From owner-freebsd-bugs@FreeBSD.ORG Tue Dec 11 16:30:01 2007
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Tue, 11 Dec 2007 16:30:01 GMT
Resent-Message-Id: <200712111630.lBBGU15M056704@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Denis Eremenko
Message-Id: <200712111626.lBBGQOX9075957@www.freebsd.org>
Date: Tue, 11 Dec 2007 16:26:24 GMT
From: Denis Eremenko
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/118554: Samba "send_mailslot()" Buffer Overflow Vulnerability (remote code execution)
List-Id: Bug reports
X-List-Received-Date: Tue, 11 Dec 2007 16:30:01 -0000

>Number:         118554
>Category:       misc
>Synopsis:       Samba "send_mailslot()" Buffer Overflow Vulnerability (remote code execution)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 11 16:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Denis Eremenko
>Release:        6-STABLE
>Organization:
>Environment:
>Description:
http://secunia.com/advisories/27760/

"The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Prior versions may also be affected."
>How-To-Repeat:
>Fix:
Update to version 3.0.28 or apply patch.

Patch for Samba 3.0.27a:
http://us3.samba.org/samba/ftp/patche...ity/samba-3.0.27a-CVE-2007-6015.patch
>Release-Note:
>Audit-Trail:
>Unformatted:
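A triage check added here as an example; it is not part of the PR or of Samba. It applies the two conditions the report gives (Samba older than 3.0.28, and "domain logons" enabled in smb.conf) to a version string and a config file, using a constructed sample smb.conf; the handling of "Version X" input assumes the prefix that `smbd -V` prints.

```shell
# Added triage helper (not from the PR or Samba). Per the report a host is
# exposed to the send_mailslot() overflow only if it runs Samba older than
# 3.0.28 AND smb.conf enables "domain logons"; check both before patching.

# Return 0 when VERSION ("3.0.27a", or "Version 3.0.27a" as smbd -V is
# assumed to print) is older than 3.0.28, 1 when fixed, 2 when unparseable.
samba_version_vulnerable() {
    v=$(printf '%s' "$1" | sed -e 's/^Version //' -e 's/[^0-9.].*$//')
    [ -n "$v" ] || return 2
    set -- $(printf '%s.0.0' "$v" | tr . ' ')   # pad so "3.0" has 3 fields
    [ "$1" -lt 3 ] && return 0
    [ "$1" -gt 3 ] && return 1
    [ "$2" -gt 0 ] && return 1
    [ "$3" -lt 28 ]
}

# Return 0 when CONF enables "domain logons" in [global]. Samba ignores
# case and whitespace in parameter names, accepts yes/true/1, treats ';'
# and '#' lines as comments, and lets the last occurrence win.
domain_logons_enabled() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z0-9]/, "", sect); next }
        sect == "global" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (tolower(key) == "domainlogons")
                found = (tolower(val) ~ /^(yes|true|1)$/)
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample smb.conf (not taken from any real host), PDC style.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; the setting that makes this bug reachable
    Domain Logons = Yes
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
if samba_version_vulnerable "3.0.27a" && domain_logons_enabled "$conf"; then
    echo "EXPOSED: Samba 3.0.27a with domain logons enabled; update to 3.0.28"
fi
rm -f "$conf"
```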