heise Security IT security news and services at heise Security UK
11 December 2007, 11:43

Vulnerability closed in Samba file and printer server

The developers of Samba have released a new version of their open source file and printer server to close a vulnerability. According to the security advisory, specially crafted packets sent to the server can be used to inject code via the LAN and execute it with the server's rights. The flaw is caused by a buffer overflow in the send_mailslot function of the nmb service. A SAMLOGON domain logon packet can be used to provoke the overflow if the username is at a critical position and is followed by a very long GETDC request.

The attack only works if the option domain logons = yes is set, which is generally only the case if Samba is working as a domain controller. The flaw affects all versions of Samba from 3.0.0 up to and including 3.0.27a. The hole has been closed in version 3.0.28. As a workaround, users can also set the option to domain logons = no. As recently as mid-November, version 3.0.27a remedied a security hole related to domain logins.
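
A check along the following lines tells an administrator whether a host matches both conditions given above: a version from 3.0.0 to 3.0.27a and domain logons enabled in the [global] section of smb.conf. It is an added example, not code from the Samba project or the advisory; the function names, the sample configuration and the sample version string are constructed, include directives are not followed, and distribution packages with backported fixes may still report an affected version number.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}   # boolean "on" spellings documented for smb.conf
FIRST_AFFECTED = (3, 0, 0, "")
LAST_AFFECTED = (3, 0, 27, "a")      # the article gives 3.0.28 as the fixed release

def parse_version(text):
    """Turn e.g. 'Version 3.0.27a' into (3, 0, 27, 'a'); None if no version found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None

def version_affected(text):
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED

def domain_logons_enabled(conf_text):
    """True if the [global] section sets 'domain logons' to a true value."""
    conf_text = re.sub(r"\\\r?\n", "", conf_text)   # join backslash-continued lines
    section, enabled = "", False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names are case-insensitive and whitespace in them is ignored.
        if re.sub(r"\s+", "", name).lower() == "domainlogons":
            enabled = value.strip().lower() in TRUE_VALUES   # assumed: last assignment wins
    return enabled

def exposed(version_text, conf_text):
    """Both conditions from the article: affected version and domain logons on."""
    return version_affected(version_text) and domain_logons_enabled(conf_text)

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   Domain Logons = Yes
[homes]
   browseable = no
"""

if __name__ == "__main__":
    print(exposed("Version 3.0.27a", SAMPLE_CONF))   # sample version string is constructed
```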

(mba)