On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.
Over the past few years, the discovery of high-profile vulnerabilities in widespread Unix applications seems to have been decreasing. Additionally, a variety of security mechanisms are now more commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and hardened heaps, all of which make public exploits this reliable rarer, or at least more time-consuming to develop. The release of exploits for these issues is reminiscent of years past, when high-profile Unix applications were targeted as often as Windows RPC services.
What's fascinating about the public exploitation of the lsa_io_trans_names issue is that Samba's own talloc heap algorithm, which works on top of the Linux heap, lends itself to reliable exploitation. This isn't the first time a third-party heap has been used to aid in the exploitability of a flaw, but it's possible that applications implementing less secure third-party heaps may be a more appealing target to researchers in the future.
While investigating this issue for a DeepSight Threat Analysis document, I decided to look into the flaw on the latest Mac OS X release. The most recent mass security update released by Apple on May 24, 2007, Security Update 2007-005, did not include an update for Samba. A look at the application on OS X 10.4.9 showed Samba 3.0.10 installed, a vulnerable version originally released in 2005. The service does not run by default, but will be started if Windows Sharing is enabled.
After starting the service, I was able to modify the Metasploit exploit module to reliably achieve code execution on Samba 3.0.10 running on Mac OS X 10.4.9. Exploitation differs from that observed on Linux, due to the earlier version of Samba. But because of the lack of security mechanisms built into the Mac OS X heap algorithm, exploitation was possible and fairly trivial.
Mac OS X users who have enabled Windows Sharing and have not manually upgraded to Samba 3.0.25 from source are still vulnerable, and this issue is still considered a very high priority. The DeepSight Threat Analyst Team has suggested that all Mac OS X users using Windows Sharing disable the functionality until an associated Security Update is released or the 3.0.25 source code can be used to install the updated version.
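A quick way to act on the advice above is to compare the installed Samba version against the fixed release. The script below is an added example, not code from the original post or from the Samba project; it assumes that `smbd -V` prints a line of the form "Version 3.0.10" and uses /usr/sbin/smbd as a hypothetical default path for the binary (override it with the SMBD environment variable). The comparison treats 3.0.25rc3 and everything earlier as vulnerable, since release candidates sort before the final 3.0.25, and treats 3.0.25 and later (including letter-suffixed releases such as 3.0.25a) as fixed.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): classify an
# installed Samba version against the 3.0.25 fix line described in the text.
# Assumptions: `smbd -V` prints "Version X.Y.Z"; /usr/sbin/smbd is a hypothetical
# default path for Mac OS X 10.4, overridable with $SMBD.

# Keep only the leading run of digits of a version component ("25a" -> "25").
digits() {
    printf '%s' "$1" | sed 's/[^0-9].*//'
}

# Print "vulnerable" for 3.0.25rc3 and earlier, "fixed" for 3.0.25 and later.
# A release candidate (rcN) sorts before the final release of the same number.
samba_status() {
    v=$(printf '%s' "$1" | sed 's/^[Vv]ersion *//')
    num=${v%%rc*}            # "3.0.25rc3" -> "3.0.25"
    final=1                  # 1 = final release, 0 = release candidate
    [ "$num" != "$v" ] && final=0
    IFS=. read -r maj min pat rest <<EOF
$num
EOF
    maj=$(digits "$maj"); min=$(digits "$min"); pat=$(digits "$pat")
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    # Collapse major.minor.patch into one integer so a single comparison suffices.
    key=$((maj * 1000000 + min * 1000 + pat))
    if [ "$key" -lt 3000025 ] || { [ "$key" -eq 3000025 ] && [ "$final" -eq 0 ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
    return 0
}

# Query the locally installed smbd, if present, and classify its version.
check_local_smbd() {
    smbd_bin=${SMBD:-/usr/sbin/smbd}   # hypothetical default location
    if [ ! -x "$smbd_bin" ]; then
        echo "smbd not found at $smbd_bin"
        return 2
    fi
    samba_status "$("$smbd_bin" -V 2>/dev/null | head -n 1)"
}

# Usage: sh samba_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_local_smbd
fi
```

Because the check keys purely on the version string, it does not tell you whether Windows Sharing is actually enabled; it only tells you whether the binary that would be started is one the post describes as vulnerable.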