The 2.2.8 release notes say:

> A buffer overrun condition exists in the SMB/CIFS packet fragment
> re-assembly code in smbd which would allow an attacker to cause smbd
> to overwrite arbitrary areas of memory in its own process address
> space. This could allow a skilled attacker to inject binary specific
> exploit code into smbd.

Comment: It seems to me that the ability of a "skilled attacker to inject binary specific exploit code into smbd" is dependent upon the processor architecture. On a chip that fails to distinguish between code and data, I can readily see how a skilled attacker could inject binary specific code using a buffer overrun. However, on a chip that does distinguish areas of virtual memory that are code, and areas that are data, and further disallows execution of data (absent a specific operating system call to change the access mode of that region of virtual memory), it seems to me that it would be almost impossible for even a highly skilled attacker to inject binary specific code. I consider myself highly skilled on the Stratus VOS operating system and I can't for the life of me see how I could get the HP PA-RISC microprocessor to execute code that came down the wire as data.

Question: Would someone please confirm or refute my hypothesis? Some of my customers are asking me about this vulnerability, and as all of the Stratus VOS customers are using Samba on a microprocessor that draws a strong distinction between virtual memory used for data (e.g., stack, heap, static data) versus virtual memory used by executable code, it is my current strong belief that we are not susceptible to this vulnerability as described in the release notes. [I can see how an attacker could mount a DoS attack, of course].

[[Meta comment: vulnerabilities that require combinations of code holes and microprocessor design flaws and/or operating system holes should be so labeled, IMHO. Blanket statements needlessly scare people, and needlessly let certain vendors of chips with weak hardware security controls, or OS vendors with same, off the hook.]]

> Patch Availability
> -----------------
>
> As this is a security issue, patches for this flaw specific to earlier
> versions of Samba will be posted on the [EMAIL PROTECTED]
> mailing list as requested.

Well, if my hypothesis is incorrect, I'd like to request a patch against 2.0.7. Either that, or I'm going to send you a lot of patches to get 2.2.8 to build on VOS...

Thanks
PG
-- 
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 (978) 461-7557; FAX: +1 (978) 461-3610
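The flaw class the release note describes, a packet fragment reassembly routine that trusts a wire-supplied length, is shown here together with the bounds check that prevents the overrun, as an added C example constructed for this page. It is not smbd's code; the structure, field and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Samba's smbd code: a fixed-size reassembly
 * buffer for one SMB message that arrives as several wire fragments. */
#define MAX_SMB_MSG 65535u

typedef struct {
    uint8_t data[MAX_SMB_MSG];
    size_t  expected_len;  /* total length announced by the first fragment */
    size_t  received_len;  /* bytes copied so far; always <= expected_len */
} smb_reasm_t;

/* Start a new message. The announced length comes from the peer, so it is
 * checked against the real buffer size before anything is copied. */
int reasm_init(smb_reasm_t *r, size_t announced_len) {
    if (r == NULL || announced_len > MAX_SMB_MSG) return -1;
    r->expected_len = announced_len;
    r->received_len = 0;
    return 0;
}

/* Append one fragment. The overrun pattern in the release note is a copy that
 * trusts the wire-supplied fragment length; here the fragment is refused unless
 * it fits in the remaining space, computed by subtraction so it cannot wrap. */
int reasm_append(smb_reasm_t *r, const uint8_t *frag, size_t frag_len) {
    if (r == NULL || frag == NULL) return -1;
    if (frag_len > r->expected_len - r->received_len) return -1;
    memcpy(r->data + r->received_len, frag, frag_len);
    r->received_len += frag_len;
    return 0;
}

/* Walk a constructed session: a 10-byte message, an honest 6-byte fragment,
 * an oversized 6-byte fragment that must be refused without copying, then
 * the 4 bytes that finish it. Returns 1 when every step behaves as intended. */
int run_demo(void) {
    static smb_reasm_t r;
    const uint8_t frag[6] = {1, 2, 3, 4, 5, 6};
    if (reasm_init(&r, 10) != 0) return 0;
    if (reasm_append(&r, frag, 6) != 0) return 0;
    if (reasm_append(&r, frag, 6) != -1) return 0;   /* 6 + 6 > 10: refused */
    if (r.received_len != 6) return 0;                /* nothing was copied */
    if (reasm_append(&r, frag, 4) != 0) return 0;
    if (r.received_len != r.expected_len) return 0;  /* message complete */
    return reasm_init(&r, MAX_SMB_MSG + 1) == -1;     /* oversized announce */
}
```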