CVE-2013-4124
Published: 2013-08-06
Priority: P3 (44) · Severity: medium · CVSS 2.0 base score: 5 · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: public exploit available
EPSS: 69.01% (99.3 percentile)
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
Affected
159 ranges; the source page shows 25, collapsed here to one row per vendor/product (only the Debian entry carries version data).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | samba | < samba 2:3.6.17-1 (bookworm) | samba 2:3.6.17-1 (bookworm) |
| fedoraproject | fedora | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux | — | — |
| samba | samba | — | — |
Detection & IOCs (extracted from sources)
Indicators:
- Command: SMB_COM_NT_TRANSACT (0xA0) with NT_TRANSACT_CREATE (0x01) and a malformed, oversized dataoffset field (0xf1000000)
- Bytes: `\xff\x53\x4d\x42` (SMB protocol magic bytes) with command byte 0xA0 (SMB_NTTRANS)
Detection guidance:
- Detect SMB NT_TRANSACT (command 0xA0) packets with a malformed or oversized dataoffset field that causes an integer wrap (e.g. a value near 0xf1000000) targeting the read_nttrans_ea_list code path in smbd.
- The exploit requires the NT_TRANSACT_CREATE sub-function (0x01) within the SMBNTtrans request; monitor for SMB NT_TRANSACT packets with function code 0x01 carrying anomalously large data offset values.
- Monitor smbd processes for abnormal memory consumption following receipt of SMB NTTRANS packets; the vulnerability causes the server to loop and re-process the EA list, leading to memory exhaustion.
- The attack vector is the SMBNTtrans reply_nttrans() handler; network sensors should alert on SMB sessions sending NT_TRANSACT requests with EA list data that triggers integer overflow conditions.
Notes:
- The vulnerability is only exploitable when the 'ea support' option is explicitly enabled on the target Samba share; it is disabled by default, which significantly limits exposure.
- EA support is disabled by default ('ea support = no') in the Samba packages shipped with Red Hat Enterprise Linux 5 and 6, so those default configurations are not exploitable.
- Affected versions are Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8; patched upstream commits are available against v4.0.7, v3.6.16, and v3.5.21.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Ubuntu
Samba vulnerability
vendor_ubuntu·2013-09-24
CVE-2013-4124
Title: Samba vulnerability
Summary: Samba could be made to hang if it received specially crafted network traffic.
Jeremy Allison discovered that Samba incorrectly handled certain extended attribute lists. A remote attacker could use this issue to cause Samba to hang, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: DoS via integer overflow when reading an EA list
vendor_redhat·2013-08-05·CVSS 5.0
CVE-2013-4124 [MEDIUM] CWE-190
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
Package: samba (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-4124: samba
vendor_debian·2013·CVSS 5.0
CVE-2013-4124 [MEDIUM]
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
Scope: local
- bookworm: resolved (fixed in 2:3.6.17-1)
- bullseye: resolved (fixed in 2:3.6.17-1)
- forky: resolved (fixed in 2:3.6.17-1)
- sid: resolved (fixed in 2:3.6.17-1)
- trixie: resolved (fixed in 2:3.6.17-1)
GHSA
GHSA-qvwq-h632-53jh: Integer overflow in the read_nttrans_ea_list function in nttrans
ghsa_unreviewed·2022-05-14
CVE-2013-4124 [MEDIUM]
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
OSV
CVE-2013-4124: Integer overflow in the read_nttrans_ea_list function in nttrans
osv·2013-08-06·CVSS 5.0
CVE-2013-4124 [MEDIUM]
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
No detection rules found.
Exploit-DB
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow
exploitdb·2013-08-22·CVSS 5.0
CVE-2013-4124 [MEDIUM]
---
Exploitation: samba nttrans reply integer overflow
Call chain from the exploit writeup:
```
handle_nttrans
  +-> call_nt_transact_create    // transact!
        -> read_nttrans_ea_list  (vulnerable function)
```
[security bug analysis] smbd/nttrans.c
```c
/****************************************************************************
 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
****************************************************************************/
/* EA names, data from samba incoming buffer! */
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size) /* *pdata is inject vect */
```
Metasploit
Samba read_nttrans_ea_list Integer Overflow
metasploit
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet. Important Note: in order to work, the "ea support" option on the target share must be enabled.
Bugzilla
CVE-2013-4124 samba: DoS via integer overflow when reading an EA list [fedora-all]
bugzilla·2013-08-05·CVSS 5.0
CVE-2013-4124 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issu
Bugzilla
CVE-2013-4124 samba: DoS via integer overflow when reading an EA list
bugzilla·2013-07-15·CVSS 5.0
CVE-2013-4124 [MEDIUM]
An integer overflow flaw was found in the way samba read an EA list provided by the client. A malicious client could send a specially crafted EA list that wraps perfectly on a 32-bit boundary, causing the server to loop and re-process the list. This can cause Denial of Service via memory exhaustion.
Reference: https://bugzilla.samba.org/show_bug.cgi?id=10010 (currently private)
Discussion:
Support for Extended Attributes (EA) is disabled by default in the versions of samba package shipped with Red Hat Enterprise Linux 5 and 6.
As per the smb(5) man page:
"This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this paramet
Bugzilla
CVE-2012-6092 activemq: Multiple XSS flaws in web demos
bugzilla·2013-04-24·CVSS 4.3
CVE-2012-6092 [MEDIUM]
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6092
Discussion:
This issue has been addressed in the following products:
Fuse MQ Enterprise 7.1.0
Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html
References
- http://archives.neohapsis.com/archives/bugtraq/2013-08/0028.html
- http://ftp.samba.org/pub/samba/patches/security/samba-4.0.7-CVE-2013-4124.patch
- http://lists.fedoraproject.org/pipermail/package-announce/2013-August/113591.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114011.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00015.html
- http://marc.info/?l=bugtraq&m=141660010015249&w=2
- http://osvdb.org/95969
- http://rhn.redhat.com/errata/RHSA-2013-1310.html
- http://rhn.redhat.com/errata/RHSA-2013-1542.html
- http://rhn.redhat.com/errata/RHSA-2013-1543.html
- http://rhn.redhat.com/errata/RHSA-2014-0305.html
- http://secunia.com/advisories/54519
- http://security.gentoo.org/glsa/glsa-201502-15.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:207
- http://www.samba.org/samba/history/samba-3.5.22.html
- http://www.samba.org/samba/history/samba-3.6.17.html
- http://www.samba.org/samba/history/samba-4.0.8.html
- http://www.samba.org/samba/security/CVE-2013-4124
- http://www.securitytracker.com/id/1028882
- http://www.ubuntu.com/usn/USN-1966-1
- https://bugzilla.redhat.com/show_bug.cgi?id=984401
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86185