Samba Security, SAMBA:CVE-2010-2063
Jun 16, 2010 - 12:00 a.m.

Memory Corruption Vulnerability

2010-06-16 00:00:00
Samba Security
www.samba.org

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.972
Percentile: 99.9%

Description

Samba versions 3.3.12 and all versions previous to this are affected
by a memory corruption vulnerability. Samba versions 3.4.0 and all
releases since this version are NOT affected by this problem. In
particular, the current stable Samba version 3.5.3 is NOT affected
by this problem.

Code dealing with the chaining of SMB1 packets did not correctly
validate an input field provided by the client, making it possible
for a specially crafted packet to crash the server or potentially
cause the server to execute arbitrary code.

This does not require an authenticated connection and so is the
most dangerous kind of vulnerability. All affected systems should
be patched as soon as possible.

Patch Availability

Patches addressing both these issues have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 3.3.13 has been issued as a security release to correct the
defect. Patches against older Samba versions are available at
http://samba.org/samba/patches/. Samba administrators running affected
versions are advised to upgrade to 3.3.13 or apply the patch as soon
as possible.
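
A version triage for the ranges stated above, as an added example that is not part of the Samba advisory: it classifies a version string such as the one printed by `smbd -V`. The function name, the result labels and the sample strings are constructed here, and treating a `-` suffix as a distribution build that may already carry the patch is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory). Ranges taken from the advisory text:
#   3.3.12 and earlier -> affected
#   3.3.13             -> security release that corrects the defect
#   3.4.0 and later    -> not affected
# Assumption: a "-..." suffix marks a distribution package. Because the
# advisory offers patches for older versions, such a build can report an old
# number and still be patched, so it is flagged for a vendor changelog check.

# Prints: affected | fixed-release | not-affected | check-vendor | unparsed
classify_samba_version() {
    ver=${1#Version }          # accept "Version 3.3.12" or bare "3.3.12"
    core=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    if [ -z "$core" ]; then
        echo unparsed          # never guess on a string we cannot read
        return 0
    fi
    suffix=${ver#"$core"}      # whatever follows x.y.z, e.g. "a" or "-3.el5"

    old_ifs=$IFS
    IFS=.
    set -- $core               # split x.y.z into $1 $2 $3
    IFS=$old_ifs
    major=$1 minor=$2 patch=$3

    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        echo not-affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 13 ]; then
        echo fixed-release
    else
        case $suffix in
            -*) echo check-vendor ;;   # old number, possibly patched build
            *)  echo affected ;;
        esac
    fi
}

# Constructed sample inputs; on a real host use: classify_samba_version "$(smbd -V)"
for v in "Version 3.3.12" "3.3.13" "3.5.3" "3.0.28a" "3.0.33-3.29.el5_5"; do
    printf '%-22s %s\n' "$v" "$(classify_samba_version "$v")"
done
```

A `check-vendor` or `unparsed` result means the version number alone does not settle the question; confirm against the package changelog before closing the finding.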

Workaround

None.

Credits

This vulnerability and proof of concept code were provided by
Jun Mao of iDefense Labs (http://www.idefense.com).

Patches were provided by Jeremy Allison of the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
