January 19, 2017

Samaba Updated to Close Nine-Year-Old Security Hole

(LiveHacking.Com) – A new version of Samaba has been released to fix a nine year old security vulnerability that allows remote code execution as the “root” user from an anonymous connection. All versions of Samaba from Samba 3.0.x to 3.6.3 are affected. Samba 3.0.x was released in 2003 meaning that the vulnerability has been in the code base for almost a decade!

According to the security advisory the “code generator for Samba’s remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.” The problem revolves around memory allocation length checks which can be controlled by the connecting client. This means that a specially crafted RPC call can be used to cause the server to execute arbitrary code.

This is the most serious type vulnerability possible as it does not require an authenticated connection. Users and vendors are encouraged to patch their Samba installations immediately.

Affected Operating Systems

Samba is the open source implementation of the SMB/CIFS networking protocol used predominantly by Windows. It enables file and print sharing between Windows, Mac OS X, Linux and FreeBSD machines and often comes pre-installed on popular Linux distributions and is included in OS X from Apple.

Samba is also included on certain embedded devices like network storage and media sharing devices. Due to their embeedded nature it is likely that a new firmware release will be needed from the manufacturers, which in many cases won’t happen. If you use such a device you need to only use it on a trusted network.

The open source network attached storage solution FreeNAS has been updated to include the fixes. FreeNAS-8.0.4-RELEASE-p1 contains Samba 3.6.4 and can be downloaded from https://sourceforge.net/projects/freenas/files/FreeNAS-8.0.4/

Patch Availability

Patches are now available at http://www.samba.org/samba/security. Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been released to correct the defect and due to the seriousness of this vulnerability, patches have been released for all Samba versions currently out of support and maintenance from 3.0.37 onwards.

Windows File Sharing Vulnerability Found – Triggers Blue Screen of Death

An anonymous researcher has found and revealed a vulnerability in the SMB (Server Message Block) which affects the Windows file sharing (AKA CIFS / Common Internet File System) browser service.

The researcher also provided Proof-of-Concept (PoC) exploit code showing exactly how to exploit the vulnerability and how to force a blue screen of death.

Since this vulnerability was publicly disclosed and included PoC it means hackers and in a position to use it today to at least trigger a blue screen of death on target machines and in doing so mount a denial of service attack. Microsoft have responded with Vuln:Win/SMB.Browser.DoS!NIS-2011-0003 as a first response measure.

The vulnerability exists because the Microsoft Server Message Block (SMB) client implementation incorrectly handles malformed SMB messages. A function in the error-reporting module pushes the calling arguments into a pre-allocated fixed size buffer. And due to a bug in the length handling, this buffer can overflow.

This then results in a blue screen of death. Microsoft reckon that based on the nature of the bug remote code execution is theoretically possible, but not likely in practice.

Microsoft have also released notes on exploitability of the recent Windows BROWSER protocol issue with more technical information.