Title: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. The Samba daemon is typically run with super user privileges.

A buffer overflow vulnerability has been reported for Samba that could allow an anonymous remote attacker to execute arbitrary code.

The vulnerability occurs in the 'call_trans2open()' function when copying data into a 1024 byte static buffer. Sufficient bounds checking is not performed when a call to the 'Strncpy()' function is invoked. The length argument supplied to 'Strncpy()' is exactly the length of the user-supplied data. As a result, an attacker could exploit this vulnerability by sending data in excess of 1024 bytes.

Successful exploitation of this vulnerability could allow an anonymous attacker to overwrite sensitive stack variables, including the 'open_trans2open()' functions' saved return address. The ability to influence sensitive memory could be leveraged by the attacker to execute arbitrary code with the privileges of the Samba server process.

Affected Products:

Apple Mac OS X 10.2.0
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.4
Caldera OpenLinux 2.3.0
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1.0
Caldera OpenLinux Workstation 3.1.1
Compaq Tru64 4.0.0 B
Compaq Tru64 4.0.0 D
Compaq Tru64 4.0.0 d PK9 (BL17)
Compaq Tru64 4.0.0 f
Compaq Tru64 4.0.0 f PK6 (BL17)
Compaq Tru64 4.0.0 f PK7 (BL18)
Compaq Tru64 4.0.0 g
Compaq Tru64 4.0.0 g PK3 (BL17)
Compaq Tru64 5.0.0
Compaq Tru64 5.0.0 PK4 (BL17)
Compaq Tru64 5.0.0 PK4 (BL18)
Compaq Tru64 5.0.0 a
Compaq Tru64 5.0.0 a PK3 (BL17)
Compaq Tru64 5.0.0 f
Compaq Tru64 5.1.0
Compaq Tru64 5.1.0 B
Compaq Tru64 5.1.0 PK3 (BL17)
Compaq Tru64 5.1.0 PK4 (BL18)
Compaq Tru64 5.1.0 PK5 (BL19)
Compaq Tru64 5.1.0 PK6 (BL20)
Compaq Tru64 5.1.0 a
Compaq Tru64 5.1.0 a PK1 (BL1)
Compaq Tru64 5.1.0 a PK2 (BL2)
Compaq Tru64 5.1.0 a PK3 (BL3)
Compaq Tru64 5.1.0 b PK1 (BL1)
Conectiva Linux 4.0.0
Conectiva Linux 4.0.0 es
Conectiva Linux 4.1.0
Conectiva Linux 4.2.0
Conectiva Linux 5.0.0
Conectiva Linux 5.1.0
Conectiva Linux 6.0.0
Conectiva Linux 7.0.0
Conectiva Linux 8.0.0
Conectiva Linux ecommerce
Conectiva Linux graficas
Debian Linux 2.1.0
Debian Linux 2.2.0
Debian Linux 2.2.0 68k
Debian Linux 2.2.0 alpha
Debian Linux 2.2.0 arm
Debian Linux 2.2.0 powerpc
Debian Linux 2.2.0 sparc
Debian Linux 2.3.0
Debian Linux 2.3.0 alpha
Debian Linux 2.3.0 powerpc
Debian Linux 2.3.0 sparc
Debian Linux 3.0.0
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
FreeBSD FreeBSD 4.6.0
FreeBSD FreeBSD 4.7.0
FreeBSD FreeBSD 4.8.0
FreeBSD FreeBSD 5.0.0
Gentoo Linux 1.4.0 _rc3
HP CIFS/9000 Server A.01.05
HP CIFS/9000 Server A.01.06
HP CIFS/9000 Server A.01.07
HP CIFS/9000 Server A.01.08
HP CIFS/9000 Server A.01.08.01
HP CIFS/9000 Server A.01.09
HP CIFS/9000 Server A.01.09.01
HP CIFS/9000 Server A.01.09.02
HP HP-UX 10.0.0 1
HP HP-UX 10.20.0
HP HP-UX 10.24.0
HP HP-UX 11.0.0
HP HP-UX 11.0.0 4
HP HP-UX 11.11.0
HP HP-UX 11.20.0
HP HP-UX 11.22.0
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Corporate Server 2.1.0 x86_64
MandrakeSoft Linux Mandrake 7.0.0
MandrakeSoft Linux Mandrake 7.1.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.0.0 ppc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.1.0 ppc
MandrakeSoft Linux Mandrake 9.2.0
MandrakeSoft Linux Mandrake 9.2.0 amd64
MandrakeSoft Multi Network Firewall 2.0.0
OpenPKG OpenPKG 1.0.0
OpenPKG OpenPKG 1.1.0
OpenPKG OpenPKG 1.2.0
Progeny Debian 1.0.0
RedHat Linux 4.2.0
RedHat Linux 5.2.0 i386
RedHat Linux 6.0.0
RedHat Linux 6.1.0 alpha
RedHat Linux 6.1.0 i386
RedHat Linux 6.1.0 sparc
RedHat Linux 6.2.0
RedHat Linux 6.2.0 E alpha
RedHat Linux 6.2.0 E i386
RedHat Linux 6.2.0 E sparc
RedHat Linux 6.2.0 alpha
RedHat Linux 6.2.0 i386
RedHat Linux 6.2.0 sparc
RedHat Linux 6.2.0 sparcv9
RedHat Linux 7.0.0
RedHat Linux 7.0.0 i386
RedHat Linux 7.0.0 i686
RedHat Linux 7.1.0
RedHat Linux 7.1.0 i386
RedHat Linux 7.1.0 i586
RedHat Linux 7.1.0 i686
RedHat Linux 7.2.0
RedHat Linux 7.2.0 athlon
RedHat Linux 7.2.0 i386
RedHat Linux 7.2.0 i586
RedHat Linux 7.2.0 i686
RedHat Linux 7.2.0 ia64
RedHat Linux 7.3.0
RedHat Linux 7.3.0 i386
RedHat Linux 7.3.0 i686
RedHat Linux 8.0.0
RedHat Linux 8.0.0 i386
RedHat Linux 8.0.0 i686
RedHat Linux 9.0.0 i386
S.u.S.E. Linux 7.1.0
S.u.S.E. Linux 7.1.0 alpha
S.u.S.E. Linux 7.1.0 ppc
S.u.S.E. Linux 7.1.0 sparc
S.u.S.E. Linux 7.1.0 x86
S.u.S.E. Linux 7.2.0
S.u.S.E. Linux 7.2.0 i386
S.u.S.E. Linux 7.3.0
S.u.S.E. Linux 7.3.0 i386
S.u.S.E. Linux 7.3.0 ppc
S.u.S.E. Linux 7.3.0 sparc
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
S.u.S.E. Linux 8.1.0
S.u.S.E. Linux Personal 8.2.0
SCO eDesktop 2.4.0
SCO eServer 2.3.1
Samba Samba 2.0.0 .0
Samba Samba 2.0.1
Samba Samba 2.0.10
Samba Samba 2.0.2
Samba Samba 2.0.3
Samba Samba 2.0.4
Samba Samba 2.0.5
Samba Samba 2.0.6
Samba Samba 2.0.7
Samba Samba 2.0.8
Samba Samba 2.0.9
Samba Samba 2.2.0 .0
Samba Samba 2.2.0 .0a
Samba Samba 2.2.1 a
Samba Samba 2.2.2
Samba Samba 2.2.3 a
Samba Samba 2.2.3 a
Samba Samba 2.2.4
Samba Samba 2.2.5
Samba Samba 2.2.6
Samba Samba 2.2.7
Samba Samba 2.2.7 a
Samba Samba 2.2.8
Samba-TNG Samba-TNG 0.3.0
Samba-TNG Samba-TNG 0.3.1
Slackware Linux 8.0.0
Slackware Linux 8.1.0
Sun Cobalt Qube3 4000WG
Sun Cobalt RaQ 550 4100R
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ4 3001R
Sun LX50
Sun Linux 5.0.0
Sun Linux 5.0.6
Sun Solaris 2.5.1
Sun Solaris 2.5.1_ppc
Sun Solaris 2.5.1_x86
Sun Solaris 2.6
Sun Solaris 2.6_x86
Sun Solaris 7.0
Sun Solaris 7.0_x86
Sun Solaris 8
Sun Solaris 8_x86
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 9_x86 Update 2
Trustix Secure Linux 1.1.0
Trustix Secure Linux 1.2.0
Trustix Secure Linux 1.5.0
Turbolinux Appliance Server Hosting Edition 1.0.0
Turbolinux Appliance Server Workgroup Edition 1.0.0
Turbolinux Home
Turbolinux Turbolinux Desktop 10.0.0
Turbolinux Turbolinux Server 7.0.0
Turbolinux Turbolinux Server 8.0.0
Turbolinux Turbolinux Workstation 7.0.0
Turbolinux Turbolinux Workstation 8.0.0
Veritas Software ServPoint NAS 1.1.0
Veritas Software ServPoint NAS 1.2.0
Veritas Software ServPoint NAS 1.2.1
Veritas Software ServPoint NAS 1.2.2
Veritas Software ServPoint NAS 3.5.0
WireX Immunix OS 6.2.0
WireX Immunix OS 7+
WireX Immunix OS 7.0.0
WireX Immunix OS 7.0.0 -Beta

References:

Apple: Apple Security Updates
CORE Security: SAMBA trans2 exploit
Digital Defense: Buffer Overflow in Samba allows remote root compromise
Metasploit: Metasploit Framework Exploits
Samba: Samba Homepage
Samba-TNG: Samba-TNG Homepage
Sun: Sun Alert ID: 53581
Sun: Sun Linux Support - Sun Linux Patches
Sun Microsystems: Sun Alert ID: 53924
Veritas Software: TechNote ID: 256903

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.

J-Security Center

Title: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Affected Products:

References: