Samba RPC Network Data Representation Marshalling Vulnerability

SA48742

CVE-2012-1182

11 Apr 2012

02 Jul 2012

Moderately Critical

Vendor Patch

Samba 3.x

From local network

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

A vulnerability has been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the Network Data Representation (NDR) marshalling functionality when handling PULL EVENTLOG ReportEventAndSourceW requests and can be exploited to cause a heap-based buffer overflow via a specially crafted remote procedure call.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions 3.0.x through 3.6.3.

Apply patch or update to version 3.6.4, 3.5.14, or 3.4.16.
http://www.samba.org/samba/patches/

Brian Gorenc, HP DVLabs and an anonymous person via ZDI.

Samba:
http://www.samba.org/samba/security/CVE-2012-1182

DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-12-04

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-061/
http://www.zerodayinitiative.com/advisories/ZDI-12-062/
http://www.zerodayinitiative.com/advisories/ZDI-12-063/
http://www.zerodayinitiative.com/advisories/ZDI-12-064/
http://www.zerodayinitiative.com/advisories/ZDI-12-068/
http://www.zerodayinitiative.com/advisories/ZDI-12-069/
http://www.zerodayinitiative.com/advisories/ZDI-12-070/
http://www.zerodayinitiative.com/advisories/ZDI-12-071/
http://www.zerodayinitiative.com/advisories/ZDI-12-072/