
Samba smbd Security Descriptor Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.16.04

…Remote exploitation of an integer overflow vulnerability in all
versions of Samba’s smbd prior to and including 3.0.8 could allow an
attacker to cause controllable heap corruption, leading to execution
of arbitrary commands with root privileges….

An attacker could supply data to the server which would cause the
heap to become corrupted in such a way as to cause arbitrary values
to be written to arbitrary locations, eventually leading to code
execution.

III. ANALYSIS
Successful remote exploitation allows an attacker to gain root
privileges on a vulnerable system. In order to exploit this
vulnerability an attacker would need to have credentials allowing
them access to a share. Unsuccessful exploitation attempts will
cause the process serving the request to crash with signal 11, and
may leave evidence of an attack in logs.

IV. DETECTION
iDEFENSE Labs have confirmed that Samba 3.0.8 and 2.2.9 are
vulnerable. Checks made against earlier versions of the source code
suggest that all versions from at least 2.0.0 are also vulnerable to
some minor variation of this vulnerability.

V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to systems and services.

VI. VENDOR RESPONSE
Patches for this issue are available here and here.
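
The analysis and detection sections above give defenders two things to check: smbd children dying with signal 11, and whether the server version is 3.0.8 or earlier. The following triage script is an added example, not part of the advisory or of Samba; the log lines are constructed, and the crash and connect message formats are assumptions about what smbd writes.

```python
import re

# Constructed sample log, not captured from a real server. The wording of the
# crash and connect lines is an assumption about smbd's log output.
SAMPLE_LOG = """\
[2004/12/17 09:14:02, 0] lib/fault.c:fault_report(36)
  INTERNAL ERROR: Signal 11 in pid 4312 (3.0.8)
[2004/12/17 09:14:05, 1] smbd/service.c:make_connection_snum(648)
  ws12 (192.0.2.15) connect to service docs initially as user alice (uid=1001, gid=100) (pid 4320)
[2004/12/17 09:14:09, 0] lib/fault.c:fault_report(36)
  INTERNAL ERROR: Signal 11 in pid 4320 (3.0.8)
[2004/12/17 09:20:41, 0] lib/fault.c:fault_report(36)
  INTERNAL ERROR: Signal 7 in pid 4388 (3.0.8)
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]")
CRASH = re.compile(r"INTERNAL ERROR: Signal (?P<sig>\d+) in pid (?P<pid>\d+) \((?P<ver>[^)]+)\)")
CONNECT = re.compile(r"\((?P<ip>[\d.]+)\) connect to service (?P<share>\S+) .*\(pid (?P<pid>\d+)\)")

def is_affected(version):
    """True for versions the advisory covers: up to and including 3.0.8."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return nums <= (3, 0, 8)

def find_segv_crashes(log_text):
    """Return one dict per signal-11 crash, joined to the connection that pid served."""
    sessions, crashes, ts = {}, [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:                      # header line carries the timestamp for the next message
            ts = m.group("ts")
            continue
        m = CONNECT.search(line)
        if m:                      # remember which client and share each pid is serving
            sessions[m.group("pid")] = (m.group("ip"), m.group("share"))
            continue
        m = CRASH.search(line)
        if m and m.group("sig") == "11":
            ip, share = sessions.get(m.group("pid"), (None, None))
            crashes.append({"time": ts, "pid": int(m.group("pid")),
                            "version": m.group("ver"), "client": ip, "share": share,
                            "affected": is_affected(m.group("ver"))})
    return crashes

if __name__ == "__main__":
    for c in find_segv_crashes(SAMPLE_LOG):
        print(c)
```

A patched vendor build may still report an old version string, so treat the `affected` flag as a prompt to confirm the patch level rather than as proof.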
