Samba vulnerabilities fixed
The developers of the open-source Samba server have released version 3.0.27 to resolve vulnerabilities that allowed attackers on the local network to inject specially crafted code into the server. Both holes were in the nmbd component of the server.
One of the vulnerabilities can be exploited if WINS support is activated via the wins support parameter in smb.conf. According to Secunia, attackers can exploit a boundary error within the reply_netbios_packet() function to cause a buffer overflow by sending multiple specially crafted name registration requests followed by name query requests. The buffer overflow can then be exploited to execute injected code.
Another buffer overflow can be triggered via specially crafted GETDC logon server requests when Samba is set up as a domain controller. The Samba developers have not released any details about this vulnerability but consider it unexploitable for attackers.
Samba versions 3.0.0 to 3.0.26a are affected. Administrators should update their Samba installations as soon as possible. Linux distributors are expected to release new Samba packages that don't contain the vulnerabilities in the near future.
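Until updated packages are installed, administrators can check which of the two nmbd issues their configuration actually enables. The following is an added example, not code from the Samba project or the advisories: the function names and sample configuration are constructed, and it assumes that `domain logons = yes` is the setting that marks a domain controller and that the version string has not been kept unchanged by a distributor backport.

```python
import re

# Affected range as stated in the article: 3.0.0 through 3.0.26a.
FIRST_AFFECTED, LAST_AFFECTED = (3, 0, 0, ""), (3, 0, 26, "a")
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_version(text):
    """Extract (major, minor, patch, letter) from e.g. 'Version 3.0.26a'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def global_params(conf_text):
    """Return [global] parameters keyed by name, lowercased, spaces removed."""
    # smb.conf ignores case and whitespace in parameter names.
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip().lower()
    return params

def nmbd_exposure(version_text, conf_text):
    """List which of the two nmbd issues this host's settings enable."""
    if not FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED:
        return []
    params = global_params(conf_text)
    findings = []
    if params.get("winssupport") in TRUE_VALUES:
        findings.append("WINS enabled: reply_netbios_packet() overflow applies")
    # Assumption: 'domain logons = yes' marks a domain controller.
    if params.get("domainlogons") in TRUE_VALUES:
        findings.append("Domain controller: GETDC overflow applies")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """
[global]
   WINS Support = Yes
   ; domain logons = yes
[share]
   wins support = no
"""
```

The version string can be taken from the output of `smbd -V` and the configuration text from smb.conf; an empty result means neither feature is enabled or the version is outside the affected range.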
- GETDC mailslot processing buffer overrun in nmbd, security advisory by Samba developers
- Remote Code Execution in Samba's nmbd, error report by Samba developers
- Samba "reply_netbios_packet()" Buffer Overflow Vulnerability, Secunia advisory
(mba)