMBD Remote Denial of Service Vulnerability

iDEFENSE Security Advisory 11.08.04 
www.idefense.com/application/poi/display?id=156&type=vulnerabilities
November 08, 2004

I. BACKGROUND

Samba is an Open Source/Free Software suite that provides seamless file 
and print services to SMB/CIFS clients.

II. DESCRIPTION

Remote exploitation of an input validation error in Samba could allow an
attacker to consume system resources and potentially cause the target
system to crash.

The problem specifically exists within the ms_fnmatch() routine which 
upon parsing '*' characters within a pattern will fall into an 
exponentially growing loop. The responsible section of vulnerable code 
appears here: 

case '*':
    for (; *n; n++) {
        if (ms_fnmatch(p, n) == 0) return 0;
    }
    break;

An authenticated remote attacker can cause a resource exhaustion attack 
by sending multiple malformed commands to an affected server. A request 
as simple as 'dir ***********************************************z' can 
trigger this condition leading to 100% CPU usage.

III. ANALYSIS

Successful exploitation allows authenticated remote attackers to exhaust
CPU resources. This attack takes very little bandwidth and can, in some
cases, cause the machine to stop responding. Multiple attacks can be
launched in parallel which can make this attack more effective.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Samba 
versions 3.0.4 and 3.0.7. It is suspected that all versions of Samba up 
to and including 3.0.7 are vulnerable.

V. WORKAROUND

Restricting access to the server by using the "hosts allow" setting in 
smb.conf and/or applying firewall rules may help mitigate this 
vulnerability.

VI. VENDOR RESPONSE

3.0.7 patch:
http://www.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch

3.0.7 patch signature:
http://www.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch.asc

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0930 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/29/2004  iDEFENSE clients notified 
09/29/2004  Initial vendor notification 
09/30/2004  Initial vendor response 
11/08/2004  Coordinated public disclosure

IX. CREDIT

Karol Wiesek is credited with this discovery.

Get paid for vulnerability research 
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
    

- Vulnerability information

11555
Samba ms_fnmatch() Function Wildcard Matching Remote DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public Vendor Verified

- Vulnerability description

Samba server contains a flaw in ms_fnmatch.c that may allow a malicious user to cause a denial of service. The issue is triggered when a request is made for a resource which contains multiple wildcard characters; this causes the server to fall into a loop whose size grows exponentially with the number of wildcard characters used. It is possible that the flaw may allow a remote server crash, resulting in a loss of availability.
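To make the exponential loop quoted in the iDEFENSE advisory and described above concrete, here is an added C example (this example's own code, not Samba's source): a minimal ASCII model of the quoted '*' loop, and the same matcher with a per-'*' memo of the name position already exhausted, which bounds the retries (the hardened variant is this example's simplification of the bounding idea, not Samba's patch). Both count their recursive calls; the pattern and name inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Per-match state: pattern base (to index 'tried'), the per-'*' memo used
 * only by the hardened variant, and a count of recursive calls. */
struct match_ctx {
    const char *pattern;
    const char **tried;        /* NULL selects the naive behaviour */
    unsigned long calls;
};

/* Simplified ASCII model of ms_fnmatch(): '*' matches any run, '?' one
 * character, anything else literally. Returns 0 on match, -1 otherwise.
 * The '*' case mirrors the loop quoted in the advisory: it retries the
 * rest of the pattern at every remaining position of the name. */
static int fnmatch_core(struct match_ctx *ctx, const char *p, const char *n)
{
    char c;
    ctx->calls++;
    while ((c = *p++)) {
        switch (c) {
        case '*':
            if (ctx->tried) {
                /* Hardened: each '*' remembers the lowest name position it
                 * has already exhausted. Re-entering at or past it cannot
                 * succeed (every later position was tried then), so work
                 * drops from O(len^stars) to O(len * stars). */
                const char **slot = &ctx->tried[(p - 1) - ctx->pattern];
                if (*slot && n >= *slot) return -1;
                *slot = n;
            }
            for (; *n; n++)
                if (fnmatch_core(ctx, p, n) == 0) return 0;
            return fnmatch_core(ctx, p, n);   /* '*' matching the empty tail */
        case '?':
            if (!*n) return -1;
            n++;
            break;
        default:
            if (c != *n) return -1;
            n++;
        }
    }
    return *n ? -1 : 0;
}

/* Match once with the naive (hardened == 0) or memoised (hardened != 0)
 * variant; store the match result and return the number of calls made. */
unsigned long run_match(const char *pattern, const char *name,
                        int hardened, int *result)
{
    struct match_ctx ctx = { pattern, NULL, 0 };
    if (hardened)
        ctx.tried = calloc(strlen(pattern) + 1, sizeof *ctx.tried);
    *result = fnmatch_core(&ctx, pattern, name);
    free(ctx.tried);
    return ctx.calls;
}
```

With the constructed pattern "********z" (eight wildcards) against a 24-character name containing no 'z', the naive variant makes over ten million recursive calls while the memoised one makes about two hundred; both return the same verdicts on matching and non-matching names.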

- Timeline

2004-11-09 Unknown
2004-11-09 2004-09-13

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Samba has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Samba Remote Wild Card Denial Of Service Vulnerability
Input Validation Error 11624
Yes No
2004-11-08 12:00:00 2006-10-18 11:19:00
Karol Wiesek is credited with the discovery of this issue.

- Affected program versions

Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 10_x86
Sun Solaris 10
SGI samba_irix 3.0.7
SGI samba_irix 3.0.6
SGI samba_irix 3.0.5
SGI samba_irix 3.0.4
SGI samba_irix 3.0.3
SGI samba_irix 3.0.2
SGI samba_irix 3.0.1
SGI samba_irix 3.0
SCO Unixware 7.1.4
Samba Samba 3.0.7
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ OpenPKG OpenPKG 2.2
+ S.u.S.E. Linux Personal 9.2
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Samba Samba 3.0.6
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
Samba Samba 3.0.5
Samba Samba 3.0.4
+ OpenPKG OpenPKG 2.1
+ S.u.S.E. Linux Personal 9.1
+ Slackware Linux 10.0
Samba Samba 3.0.3
Samba Samba 3.0.2
Samba Samba 3.0.1
Samba Samba 3.0
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Gentoo Linux
Conectiva Linux 10.0

- Vulnerability discussion

A remote denial-of-service vulnerability affects the wildcard filename functionality of Samba. This issue occurs because the application fails to properly validate malformed user-supplied strings.

An attacker may leverage this issue to cause the affected application to hang, effectively denying service to legitimate users.

- Exploit

No exploit is required to leverage this issue.

- Solution

The Samba Development Team has released a patch resolving this issue. Please see the referenced advisories for more information.


Sun Solaris 10_x86
Sun Solaris 10
Samba Samba 3.0.3
Samba Samba 3.0.4
Samba Samba 3.0.6
SGI samba_irix 3.0.7
Samba Samba 3.0.7
SCO Unixware 7.1.4

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.