Samba 3.0.37 EnumPrinters memory corruption

2015.05.19

Credit: Gabriele Avosani

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Hello, i discovered a bug in EnumPrinters.
It seems that it allocates many mega of memory, corrupting memory and taking control of a memcpy in parse_prs.c:398
It leads to memory corruption, fatal (and fast) exhaustion of resources and, probably, remote code execution.
I attach a file that can be used as a proof of concept.
Gabriele Avosani
(looking for remote work as programmer, if in need, email me at g.avosani () gmail com (PHP, Perl, C/C++, Java and more))
http://seclists.org/fulldisclosure/2015/May/att-73/enumprinters_tgz.bin

References:

http://seclists.org/fulldisclosure/2015/May/att-73/enumprinters_tgz.bin

http://seclists.org/fulldisclosure/2015/May/73

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Samba 3.0.37 EnumPrinters memory corruption

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.