Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors.

According to its banner, the version of Samba is 2.2.x earlier than 2.2.10, or 3.0.x earlier than 3.0.5, and is therefore affected by a flaw related to setting the option 'mangling method' to 'hash' in 'smb.conf' (which is not the default setting), and may allow an attacker to cause a buffer overflow.  No further details have been provided.

Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected.

Another buffer overflow bug has been found in the code used to support the 'mangling method = hash' smb.conf option. The default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.

New samba packages are available for Slackware 8.1, 9.0, 9.1, 10.0 and -current to fix security issues.

The remote host is affected by the vulnerability described in GLSA-200407-21 (Samba: Multiple buffer overflows)

    Evgeny Demidov found a buffer overflow in SWAT, located in the base64 data     decoder used to handle HTTP basic authentication (CAN-2004-0600). The same     flaw is present in the code used to handle the sambaMungedDial attribute     value, when using the ldapsam passdb backend. Another buffer overflow was     found in the code used to support the 'mangling method = hash' smb.conf     option (CAN-2004-0686). Note that the default Samba value for this option     is 'mangling method = hash2' which is not vulnerable.
  Impact :

    The SWAT authentication overflow could be exploited to execute arbitrary     code with the rights of the Samba daemon process. The overflow in the     sambaMungedDial handling code is not thought to be exploitable. The buffer     overflow in 'mangling method = hash' code could also be used to execute     arbitrary code on vulnerable configurations.
  Workaround :

    Users disabling SWAT, not using ldapsam passdb backends and not using the     'mangling method = hash' option are not vulnerable.

A vulnerability was discovered in SWAT, the Samba Web Administration Tool. The routine used to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. This same code is also used to internally decode the sambaMungedDial attribute value when using the ldapsam passdb backend, and to decode input given to the ntlm_auth tool.

This vulnerability only exists in Samba versions 3.0.2 or later; the 3.0.5 release fixes the vulnerability. Systems using SWAT, the ldapsam passdb backend, and tose running winbindd and allowing third- party applications to issue authentication requests via ntlm_auth tool should upgrade immediately. (CVE-2004-0600)

A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. This bug is present in Samba 3.0.0 and later, as well as Samba 2.2.X (CVE-2004-0686)

This update also fixes a bug where attempting to print in some cases would cause smbd to exit with a signal 11.

Updated samba packages that fix a buffer overflow issue are now available.

Samba provides file and printer sharing services to SMB/CIFS clients.

The Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0686 to this issue.

All users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.10, which is not vulnerable to this issue.

The remote host is missing the patch for the advisory SUSE-SA:2004:022 (samba).


The Samba Web Administration Tool (SWAT) was found vulnerable to a buffer overflow in its base64 code. This buffer overflow can possibly be exploited remotely before any authentication took place to execute arbitrary code.
The same piece of vulnerable code was also used in ldapsam passdb and in the ntlm_auth tool.
This vulnerability only exists on Samba 3.0.2 to 3.0.4.

Another buffer overflow was found in Samba 3.0.0 and later, as well as in Samba 2.2.x. This overflow exists in the hash code of the mangling method (smb.conf: mangling method = hash), the default uses hash2 which is not vulnerable.

There is no temporary workaround known. The first proof-of-concept exploits were seen on public mailing lists.

After the installation was successfully completed please restart the samba daemon.
/usr/sbin/rcsmb restart

SWAT is called by inetd/xinetd. Therefore it is sufficient to kill all running instances of SWAT only.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

Updated samba packages that fix buffer overflows, as well as other various bugs, are now available.

Samba provides file and printer sharing services to SMB/CIFS clients.

Evgeny Demidov discovered a flaw in the internal routine used by the Samba Web Administration Tool (SWAT) in Samba versions 3.0.2 through 3.0.4. When decoding base-64 data during HTTP basic authentication, an invalid base-64 character could cause a buffer overflow. If the SWAT administration service is enabled, this flaw could allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0600 to this issue.

Additionally, the Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0686 to this issue.

This release includes the updated upstream version 3.0.4 together with backported security patches to correct these issues as well as a number of post-3.0.4 bug fixes from the Samba subversion repository.

The most important bug fix allows Samba users to change their passwords if Microsoft patch KB 828741 (a critical update) had been applied.

All users of Samba should upgrade to these updated packages, which resolve these issues.

The remote Samba server, according to its version number, is vulnerable to a buffer overflow if the option 'mangling method' is set to 'hash' in smb.conf (which is not the case by default).

An attacker may exploit this flaw to execute arbitrary commands on the remote host.

ID	Name	Product	Family	Severity
9339	Samba 2.2.x < 2.2.10 / 3.0.x < 3.0.5 Buffer Overflow	Nessus Network Monitor	Samba	medium
37185	FreeBSD : Multiple Potential Buffer Overruns in Samba (2de14f7a-dad9-11d8-b59a-00061bc2ad93)	Nessus	FreeBSD Local Security Checks	critical
18774	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : new samba packages (SSA:2004-207-01)	Nessus	Slackware Local Security Checks	critical
14554	GLSA-200407-21 : Samba: Multiple buffer overflows	Nessus	Gentoo Local Security Checks	critical
14170	Mandrake Linux Security Advisory : samba (MDKSA-2004:071)	Nessus	Mandriva Local Security Checks	critical
13846	RHEL 2.1 : samba (RHSA-2004:404)	Nessus	Red Hat Local Security Checks	medium
13838	SUSE-SA:2004:022: samba	Nessus	SuSE Local Security Checks	critical
13658	RHEL 3 : samba (RHSA-2004:259)	Nessus	Red Hat Local Security Checks	critical
13657	Samba Mangling Method Hash Overflow	Nessus	Gain a shell remotely	medium

Detections

Analytics

CVE-2004-0686

critical

Tenable Plugins

medium

critical

critical

critical

critical

medium

critical

critical

medium