Vigil@nce - Samba: two denials of service
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can send a malicious packet to the
Samba daemon, in order to stop it.
Severity: 2/4
Creation date: 17/05/2010
DESCRIPTION OF THE VULNERABILITY
The smbd daemon of Samba listens on the CIFS ports 139 and 445. An
attacker can use two vulnerabilities in order to stop it.
An attacker can send a non-Unicode "Negotiate Protocol" packet,
followed by a Unicode "Session Setup AndX" packet, in order to
generate an error stopping smbd. [severity:2/4]
An attacker can send a "Session Setup AndX" packet with the
"security blob length" field set to 0xFFFF, in order to force a read
at an invalid memory address. [severity:2/4]
An unauthenticated attacker can therefore send a malicious packet
to the Samba daemon, in order to stop it.
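The second issue comes from trusting a length field beyond the bytes actually received. The following C code is an added example, not Samba's code and not part of the bulletin: it accepts the security blob only when its declared length fits inside the received data. The field offsets (taken from the extended-security "Session Setup AndX" request layout) and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of an extended-security "Session Setup AndX" request
 * (WordCount = 12), offsets counted from the WordCount byte:
 *   15 SecurityBlobLength (uint16 LE), 25 ByteCount (uint16 LE),
 *   27 SecurityBlob, followed by the remaining data bytes. */
enum { SSX_WORDCOUNT = 12, SSX_OFF_BLOBLEN = 15, SSX_OFF_BYTECOUNT = 25, SSX_OFF_DATA = 27 };

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical helper: returns 0 and sets *blob / *blob_len only when the
 * declared blob lies entirely inside the bytes actually received. */
int ssx_get_security_blob(const uint8_t *req, size_t avail,
                          const uint8_t **blob, size_t *blob_len)
{
    if (!req || !blob || !blob_len || avail < SSX_OFF_DATA) return -1;
    if (req[0] != SSX_WORDCOUNT) return -1;              /* not this request variant */
    size_t declared   = rd_le16(req + SSX_OFF_BLOBLEN);
    size_t byte_count = rd_le16(req + SSX_OFF_BYTECOUNT);
    if (byte_count > avail - SSX_OFF_DATA) return -1;    /* ByteCount overstates the data */
    if (declared > byte_count) return -1;                /* blob overruns data (e.g. 0xFFFF) */
    *blob = req + SSX_OFF_DATA;
    *blob_len = declared;
    return 0;
}

/* Constructed sample: a request carrying `actual` data bytes whose
 * SecurityBlobLength field claims `declared`. Returns the parser verdict. */
int ssx_check_sample(uint16_t declared, uint16_t actual)
{
    uint8_t req[SSX_OFF_DATA + 64];
    const uint8_t *blob; size_t len;
    if (actual > 64) return -2;                          /* sample buffer too small */
    memset(req, 0, sizeof req);
    req[0] = SSX_WORDCOUNT;
    req[SSX_OFF_BLOBLEN] = declared & 0xff;   req[SSX_OFF_BLOBLEN + 1] = declared >> 8;
    req[SSX_OFF_BYTECOUNT] = actual & 0xff;   req[SSX_OFF_BYTECOUNT + 1] = actual >> 8;
    return ssx_get_security_blob(req, (size_t)SSX_OFF_DATA + actual, &blob, &len);
}

int main(void)
{
    printf("well-formed: %d, length 0xFFFF: %d\n", ssx_check_sample(16, 16), ssx_check_sample(0xFFFF, 16));
    return 0;
}
```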
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-two-denials-of-service-9645