Samba chain_reply Memory Corruption (Linux x86)
| Disclosed | Created |
|---|---|
| 2010-06-16 | 2018-05-30 |
Description
This exploits a memory corruption vulnerability present in Samba versions
prior to 3.3.13. When handling chained response packets, Samba fails to validate
the offset value used when building the next part. By setting this value to a
number larger than the destination buffer size, an attacker can corrupt memory.
Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will
cause the header of the input buffer chunk to be corrupted.
After close inspection, it appears that 3.0.x versions of Samba are not
exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot
cause memory to be corrupted in an exploitable way. It is possible to corrupt the
heap header of the "InputBuffer", but it didn't seem possible to get the chunk
to be processed again prior to process exit.
In order to gain code execution, this exploit attempts to overwrite a "talloc
chunk" destructor function pointer.
This particular module is capable of exploiting the flaw on x86 Linux systems
that do not have NX memory protection.
NOTE: It is possible to make exploitation attempts indefinitely since Samba forks
for user sessions in the default configuration.
Authors
Jun Mao
jduck jduck@metasploit.com
Platform
Linux
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’: