
DOE-CIRC TECHNICAL BULLETIN

T-171: Samba Format String And Security Bypass Vulnerabilities

[CVE-2009-1888]

June 26, 2009 13:00 GMT

PROBLEM: Format string vulnerability in smbclient, and an uninitialized memory read in smbd's ACL handling.
PLATFORM: Samba versions 3.0.31 through 3.3.5 (the smbclient format string issue affects 3.2.0 through 3.2.12)
ABSTRACT: The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format string vulnerability where commands dealing with file names pass user input as the format string to asprintf. Separately, when smbd denies a request to modify an access control list (ACL), an uninitialized memory read can let a user who has write access to a file change its ACL anyway.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-171.shtml
  OTHER LINKS:
  Security Focus: http://www.securityfocus.com/bid/35472
  VUPEN Security: http://www.vupen.com/english/advisories/2009/1664
  Samba: http://us1.samba.org/samba/history/samba-3.3.6.html

  CVE: CVE-2009-1888

IMPACT ASSESSMENT: The risk is medium. An attack is unlikely because the malicious filename has to be entered by the user.

[***** Start CVE-2009-1888 *****]
Discussion:
Two vulnerabilities have been identified in Samba, which could be exploited by attackers or malicious users to bypass security restrictions or compromise a vulnerable system.

The first issue is caused by a format string error in the smbclient utility when processing filenames supplied with a command (e.g. "put"), which could allow attackers to crash an affected client or execute arbitrary code by tricking a user or automated system into executing a command with a malicious filename argument. Samba tracks this issue as CVE-2009-1886, as the patch file names under Solution below show.

The second vulnerability (CVE-2009-1888) is caused by an uninitialized memory read when denying permission to modify an access control list (ACL), which could allow malicious users to modify the ACLs of files they can write to.

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf.

An example is:

smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As is obvious, "aa%3Fbb" is interpreted as a format string: "%3F" is consumed as a floating-point conversion and asprintf reads a value that was never passed to it. With a maliciously crafted file name (for example one that a server offers to a client that fetches names from a listing), smbclient can be made to crash or execute code chosen by the server.

The attack from our point of view is rather unlikely because
the malicious filename has to be entered by the user. If smbclient
is used within scripts, an attack becomes possible.
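The two asprintf call shapes behind this bug, as an added example written for this bulletin rather than code taken from the Samba source. The function names and the fixed-string form are assumptions chosen for illustration; the point they make is the one in the advisory: once a user-controlled name becomes the format argument, every "%" in it is interpreted. The vulnerable variant is exercised only with "aa%%bb", whose "%%" directive is well defined and visibly alters the name; running it with "aa%3Fbb" would read a missing double from the argument list, which is the undefined behaviour the advisory describes.

```c
/* Added example (not Samba source): how a file name becomes a format
 * string, and two ways to stop it. Build with gcc/clang on a glibc or
 * BSD system that provides asprintf(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The compiler rightly warns about a non-literal format; silenced here
 * only so the vulnerable pattern can be shown in one file. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable shape (hypothetical reconstruction): the remote path is
 * first built into a buffer, and that buffer is then handed to asprintf
 * as its format argument, so the user's '%' sequences are interpreted. */
char *remote_path_vulnerable(const char *name)
{
    char *fmt = NULL, *out = NULL;
    if (asprintf(&fmt, "\\%s", name) < 0)
        return NULL;
    if (asprintf(&out, fmt) < 0)      /* BUG: fmt is user-controlled */
        out = NULL;
    free(fmt);
    return out;
}

/* Fixed shape: the format is a constant and the name is only ever a
 * "%s" argument, so "%3F" is copied literally instead of interpreted. */
char *remote_path_fixed(const char *name)
{
    char *out = NULL;
    if (asprintf(&out, "\\%s", name) < 0)
        return NULL;
    return out;
}

/* Defensive alternative when the format path cannot be changed: escape
 * every '%' as "%%" before the name reaches a printf-family function. */
char *escape_percent(const char *name)
{
    size_t n = strlen(name), extra = 0;
    for (const char *p = name; *p; p++)
        if (*p == '%')
            extra++;
    char *out = malloc(n + extra + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = name; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Pre-flight check a script wrapping smbclient could apply: any '%' in
 * a name means an unpatched client will interpret it. */
int count_percent(const char *name)
{
    int n = 0;
    for (const char *p = name; *p; p++)
        if (*p == '%')
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample names, not taken from any real share. */
    const char *benign = "aa%%bb";
    const char *advisory_name = "aa%3Fbb";

    char *v = remote_path_vulnerable(benign);
    char *f = remote_path_fixed(benign);
    printf("vulnerable: %s -> %s\n", benign, v);   /* "%%" collapses to "%" */
    printf("fixed:      %s -> %s\n", benign, f);   /* name kept verbatim   */
    free(v);
    free(f);

    char *esc = escape_percent(advisory_name);
    char *g = remote_path_fixed(advisory_name);
    printf("fixed:      %s -> %s (%d '%%' directive)\n",
           advisory_name, g, count_percent(advisory_name));
    printf("escaped:    %s -> %s\n", advisory_name, esc);
    free(esc);
    free(g);
    return 0;
}
```

The escaped form is what to use when the name must still flow through an asprintf whose format you do not control; the fixed form is the actual correction, and is what the Samba patches listed under Solution apply.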

Solution:
Upgrade to Samba version 3.0.35, 3.2.13, or 3.3.6:
http://us1.samba.org/samba/download/

Or apply the patch for Samba 3.3.5:
http://us1.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch

Or apply the patches for Samba 3.2.12 (one per CVE):
http://us1.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1886.patch
http://us1.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch

Or apply the patch for Samba 3.0.34:
http://us1.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch

[***** End CVE-2009-1888 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788