Date: Sun, 6 Jun 1999 19:57:44 -0700 From: Patrick Michael Kane To: BUGTRAQ@netspace.org Subject: Buffer overflows in smbval library While working on my Authen::Smb wrapper, which provides SMB authentication to UNIX hosts via perl, I discovered that the library that it is based on, smbvalid.a (originally written by Alexander O. Yuriev, patched by many folks through time -- available from a number of places via http/ftp), has a number of exploitable buffer overflows. The username and password arrays, among others, are vulnerable to overflow. Remotely accessible applications that rely on the smbvalid library for authentication may be vulnerable to remote attack. At this time, Apache::AuthenSmb, a mod_perl-based authentication module for Apache, is the only formal application I am aware of that is vulnerable. Custom developed applications should be examined for possible vulnerabilities. Authen::Smb 0.9 has been released which addresses this problem and is available via CPAN. pam_smb, which is also built around smbvalid, does _not_ apper to be vulnerable to attacks. No patches are available to correct the problem in the library itself at this time. Thanks, -- Patrick Michael Kane We Also Walk Dogs ---------------------------------------------------------------------------- Date: Mon, 7 Jun 1999 08:44:21 -0700 From: Patrick Michael Kane To: BUGTRAQ@netspace.org Subject: Re: Buffer overflows in smbval library One follow-up. I misattributed authorship of the smbval library. It was written by Richard Sharpe, not Alexander O. Yuriev. Thanks, -- Patrick Michael Kane We Also Walk Dogs ---------------------------------------------------------------------------- Date: Tue, 8 Jun 1999 18:23:10 +0900 From: Richard Sharpe To: BUGTRAQ@netspace.org Subject: Re: Buffer overflows in smbval library At 08:44 AM 6/7/99 -0700, Patrick Michael Kane wrote: >One follow-up. I misattributed authorship of the smbval library. It was >written by Richard Sharpe, not Alexander O. Yuriev. > Hmmm, I can't remember writing smbval. I do remember writing SMBlib, and am certain that pam_smb is based on that, and I freely admit that it could have buffer overflows in it. I have learned since :-) Regards ------- Richard Sharpe, sharpe@ns.aus.com, NS Computer Software and Services P/L, Samba (Team member www.samba.org), Ethereal (Team member www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author, First Australian Linux Course