== Subject:     "root" credential remote code execution.
== CVE ID#:     CVE-2012-1182
== Versions:    Samba 3.0.x - 3.6.3 (inclusive)
== Summary:     Samba 3.0.x to 3.6.3 are affected by a
==              vulnerability that allows remote code
==		execution as the "root" user.


Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.

The code generator for Samba's remote procedure call (RPC) code
contained an error which caused it to generate code containing a
security flaw. This generated code is used in the parts of Samba that
control marshalling and unmarshalling of RPC calls over the network.

The flaw caused checks on the variable containing the length of an
allocated array to be done independently from the checks on the
variable used to allocate the memory for that array.  As both these
variables are controlled by the connecting client it makes it possible
for a specially crafted RPC call to cause the server to execute
arbitrary code.

As this does not require an authenticated connection it is the most
serious vulnerability possible in a program, and users and vendors are
encouraged to patch their Samba installations immediately.

Patch Availability

Patches addressing this issue have been posted to:

Additionally, Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at:

Samba administrators running affected versions are advised to upgrade
to 3.6.4, 3.5.14, or 3.4.16 or apply these patches as soon as

Due to the seriousness of this vulnerability, patches have been
released for all Samba versions currently out of support and
maintenance from 3.0.37 onwards.

Patches for the 3.6 series also apply to Samba4 alpha18 and can be used to
make a pure security release on top of it.


Samba contains a "hosts allow" parameter that can be used inside
smb.conf to restrict the clients allowed to connect to the server to a
trusted list. This can be used to help mitigate the problem caused by
this bug but it is by no means a real fix, as client addresses can be
easily faked.


This vulnerability and proof of concept code was provided by Brian
Gorenc as well as an anonymous researcher working with HP's Zero Day
Initiative program. The Samba Team would like to thank them for
reporting the problem and their cooperation in this matter.

Patches were provided by Stefan Metzmacher of the Samba team, based on
initial work by Volker Lendecke.