CVE-2007-6015

Experiment Environment

Ubuntu 9.04

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-6015/samba-3.0.27a.tar.gz
tar -xvf samba-3.0.27a.tar.gz

cd samba-3.0.27a/
./configure
make
sudo make install

Problems in Installation & Configuration

How to trigger vulnerability

Server:

/usr/local/samba/bin/smbd -i

Client:

gcc -o poc poc.c
./poc <uppercase victim's netbios name> 127.0.0.1

PoCs

Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow

Samba Send_MailSlot Stack-Based Buffer Overflow Vulnerability

Vulnerability Details & Patch

Root Cause

The buffer overflow is triggered by the call to "set_message()" in nmbd/nmbd_packets.c at line 1895. "set_message()" calls "memset()" to zero "dgram->data" + 35 for the requested length; when the combined length of the SAMLOGON GETDC response, username, workgroup, and local hostname is overly long, that length exceeds the 576-35 bytes available in the packet, and the memset() writes past the end of the buffer.

At first glance the vulnerability appears to be triggerable only in unusual configurations with an overly long local workgroup or hostname, because the NetBIOS Datagram packet is limited to 576 bytes. However, if an empty (two zero bytes) Unicode username is placed at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()" function called at line 365 in nmbd/nmbd_processlogon.c converts the whole GETDC string following the username into ascuser, which makes the buffer overflow reachable in standard configurations.
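The size budget described above, as an added model in C (not Samba's code): the SMB mailslot part is assumed to start at offset 35 of a 576-byte datagram, smb_size is assumed to be Samba's fixed 39-byte SMB header, and the mailslot name and payload are constructed. The check refuses the write before the memset() can run past the buffer.

```c
/* Constructed model of the send_mailslot() size budget; not Samba source. */
#include <stddef.h>
#include <string.h>

#define NB_DGRAM_MAX  576  /* NetBIOS datagram limit (from the advisory text) */
#define SMB_PART_OFF  35   /* SMB mailslot part starts at dgram->data + 35 */
#define SMB_HDR_SIZE  39   /* assumed: Samba's smb_size, fixed SMB header */
#define MAILSLOT_WCT  17   /* word count passed to set_message(ptr,17,...) */

/* Bytes the SMB part occupies: header, 17 two-byte words, NUL-terminated
 * mailslot name, then the datagram payload. */
static size_t mailslot_smb_len(const char *mailslot, size_t len)
{
    return SMB_HDR_SIZE + MAILSLOT_WCT * 2 + strlen(mailslot) + 1 + len;
}

/* Hardened write: reject before touching the buffer if the SMB part would
 * not fit in what is left after the datagram header. Returns the number of
 * bytes zeroed and filled, or 0 on rejection. The memset() mirrors the
 * zero-fill the advisory attributes to set_message(). */
size_t write_mailslot_part(unsigned char *dgram, size_t dgram_cap,
                           const char *mailslot,
                           const unsigned char *payload, size_t len)
{
    size_t need = mailslot_smb_len(mailslot, len);
    if (dgram_cap < SMB_PART_OFF || need > dgram_cap - SMB_PART_OFF)
        return 0;                          /* would overflow: refuse */
    unsigned char *ptr = dgram + SMB_PART_OFF;
    memset(ptr, 0, need);                  /* safe only because of the check */
    size_t off = SMB_HDR_SIZE + MAILSLOT_WCT * 2;
    memcpy(ptr + off, mailslot, strlen(mailslot) + 1);
    off += strlen(mailslot) + 1;
    memcpy(ptr + off, payload, len);
    return need;
}

/* Largest payload that still fits for a given mailslot name, or 0 if even
 * the name alone does not fit. */
size_t max_payload_len(const char *mailslot)
{
    size_t fixed = mailslot_smb_len(mailslot, 0);
    size_t avail = NB_DGRAM_MAX - SMB_PART_OFF;   /* 541 */
    return fixed > avail ? 0 : avail - fixed;
}

/* Convenience driver: constructed 576-byte datagram and an 'A'-filled payload. */
size_t try_write(const char *mailslot, size_t len)
{
    static unsigned char dgram[NB_DGRAM_MAX];
    static unsigned char payload[NB_DGRAM_MAX];
    memset(payload, 'A', sizeof payload);
    return write_mailslot_part(dgram, sizeof dgram, mailslot, payload, len);
}
```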

Stack Trace

Patch

diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c
index 83ea81d..548ace6 100644
--- a/source/libsmb/clidgram.c
+++ b/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
 
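Review bot: the bound `smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE` is measured from `ptr`, which after `ptr -= 4` sits some way into the datagram buffer rather than at its start; please confirm that MAX_DGRAM_SIZE already accounts for the datagram header that precedes the SMB part (the root-cause text puts that part at dgram->data + 35), or subtract that offset, otherwise a packet that passes this check can still run over the end of the buffer. The arithmetic also repeats what `set_message(ptr,17,strlen(mailslot) + 1 + len,True)` computes internally; a comment tying `17*2` to the word count passed to set_message() would help the next reader.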
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index bbcc1ec..1460f7d 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);

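Review bot: this check is byte-for-byte the same as the one added to cli_send_mailslot() in clidgram.c apart from the DEBUG string; factor it into a shared helper or macro so the two copies cannot drift. Also, since the oversized length here originates from a remote SAMLOGON request, a remote peer can make the server emit this `DEBUG(0, ...)` line at will; consider a higher debug level or rate limiting so the log cannot be flooded.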
References

https://bugs.gentoo.org/200773