On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.
Over the past few years, the discovery of high-profile vulnerabilities in widespread Unix applications seems to have slowed. At the same time, a variety of security mechanisms are now commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and hardened heap allocators, all of which make reliable public exploits like this one rarer, or at least considerably more time-consuming to develop. The release of exploits for these issues is reminiscent of years past, when high-profile Unix applications were targeted as often as Windows RPC services.
What's fascinating about the public exploitation of the lsa_io_trans_names issue is that Samba's own talloc heap algorithm, which works on top of the Linux heap, lends itself to reliable exploitation. This isn't the first time a third-party heap has been used to aid in the exploitability of a flaw, but it's possible that applications implementing less secure third-party heaps may be a more appealing target to researchers in the future.
While investigating this issue for a DeepSight Threat Analysis document, I decided to look into the flaw on the latest Mac OS X release. The most recent mass security update released by Apple on May 24, 2007, Security Update 2007-005, did not include an update for Samba. A look at the application on OS X 10.4.9 showed Samba 3.0.10 installed, a vulnerable version originally released in 2005. The service does not run by default, but will be started if Windows Sharing is enabled.
After starting the service, I was able to modify the Metasploit exploit module to reliably achieve code execution on Samba 3.0.10 running on Mac OS X 10.4.9. Exploitation differs from that observed on Linux, due to the earlier version of Samba. But because of the lack of security mechanisms built into the Mac OS X heap algorithm, exploitation was possible and fairly trivial.
Mac OS X users who have enabled Windows Sharing and have not manually upgraded to Samba 3.0.25 from source are still vulnerable, and this issue is still considered a very high priority. The DeepSight Threat Analyst Team has suggested that all Mac OS X users who use Windows Sharing disable the functionality until an associated Security Update is released, or until the 3.0.25 source code can be used to install the updated version.
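The practical check that follows from the advice above is simply "which Samba is this host running, and is it older than the fixed release?". The script below is an added example, not code from the original post or from Samba or Apple. It classifies the version string printed by `smbd -V` against the affected range the advisory describes (3.0.25rc3 and earlier affected, 3.0.25 and later fixed). The path /usr/sbin/smbd is an assumption about where Mac OS X 10.4 installs the daemon and can be overridden with the `SMBD` environment variable; the sample version strings at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Samba version
# string, as printed by "smbd -V", against the lsa_io_trans_names fix.
# Affected per the advisory: 3.0.25rc3 and earlier.  Fixed: 3.0.25 and later.
# Assumption: smbd lives at /usr/sbin/smbd on Mac OS X 10.4 (override via SMBD=).

# Split "3.0.25rc3" into base="3.0.25" and suffix="rc3" using only POSIX sh,
# so this also runs on the stock /bin/sh of an old OS X release.
split_version() {
    base=""
    tail=$1
    while [ -n "$tail" ]; do
        c=${tail%"${tail#?}"}            # first character of $tail
        case $c in
            [0-9.]) base="$base$c"; tail=${tail#?} ;;
            *) break ;;
        esac
    done
    suffix=$tail
}

# Usage: samba_version_vulnerable "Version 3.0.10"
# Prints vulnerable|fixed|unknown.  Exit status: 0 vulnerable, 1 fixed, 2 unparseable.
samba_version_vulnerable() {
    ver=${1#Version }                    # smbd -V prints "Version X.Y.Z..."
    split_version "$ver"
    case $base in
        [0-9]*.[0-9]*.[0-9]*) ;;         # need major.minor.patch
        *) echo unknown; return 2 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                   # ignore anything after a third dot

    # Anything numerically below 3.0.25 is in the affected range.
    if [ "$major" -lt 3 ] \
       || { [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 25 ]; }; then
        echo vulnerable; return 0
    fi
    # Exactly 3.0.25: release candidates and pre-releases were still affected,
    # while 3.0.25 itself and the later 3.0.25a/b point releases carry the fix.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 25 ]; then
        case $suffix in
            rc*|pre*) echo vulnerable; return 0 ;;
        esac
    fi
    echo fixed; return 1
}

# Run the check against the daemon actually installed on this host.
check_installed_samba() {
    smbd=${SMBD:-/usr/sbin/smbd}         # assumed location on OS X 10.4
    if [ ! -x "$smbd" ]; then
        echo "smbd not found at $smbd"; return 2
    fi
    samba_version_vulnerable "$("$smbd" -V 2>/dev/null | head -n 1)"
}

# Constructed sample strings (not real smbd output from any host):
for sample in "Version 3.0.10" "3.0.25rc3" "Version 3.0.25" "3.0.25a" "3.0.26"; do
    printf '%-16s -> %s\n' "$sample" "$(samba_version_vulnerable "$sample")"
done

# Pass --host to inspect the local smbd instead of the samples.
case ${1:-} in
    --host) check_installed_samba ;;
esac
```

Run it with `--host` on the machine in question; a result of "vulnerable" (as it is for the 3.0.10 shipped with 10.4.9) means Windows Sharing should stay off until the update lands. The version comparison is done field by field rather than as a string so that, for example, 3.0.9 is correctly ordered below 3.0.25.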