SMB: Samba NDR Parsing ndr_pull_dnsp_name Integer Overflow

An integer overflow vulnerability exists in Samba. The vulnerability is due to incorrect parsing of crafted NDR data in the ndr_pull_dnsp_name() function, resulting in an integer overflow that leads to a heap buffer overflow. A remote, authenticated attacker could exploit this vulnerability by sending malicious packets to a vulnerable Samba service configured as an Active Directory Domain Controller. A successful attack could result in arbitrary code execution with root privileges, while an unsuccessful attack will cause the service to terminate or stop responding.

Extended Description

A flaw was found in Samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.

Affected Products

Samba samba

Short Name
SMB:SAMBA-INTEGER-OVERFLOW
Severity
Major
Recommended
True
Recommended Action
Drop
Category
SMB
Keywords
CVE-2016-2123 Integer NDR Overflow Parsing Samba ndr_pull_dnsp_name
Release Date
02/21/2017
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3337
False Positive
Unknown
Vendors

Samba

CVSS Score

6.5