Samba vulnerable to malicious code injection
Security service provider Secunia has reported the discovery of a vulnerability in the Samba open source file and print server. A buffer overflow allows attackers to inject arbitrary code. To accomplish the code injection, users of Samba must be convinced to follow a link on a web page or in an email – such as an smb:// link – that points to a crafted Samba server. Manipulated packets sent to the server can also provoke the buffer overflow.
The flaw is in the client code, but according to the Samba advisory, as the smbd server process also acts as a client for some transactions, both client and server installations are affected. Due to inadequate buffer size allocation by the receive_smb_raw() function in file lib/util_sock.c, large SMB packets can provoke a heap-based buffer overflow. Arbitrary injected code can thereby be executed. The vulnerability can be exploited if the nmbd server is configured as a local or domain master browser and receives crafted packets.
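The defensive pattern for this class of bug, as an added C example that is not Samba's code: a receiver for length-prefixed packets that compares the sender-declared length against the capacity of the destination buffer before copying. The 4-byte header with a 24-bit big-endian length, the name recv_frame_checked and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4u  /* assumed framing: 1 type byte + 24-bit big-endian length */

/* Constructed sample frames (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_BIG[HDR_LEN + 200] = {0, 0, 0, 0xC8}; /* declares 200 */

/* Payload length announced by the peer; fully attacker-controlled. */
static size_t declared_len(const uint8_t *hdr)
{
    return ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | (size_t)hdr[3];
}

/*
 * Copy one frame (header + payload) from wire[] into buf[].
 * Returns the payload length, or -1 if the frame is truncated or
 * would not fit into the buflen bytes the caller actually allocated.
 */
long recv_frame_checked(const uint8_t *wire, size_t wire_len,
                        uint8_t *buf, size_t buflen)
{
    if (wire_len < HDR_LEN || buflen < HDR_LEN)
        return -1;
    size_t len = declared_len(wire);
    if (len > buflen - HDR_LEN)    /* declared size exceeds destination */
        return -1;
    if (len > wire_len - HDR_LEN)  /* peer promised more than it sent */
        return -1;
    memcpy(buf, wire, HDR_LEN + len);
    return (long)len;
}

int main(void)
{
    size_t cap = 64;               /* heap buffer smaller than SAMPLE_BIG */
    uint8_t *buf = malloc(cap);
    if (buf == NULL)
        return 1;
    printf("fits:      %ld\n", recv_frame_checked(SAMPLE_OK, sizeof SAMPLE_OK, buf, cap));
    printf("oversized: %ld\n", recv_frame_checked(SAMPLE_BIG, sizeof SAMPLE_BIG, buf, cap));
    free(buf);
    return 0;
}
```

Without the first length comparison, the memcpy would write 204 bytes into the 64-byte heap allocation, which is the heap-based overflow the advisory describes in general terms.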
The flaw affects Samba 3.0.28a and 3.0.29. Secunia also assumes that previous versions are vulnerable. According to the security advisory, a patch will soon be released, as will the patched version 3.0.30. Linux distributors can also be expected to begin distributing new packages soon. Administrators of Samba installations should install these updates as soon as possible.
- Samba "receive_smb_raw()" Buffer Overflow Vulnerability, Secunia's security advisory
- Download the current version of Samba