Note: This is an archival copy of Security Sun Alert 249086 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019923.1.
Solaris 9 Operating System
Solaris 10 Operating System
Date of Resolved Release
Security Vulnerability in samba(7) Specially Crafted Packet May Allow Execution of Arbitrary Code With Root Privileges
A heap-based buffer overflow in the Samba client (SMBCLIENT(1)) may allow a remote unprivileged user to execute arbitrary code using a crafted SMB response. Since the Samba daemon (smbd(1M)) can also act as the client during operations such as printer notification and domain authentication, this issue affects both the Samba client and server.
Additional information on this issue can be found in the following document:
CVE-2008-1105 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
2. Contributing Factors
This issue can occur in the following releases:
1. Solaris 8 does not include the Samba software and therefore is not affected by this issue.
To determine the version of Samba installed on a system, the following command can be run:
% /usr/sfw/sbin/smbd -VTo determine if a system is configured as a Samba server, the following command can be run to check for processes related to Samba:
% ps -ef | grep mbdIf the output shows "smbd" or "nmbd" running as a daemon (with the -D parameter), the system is configured as a Samba server.
There are no predictable symptoms that would indicate the described vulnerability has been exploited to run arbitrary code with the privileges of the root user.
To work around the described issue for the Samba server, the Samba service may be stopped by using the following command:
On Solaris 9
# /etc/init.d/samba stopOn Solaris 10
# svcadm disable samba
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
This solution has no attachment