Signature Detail

SMB: Samba smbd Packets Chaining AndX Offset Infinite Loop

This signature detects attempts to exploit a known infinite loop vulnerability in Samba. The vulnerability is due to insufficient validation of AndX request offsets, which should be increasing in a strictly monotonic manner. A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious AndX request to the target. Successful exploitation of this vulnerability could result in the execution of arbitrary code in the context of the affected service.

Extended Description

Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion.

Affected Products

• rim blackberry_playbook_os 1.0
• rim blackberry_playbook_os 1.0.3
• rim blackberry_playbook_os 1.0.5
• rim blackberry_playbook_os 1.0.6
• rim blackberry_playbook_os 1.0.7
• rim blackberry_playbook_os 1.0.7.2942
• rim blackberry_playbook_os 1.0.7.3312
• rim blackberry_playbook_os 1.0.8.4985
• rim blackberry_playbook_os 1.0.8.6067
• rim blackberry_playbook_os up to 2.0
• rim blackberry_playbook_tablet -
• samba 3.0

References

• BugTraq: 52103
• CVE: CVE-2012-0870