what you don't know can hurt you

Samba nttrans Replay Integer Overflow

Samba nttrans Replay Integer Overflow
Posted Aug 21, 2013
Authored by x90c

This is a brief paper detailing the Samba nttrans reply integer overflow vulnerability.

tags | paper, overflow
advisories | CVE-2013-4124
MD5 | 2dd13b92c134e4d1285d33a405573e06
Download | Favorite | Comments (0)

Samba nttrans Replay Integer Overflow

Change Mirror Download

Exploitation: samba nttrans reply integer overflow

                                    ___    ___        
                                   / _ \  / _ \     
                            __  __| (_) || | | |  ___ 
                            \ \/ / \__. || | | | / __| 
                             >  <    / / | |_| || (__ 
                            /_/\_\  /_/   \___/  \___|


CVE-2013-4124 samba integer overflow in nttrans 
reply reading ea_list

vulnerable samba daemon has a integer overflow 
to cause remote dos by nttrans reply while the 
daemon reading ea_list. In the detail, unsigned
data type offset variable in vulnerable function 
of read_nttrans_ea_list can be wrap up! security
bug! 


x90c

[vulnerable versions]
    - samba 3.5.22 <=
    - samba 3.6.17 <=
    - samba 4.0.8 <=

[call graph]
+reply_nttrans  // reply nttrans
    +->handle_nttrans
        +-> call_nt_transact_create  // transact!
            -> read_nttrns_ea_list(vulnerable function)

[security bug analyze]
smbd/nttrans.c
---- snip ---- snip ---- snip ---- snip ----
971 /****************************************************************************
 972  Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
 973 ****************************************************************************/
 974 EA names, data from samba incoming buffer!
 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)  // *pdata is inject vector
 976 {
 977         struct ea_list *ea_list_head = NULL;
 978         size_t offset = 0;  // unisigned
 979 
 980         if (data_size < 4) {
 981                 return NULL;
 982         }
 983 
 984         while (offset + 4 <= data_size) {  // XXX (3) if offset is wrap up then it enters the loop continuly
 985                 size_t next_offset = IVAL(pdata,offset);  // unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!
// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! 
 986                 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
 987 
 988                 if (!eal) {
 989                         return NULL;
 990                 }
 991 
 992                 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
 993                 if (next_offset == 0) {
 994                         break;
 995                 }
 996 
 997                 /* Integer wrap protection for the increment. */    // XXX patch code
 998                 if (offset + next_offset < offset) {
 999                         break;
1000                 }
1001 
1002                 offset += next_offset;  // XXX (2) if next_offset is large value then offset is wrap!
1003 
1004                 /* Integer wrap protection for while loop. */  // XXX patch code
1005                 if (offset + 4 < offset) {
1006                         break;
1007                 }
1008 
1009         }
1010 
1011         return ea_list_head;
1012 }
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
1014 /****************************************************************************
1015  Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1016 ****************************************************************************/
1017 
1018 static void call_nt_transact_create(connection_struct *conn,
1019                                     struct smb_request *req,
1020                                     uint16 **ppsetup, uint32 setup_count,
1021                                     char **ppparams, uint32 parameter_count,
1022                                     char **ppdata, uint32 data_count,
1023                                     uint32 max_data_count)
1024 {
...
1148                 /* We have already checked that ea_len <= data_count here. */
1149                 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1150                                                ea_len);
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
2639 static void handle_nttrans(connection_struct *conn,
2640                            struct trans_state *state,
2641                            struct smb_request *req)
2642 {
...
2651         /* Now we must call the relevant NT_TRANS function */
2652         switch(state->call) {
2653                 case NT_TRANSACT_CREATE:  // NT_TRANSACT_CREATE!
2654                 {
2655                         START_PROFILE(NT_transact_create);
2656                         call_nt_transact_create(
2657                                 conn, req,
2658                                 &state->setup, state->setup_count,
2659                                 &state->param, state->total_param,
2660                                 &state->data, state->total_data,
2661                                 state->max_data_return);
2662                         END_PROFILE(NT_transact_create);
2663                         break;
2664                 }
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
2770 /****************************************************************************
2771  Reply to a SMBNTtrans.
2772 ****************************************************************************/
2773 
2774 void reply_nttrans(struct smb_request *req)  // smb_request!
2775 {
...
2945         if ((state->received_data == state->total_data) &&
2946             (state->received_param == state->total_param)) {
2947                 handle_nttrans(conn, state, req);
---- snip ---- snip ---- snip ---- snip ----

[exploitability]

    * keywords:
    - samba incoming data
    - EA names
    - data
    - 0xf1000000
    - SMB NTTRANS
    - Samba reply_nttrans() Remote Root Exploit
      (http://www.securiteam.com/exploits/5TP0M2AAKS.html)
    - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)
    - SMBtrans
    - http://ubiqx.org/cifs/SMB.html



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2015

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    2 Files
  • 2
    Feb 2nd
    17 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    16 Files
  • 5
    Feb 5th
    14 Files
  • 6
    Feb 6th
    4 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2015 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
Global Mirror List
close