Samba spoolss Service DoS

April 6, 2018

Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. A NULL pointer denial-of-service vulnerability exists in the print service of Samba Team Samba 4.0.0 to 4.4.x, 4.5.x to 4.5.16, 4.6.x to 4.6.14 and 4.7.x to 4.7.6, which may cause a remote denial of service.

When Samba's daemon application, smbd, handles the print server name, three functions are called in sequence: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request is forwarded to the _spoolss_EnumPrinterDrivers() function for handling.

Figure 1: pname in the request

Afterwards, canon_servername() is called to parse pName, the print server name. However, because _spoolss_EnumPrinterDrivers() fails to check whether the input variable is NULL, this can potentially cause a NULL pointer dereference that crashes the service, as shown in Figure 2. An attacker could send such a request remotely and cause a denial of service on the remote service.

Figure 2: NULL reference that causes DoS
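The missing check described above, shown as an added sketch beside its guarded form. This is not Samba's source code: the function names, status codes, and the backslash-skipping behaviour of the canonicaliser are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for this sketch (not Samba's WERROR values). */
enum status { ST_OK = 0, ST_INVALID_PARAM = 1 };

/* Hypothetical stand-in for a server-name canonicaliser: skips the leading
 * backslashes of a UNC-style name. It reads *name, so it must never be
 * handed a NULL pointer. */
static const char *canon_name_sketch(const char *name)
{
    while (*name == '\\')
        name++;
    return name;
}

/* Unguarded handler: mirrors the flaw described above. A request that
 * carries no server name reaches the canonicaliser as NULL. */
enum status enum_drivers_unguarded(const char *pname, const char **out)
{
    *out = canon_name_sketch(pname);   /* NULL dereference if pname == NULL */
    return ST_OK;
}

/* Guarded handler: rejects the missing name before any parsing happens. */
enum status enum_drivers_guarded(const char *pname, const char **out)
{
    *out = NULL;
    if (pname == NULL)
        return ST_INVALID_PARAM;
    *out = canon_name_sketch(pname);
    return ST_OK;
}

int main(void)
{
    const char *name = NULL;
    /* Constructed inputs: an absent name and a UNC-style name. */
    enum status s1 = enum_drivers_guarded(NULL, &name);
    printf("absent name -> status %d\n", s1);
    enum status s2 = enum_drivers_guarded("\\\\PRINTSRV", &name);
    printf("UNC name    -> status %d, canonical \"%s\"\n", s2, name);
    return 0;
}
```

The guard belongs in the request handler, before the pointer is passed to any helper that assumes a valid string.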

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13280: Samba spoolss Service DoS