
Samba <3.6.4 (CVE-2012-1182): remote execution of arbitrary code with root privileges

Samba 3.6.3 and all earlier versions are vulnerable to remote execution of arbitrary code with root privileges. An anonymous, unauthenticated user can carry out the attack; access to the Samba network port is sufficient.

All Samba versions from 3.0.x through 3.6.3 inclusive are affected. All Samba users are encouraged to upgrade to the published corrective releases as a matter of urgency. Patches have also been prepared for Samba branches that are no longer supported.


The vulnerability was identified by participants of the Zero Day Initiative, and the problem was first reported as early as March 15th. It is likely that a 0-day exploit exists in the wild.

The problem is caused by an error in the code generator for the RPC (Remote Procedure Call) mechanism, which produces unsafe code for handling RPC calls received over the network. Because of the error, the variable that carries the size of the array and the variable that carries the amount of memory requested for that array are checked independently of each other. Both values are set on the client side and are fully controlled by the client. It is therefore possible to send an array that is deliberately larger than the buffer allocated for it can hold, so that the "tail" of the array overwrites other data structures.
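The missing cross-check described above, as an added example in C. This is a simplified model written for this page, not Samba's or its code generator's own code: the wire layout, `MAX_ELEMS` and every function name are hypothetical. It contrasts validation that looks at each count in isolation with a decoder that also compares the two counts before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 1024u /* assumed sanity cap, not a Samba constant */

/* Constructed layout: u32 alloc_count, u32 copy_count, then u32 elements. */
typedef struct { uint32_t alloc_count, copy_count; const uint8_t *elems; size_t avail; } hdr_t;

static int parse_hdr(const uint8_t *buf, size_t len, hdr_t *h) {
    if (len < 8) return -1;
    memcpy(&h->alloc_count, buf, 4);
    memcpy(&h->copy_count, buf + 4, 4);
    h->elems = buf + 8;
    h->avail = (len - 8) / 4; /* whole elements actually present */
    return 0;
}
/* Flawed pattern: each count is validated alone; returns 1 if accepted. */
int independent_checks_pass(const uint8_t *buf, size_t len) {
    hdr_t h;
    if (parse_hdr(buf, len, &h) != 0) return 0;
    if (h.alloc_count == 0 || h.alloc_count > MAX_ELEMS) return 0;
    return h.copy_count <= h.avail; /* enough input, but never compared to alloc_count */
}
/* Hardened: also requires copy_count <= alloc_count before copying.
 * Returns elements copied or -1 on rejection; caller frees *out. */
long pull_array_checked(const uint8_t *buf, size_t len, uint32_t **out) {
    hdr_t h;
    *out = NULL;
    if (!independent_checks_pass(buf, len) || parse_hdr(buf, len, &h) != 0) return -1;
    if (h.copy_count > h.alloc_count) return -1; /* the missing cross-check */
    if ((*out = calloc(h.alloc_count, sizeof **out)) == NULL) return -1;
    memcpy(*out, h.elems, (size_t)h.copy_count * sizeof **out);
    return (long)h.copy_count;
}
/* Builds a constructed sample message (host byte order, demo only). */
size_t make_msg(uint8_t *buf, uint32_t alloc_count, uint32_t copy_count) {
    memcpy(buf, &alloc_count, 4);
    memcpy(buf + 4, &copy_count, 4);
    memset(buf + 8, 0x41, (size_t)copy_count * 4);
    return 8 + (size_t)copy_count * 4;
}
int main(void) {
    uint8_t buf[8 + 64 * 4]; uint32_t *out;
    size_t n = make_msg(buf, 4, 64); /* claims 4 slots, carries 64 elements */
    printf("independent=%d cross-checked=%ld\n",
           independent_checks_pass(buf, n), pull_array_checked(buf, n, &out));
    return 0;
}
```

A message whose two counts are each plausible on their own passes the isolated checks, which is why the comparison between them has to be an explicit step in any hand-written or generated unmarshalling code.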

https://www.samba.org/samba/security/CVE-2012-1182

Source: https://habr.com/ru/post/141829/

