May 2007
Four iDefense Security Advisories: Samba SAMR, Solaris SRS Proxy Core srsexec, Novell NetMail NMDMC, Apple Darwin Streaming Proxy
ID: 131
Ref: 073/2007
Date: 15 May 2007 12:23:34
Version: 1
Title: Four iDefense Security Advisories: Samba SAMR, Solaris SRS Proxy Core srsexec, Novell NetMail NMDMC, Apple Darwin Streaming Proxy
Abstract: 1. Samba SAMR Change Password Remote Command Injection Vulnerability 2. Sun Microsystems Solaris SRS Proxy Core srsexec Arbitrary File Read Vulnerability 3. Novell NetMail NMDMC Buffer Overflow Vulnerability 4. Apple Darwin Streaming Proxy Multiple Vulnerabilities
Vendors affected: multiple
1.
Samba SAMR Change Password Remote Command Injection Vulnerability
Advisory link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
I. BACKGROUND
Samba is a Unix server application that implements Windows file sharing and domain controller functionality. SAMR is the named pipe (MS-RPC interface) used to access the SAM (Security Accounts Manager) database, which stores account credentials on NT-based systems. More information can be found at the following URL.
http://samba.org/samba/
II. DESCRIPTION
Remote exploitation of a command injection vulnerability within Samba Project's Samba could allow an attacker to execute arbitrary shell commands with the privileges of the nobody user.
The vulnerability exists within the code responsible for updating a user's password in the SAM database. When the 'username map script' option is configured, the username supplied in the request is substituted into that script's command line and passed, unescaped, to "/bin/sh". Shell metacharacters in the username are therefore interpreted by the shell, which allows an attacker to execute arbitrary shell commands with the privileges of the nobody user.
III. ANALYSIS
Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands with the privileges of the nobody user.
An important mitigating factor is that this vulnerability occurs within a non-default configuration of Samba. Specifically, the 'username map script' option must be defined in the smb.conf file.
Valid credentials are not needed to exploit this vulnerability. A password change can only succeed if the original password is supplied, but the injected command runs regardless of whether the change attempt succeeds or fails.
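The pattern behind this bug, shown as an added example that is not Samba code: a helper that interpolates an untrusted username into a command line and hands it to /bin/sh, beside one that passes the same string as a single argv element and never involves a shell. The stand-in "script" (plain `echo`), the attacker-supplied username and the `is_plain_username` allow-list are all constructed for the demo; Samba's actual fix escaped the input before it reached the script.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable shape (the bug class in CVE-2007-2447): the untrusted username
 * is interpolated into a command line that /bin/sh then parses, so backticks,
 * ';' and '|' in the name are executed.  popen() is used rather than system()
 * only so the demo can capture the output; the shell is the problem. */
int run_map_script_vuln(const char *script, const char *user,
                        char *out, size_t outlen)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "%s %s", script, user) >= (int)sizeof cmd)
        return -1;
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return -1;
    size_t n = fread(out, 1, outlen - 1, fp);
    out[n] = '\0';
    return pclose(fp);
}

/* Hardened: no shell at all.  fork+execvp hands the username to the script
 * as one argv element, so every character in it is literal. */
int run_map_script_safe(const char *script, const char *user,
                        char *out, size_t outlen)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child: stdout -> pipe, exec */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *const argv[] = { (char *)script, (char *)user, NULL };
        execvp(script, argv);
        _exit(127);
    }
    close(pfd[1]);                          /* parent: collect the output */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 &&
           (r = read(pfd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Defence in depth (assumed allow-list, not Samba's): refuse names outside a
 * conservative character set so a shell-based map script downstream cannot
 * be abused either. */
int is_plain_username(const char *user)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-@";
    return *user != '\0' && user[strspn(user, ok)] == '\0';
}

int main(void)
{
    /* Constructed attacker-supplied username; "echo" stands in for the
     * administrator's username map script. */
    const char *user = "`echo INJECTED`";
    char out[128];

    run_map_script_vuln("echo", user, out, sizeof out);
    printf("via /bin/sh : %s", out);       /* INJECTED        (command ran) */
    run_map_script_safe("echo", user, out, sizeof out);
    printf("via execvp  : %s", out);       /* `echo INJECTED` (literal)     */
    printf("plain name? : %d\n", is_plain_username(user));   /* 0 */
    return 0;
}
```

The first call prints `INJECTED` because the shell evaluated the backticks; the second prints the backticks themselves because execvp passed them through untouched. Removing 'username map script' from smb.conf, as the workaround below describes, removes the shell from the path entirely.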
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Samba version 3.0.24. Previous versions of the Samba 3 release series may also be vulnerable.
Samba 2.x and earlier did not have the 'username map script' feature.
V. WORKAROUND
Removing the 'username map script' option from the smb.conf file will prevent this vulnerability from being triggered.
VI. VENDOR RESPONSE
Samba has released version 3.0.25 as well as a patch for version 3.0.24 to address this issue. More information can be found in their announcement at the following URL.
http://samba.org/samba/security/CVE-2007-2447.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-2447 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
05/07/2007 Initial vendor notification
05/07/2007 Initial vendor response
05/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
2.
Sun Microsystems Solaris SRS Proxy Core srsexec Arbitrary File Read Vulnerability
Advisory link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=531
I. BACKGROUND
The srsexec utility is part of the SRS Proxy Core package that is available with Solaris 10. It is installed setuid root by default. For more information about this software, visit the following URL.
http://www.sun.com/service/netconnect/
II. DESCRIPTION
Local exploitation of a design error vulnerability in the srsexec binary, optionally included in Sun Microsystems Inc.'s Solaris 10, allows attackers to gain access to sensitive information such as the root password hash.
The vulnerability exists because srsexec neither drops its root privileges nor checks the caller's permissions on the file supplied as the "binaries file" (-b). If a user specifies verify-only mode (-v) together with debug mode (-d) and names a protected file such as /etc/shadow, srsexec prints the first line of that file in its debug messages. The following demonstrates a sample exploitation session:
$ /opt/SUNWsrspx/bin/srsexec -dvb /etc/shadow OWNED
verify_binary(OWNED)
srsexec: binary_name: OWNED
srsexec: name_buf: OWNED_______________
binaries file line: root:omhyabndnAtNw:6
binaries file line: :6445::::::
smmsp:NP
Security verification failed for binary: OWNED
see SYSLOG(/var/adm/messages) for errors
III. ANALYSIS
Exploitation of this vulnerability allows attackers to gain access to the root password hash or other sensitive information.
In order to exploit this vulnerability, an attacker must have local user access to the system.
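The fix for this class of bug, as an added example that is not Sun's srsexec code: a setuid helper that must read the first line of a caller-supplied path does so with the invoking user's uid, so the kernel enforces that user's permissions on the open(). The function names and the sample file written by the demo are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable shape: a setuid-root helper opens a caller-chosen path with its
 * effective uid, so the kernel never checks whether the *caller* may read it.
 * Echoing any of the content back (here the first line, as srsexec's debug
 * output does) leaks it. */
int first_line_vuln(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int rc = fgets(buf, (int)cap, f) ? 0 : -1;
    fclose(f);
    return rc;
}

/* Hardened: drop to the real (invoking) uid around the open so the caller's
 * own permissions are enforced, and regain privilege only afterwards.
 * Unlike an access() pre-check this is not racy: the uid that was checked
 * is the uid that performs the open. */
int first_line_as_invoker(const char *path, char *buf, size_t cap)
{
    uid_t euid = geteuid(), ruid = getuid();
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;
    int rc = -1, saved_errno = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        if (fgets(buf, (int)cap, f)) {
            buf[strcspn(buf, "\n")] = '\0';
            rc = 0;
        }
        fclose(f);
    } else {
        saved_errno = errno;
    }
    if (euid != ruid && seteuid(euid) != 0)
        rc = -1;                        /* could not restore: fail closed */
    errno = saved_errno;
    return rc;
}

int main(int argc, char **argv)
{
    /* Run as a setuid-root binary by an unprivileged user, "/etc/shadow"
     * yields "Permission denied" here instead of the first hash line. */
    char line[256];
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    if (first_line_as_invoker(path, line, sizeof line) == 0)
        printf("%s: %s\n", path, line);
    else
        printf("%s: %s\n", path, strerror(errno));
    return 0;
}
```

If the program genuinely needs root for other work, the drop should bracket only the untrusted open; if it does not, the setuid bit should not be there at all, which is what the workaround below achieves.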
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Solaris 10 with the SUNWsrspx package installed. In order to determine if this package is installed, an administrator can execute the following command:
# pkginfo SUNWsrspx
If this command returns 'ERROR: information for "SUNWsrspx" was not found', then the system does not have the affected package installed and is not vulnerable.
V. WORKAROUND
Remove the setuid bit from the srsexec binary:
# chmod -s /opt/SUNWsrspx/bin/srsexec
VI. VENDOR RESPONSE
Sun Microsystems has addressed this vulnerability with a patch release. For more information, consult Sun Alert ID 102891 at the following URL.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102891-1
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
11/07/2006 Initial vendor notification
11/10/2006 Initial vendor response
05/10/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
3.
Novell NetMail NMDMC Buffer Overflow Vulnerability
Advisory link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=532
I. BACKGROUND
Novell Inc.'s NetMail is an e-mail and calendar system that is based on standard Internet protocols. More information can be found at the URL shown below.
http://www.novell.com/products/netmail/
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability within Novell Inc.'s NetMail allows attackers to execute arbitrary code with the privileges of the service.
This vulnerability specifically exists within the SSL version of the "NMDMC.EXE" service. The application does not perform sufficient input validation when copying data into a fixed-size stack buffer. When processing a specially crafted request made to this service, a stack-based buffer overflow occurs, overwriting saved control data (such as the return address) on the stack.
III. ANALYSIS
Exploitation allows attackers to execute code in the context of the running service. By default this service runs with the privileges of "NetMailService".
No authentication is required to reach the vulnerable code. Additionally, because the service is SSL-wrapped, the malicious request is encrypted on the wire, which complicates writing network IDS signatures.
It appears that the non-SSL version of this service is not vulnerable.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability within version 3.52e_FTF2 of Novell Inc's NetMail. Older versions are suspected to be vulnerable.
V. WORKAROUND
Employ firewalls to minimize the exposure of this service.
VI. VENDOR RESPONSE
Novell has addressed this vulnerability in the beta release of Novell NetMail 3.52f. For more information, consult the document located at the following URL.
http://download.novell.com/Download?buildid=Ad2xk29hHTg~
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
02/07/2007 Initial vendor notification
02/08/2007 Initial vendor response
05/10/2007 Public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
4.
Apple Darwin Streaming Proxy Multiple Vulnerabilities
Advisory link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533
I. BACKGROUND
Darwin Streaming Server is a server technology that facilitates streaming of QuickTime data to clients across the Internet using the industry standard RTP and RTSP protocols.
The Darwin Streaming Proxy is an application-specific proxy that would normally run in a perimeter network (DMZ). It gives client machines inside a protected network access to streaming servers when the firewall blocks RTSP connections or RTP/UDP data flow. For more information, see the product website at the following URL.
http://developer.apple.com/opensource/server/streaming/index.html
II. DESCRIPTION
Remote exploitation of multiple buffer overflow vulnerabilities in Apple Inc.'s Darwin Streaming Proxy allows attackers to execute arbitrary code with the privileges of the running service, usually root.
Due to insufficient sanity checking, a stack-based buffer overflow could occur while trying to extract commands from the request buffer. The "is_command" function, located in proxy.c, lacks bounds checking when filling the 'cmd' and 'server' buffers.
Additionally, a heap-based buffer overflow could occur while processing the "trackID" values contained within a "SETUP" request. If a request with more than 32 values is encountered, memory corruption will occur.
III. ANALYSIS
Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the running service, usually root.
No credentials are required for accessing the vulnerable code.
Whether the stack-based buffer overflow is reachable depends on compiler optimisations. iDefense has verified that the Darwin Streaming Proxy 4.1 binary release for Fedora Core is not vulnerable, whereas a binary produced by an out-of-the-box compile from source on Fedora was confirmed vulnerable.
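Bounded handling of the two fields the advisory names, as an added example that is not the Darwin Streaming Proxy source: the request-line parser copies the command and server tokens only if they fit their fixed buffers, and the trackID collector rejects a SETUP carrying more values than its array holds instead of writing past it. The buffer sizes, the `is_command_vuln` reconstruction of the unbounded copy, and the sample request are assumptions of this example; proxy.c's real sizes are not on the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_LEN    16   /* assumed sizes, not proxy.c's */
#define SERVER_LEN 64
#define MAX_TRACKS 32   /* the advisory's limit on trackID values per SETUP */

struct rtsp_req {
    char   cmd[CMD_LEN];
    char   server[SERVER_LEN];
    int    track_ids[MAX_TRACKS];
    size_t ntracks;
};

/* Vulnerable shape (never call this on untrusted input): sscanf without
 * field widths copies until whitespace, however long the token is, so an
 * overlong method or host name overruns cmd/server on the stack. */
void is_command_vuln(const char *line, struct rtsp_req *r)
{
    sscanf(line, "%s rtsp://%[^/: ]", r->cmd, r->server);
}

/* Copy the token at *p (ended by any char in `stop`) into dst, or fail if
 * it is empty or would not fit together with its NUL terminator. */
static int copy_token(const char **p, const char *stop, char *dst, size_t cap)
{
    size_t n = strcspn(*p, stop);
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p += n;
    return 0;
}

/* Hardened request-line parse: "METHOD rtsp://host[:port]/path RTSP/1.0". */
int parse_request_line(const char *line, struct rtsp_req *r)
{
    const char *p = line;
    if (copy_token(&p, " ", r->cmd, sizeof r->cmd) != 0)
        return -1;
    while (*p == ' ')
        p++;
    if (strncmp(p, "rtsp://", 7) != 0)
        return -1;
    p += 7;
    return copy_token(&p, "/: ", r->server, sizeof r->server);
}

/* Collect trackID=N values; a request with more than MAX_TRACKS of them is
 * rejected rather than allowed to corrupt memory past the array. */
int collect_track_ids(const char *req, struct rtsp_req *r)
{
    const char *p = req;
    r->ntracks = 0;
    while ((p = strstr(p, "trackID=")) != NULL) {
        p += strlen("trackID=");
        if (!isdigit((unsigned char)*p))
            return -1;
        if (r->ntracks >= MAX_TRACKS)
            return -1;
        char *end;
        long v = strtol(p, &end, 10);
        if (v < 0 || v > 0xffff)
            return -1;
        r->track_ids[r->ntracks++] = (int)v;
        p = end;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request line and SETUP body. */
    struct rtsp_req r;
    const char *line = "SETUP rtsp://media.example.com:554/movie.mov/trackID=3 RTSP/1.0";
    if (parse_request_line(line, &r) == 0)
        printf("cmd=%s server=%s\n", r.cmd, r.server);

    char body[1024] = "";
    for (int i = 0; i < 33; i++) {              /* one more than the array holds */
        char t[32];
        snprintf(t, sizeof t, "trackID=%d ", i);
        strcat(body, t);
    }
    printf("33 trackIDs: %s\n", collect_track_ids(body, &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check in `copy_token` is the one the advisory says `is_command` lacks; the `ntracks >= MAX_TRACKS` test is the one missing from the SETUP path. Both fail closed on oversized input rather than trying to truncate it, which is the safer choice for a proxy that will forward the request onward.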
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Darwin Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1. It is suspected that earlier versions are also vulnerable.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to vulnerable systems and services.
VI. VENDOR RESPONSE
Apple has addressed these vulnerabilities by releasing version 5.5.5 of Darwin Streaming Server. More information can be found on Apple's Security Update page or the Darwin Streaming Server advisory page at the respective URLs below.
http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=305495
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to the stack-based buffer overflow. These names are candidates for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
04/09/2007 Initial vendor notification
04/09/2007 Initial vendor response
05/10/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of iDefense for the information contained in this advisory.
______________________________________________________________________________