[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerability in Samba 2.2.10 and older

Subject: Re: Vulnerability in Samba 2.2.10 and older
From: Takahiro Kambe <taca@back-street.net>
To: tron@NetBSD.org
Date: Wed, 01 Sep 2004 17:02:04 +0900 (JST)
Message-Id: <20040901.170204.74739690.taca@back-street.net>
In-Reply-To: <20040901.000941.123923894.taca@back-street.net>
References: <20040831.204459.32627944.taca@back-street.net><20040831122941.GA8768@colwyn.zhadum.de><20040901.000941.123923894.taca@back-street.net>
Cc: tech-pkg-ja@jp.NetBSD.org, kim@NetBSD.org
Delivered-To: mailing list tech-pkg-ja@jp.netbsd.org
Mailing-List: contact tech-pkg-ja-help@jp.netbsd.org; run by ezmlm-idx

Just FYI.

In message <20040901.000941.123923894.taca@back-street.net>
	on Wed, 01 Sep 2004 00:09:41 +0900 (JST),
	Takahiro Kambe <taca@back-street.net> wrote:
> > We might even be able to remove that entry if we know for sure that
> > this bug doesn't crash the main Samba server process.
> I don't know in detail and I don't want to read (or understand)
> Samba's codes.  ;-p
This problem is caused by authenticated user only.


-- 
Takahiro Kambe <taca@back-street.net>


Message-ID: <20040831203328.1535.qmail@www.securityfocus.com>
Subject: Samba FindNextPrintChangeNotify() Error Lets Remote Authenticated Users Crash smbd
Date: 31 Aug 2004 20:33:28 -0000
From: "J�r�me" ATHIAS <jerome.athias@caramail.com>
To: bugtraq@securityfocus.com
Precedence: bulk
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
X-Original-To: taca@back-street.net
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
X-Mew: From: has raw text strings.
       tab/spc characters on Subject: are simplified.



Date:  Mon, 30 Aug 2004 23:42:49 -0400
Subject:  http://samba.org/samba/history/samba-2.2.11.html
 
The Samba 2.2.11 release addresses the following bug:
 
  o Crashes in smbd triggered by a Windows XP SP2 client sending
    a FindNextPrintChangeNotify() request without previously
    issuing FindFirstPrintChangeNotify().


Impact:  Denial of service via network
 
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes   
 
Version(s): prior to 3.0.6, prior to 2.2.11 
 
Description:  A vulnerability was reported in Samba. A remote authenticated user can cause smbd to crash. 

The vendor reported that a remote authenticated user can send a FindNextPrintChangeNotify() request without having previously sent a corresponding FindFirstPrintChangeNotify() requeste to cause smbd to crash.

This behavior can be triggered by a Windows XP SP2 client.

The flaw resides in printer_notify_info() in 'rpc_server/srv_spoolss_nt.c'.

Craig Huegen reported this flaw to the vendor. 
 
Impact:  A remote authenticated user can cause smbd to crash.
 
Solution:  The vendor has released a fixed version (3.0.6 and 2.2.11), available at:

http://samba.org/samba/download/

Follow-Ups:
- Re: Vulnerability in Samba 2.2.10 and older
  - From: Matthias Scheler <tron@NetBSD.org>

References:
- Re: Vulnerability in Samba 2.2.10 and older
  - From: Takahiro Kambe <taca@back-street.net>

Prev by Date: Re: Vulnerability in Samba 2.2.10 and older
Next by Date: Re: Vulnerability in Samba 2.2.10 and older
Prev by thread: Re: Vulnerability in Samba 2.2.10 and older
Next by thread: Re: Vulnerability in Samba 2.2.10 and older
Index(es):
- Date
- Thread