==========================================================
==
== Subject:     Formatstring vulnerability in smbclient
==
== CVE ID#:     CVE-2009-1886
==
== Versions:    Samba 3.2.0 - 3.2.12 (inclusive)
==
== Summary:     The smbclient commands dealing with file
==              names treat user input as a format string
==              to asprintf.
==
==========================================================

===========
Description
===========

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format
string vulnerability where commands dealing with file names treat
user input as format strings to asprintf. An example is:

  smb: \> put aa%3Fbb
  putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As is obvious, "aa%3Fbb" is interpreted as a format string. With a
maliciously crafted file name smbclient can be made to execute code
triggered by the server.

The attack from our point of view is rather unlikely because the
malicious filename has to be entered by the user. If smbclient is used
within scripts, an attack becomes possible.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.13 has been issued as a security release to
correct the defect.

Samba administrators are advised to upgrade to 3.2.13 or apply the
patch as soon as possible.

==========
Workaround
==========

No workaround is available at this time.

=======
Credits
=======

This issue was found and reported to the Samba Team by
Reinhard Nißl <rnissl@gmx.de> as
https://bugzilla.samba.org/show_bug.cgi?id=6478

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
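The defect class described above, as an added illustration that is not Samba's code: the user-controlled file name must only ever be passed as a "%s" argument to asprintf, never as the format itself. The function names (join_remote_name, count_format_directives) and the "\" current-directory value are assumptions for this example; the audit helper is a regression check a test harness can apply to any string that must never reach a format parameter.

```c
#define _GNU_SOURCE   /* asprintf on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern from the advisory, shown only as a comment and never
 * compiled: the caller-supplied file name becomes the format argument, so
 * "aa%3Fbb" is parsed as a width-3 %F conversion reading a stray double.
 *
 *     asprintf(&rname, lname);
 */

/* Hardened form: the file name travels through a fixed format string as a
 * "%s" argument, so every '%' in it is copied literally.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *join_remote_name(const char *cur_dir, const char *lname)
{
    char *rname = NULL;
    if (asprintf(&rname, "%s%s", cur_dir, lname) < 0)
        return NULL;
    return rname;
}

/* Audit helper: number of conversion directives the string would contribute
 * if it were ever used as a format string. "%%" is a literal percent sign
 * and is not counted. A non-zero result on data that reaches a format
 * parameter is the condition this advisory's fix removes. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(void)
{
    const char *lname = "aa%3Fbb";            /* the advisory's example name */
    char *rname = join_remote_name("\\", lname);
    printf("putting file %s as %s (%d directive(s) in the name)\n",
           lname, rname ? rname : "(null)", count_format_directives(lname));
    free(rname);
    return 0;
}
```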