SecurityTracker.com Archives - Samba Winbind SFU/RFC2307 GID Error Lets Local Users Gain Elevated Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (File Transfer/Sharing) > Samba CIFS

Vendors: Samba.org

Samba Winbind SFU/RFC2307 GID Error Lets Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1018681

SecurityTracker URL: http://securitytracker.com/id?1018681

CVE Reference: CVE-2007-4138 (Links to External Site)

Date: Sep 11 2007

Impact: Root access via local system, User access via local system

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 3.0.25 - 3.0.25c

Description: A vulnerability was reported in Samba. A local user can obtain elevated privileges on the target system in a certain configuration.

When the 'winbind nss info' parameter in 'smb.conf' is set to 'sfu' or 'rfc2307' (allowing the 'idmap_ad.so' library to retrieve certain user data from an Active Directory domain controller), the user's primary group ID (gid) is set to 0 in certain cases. If the RFC2307 or Services or Unix (SFU) primary group attributes are not specified, this error will occur.

The vendor was notified on August 29, 2007.

Rick King reported this vulnerability.

Impact: A local user may be assigned elevated group id (gid) privileges on the target system.

Solution: The vendor has issued a fixed version (3.0.26). A patch is also available at:

http://www.samba.org/samba/security/

The Samba advisory is available at:

http://samba.org/samba/security/CVE-2007-4138.html

Vendor URL: samba.org/samba/security/CVE-2007-4138.html (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Nov 15 2007	(Red Hat Issues Fix) Samba Winbind SFU/RFC2307 GID Error Lets Local Users Gain Elevated Privileges (bugzilla@redhat.com) Red Hat has released a fix for Red Hat Enterprise Linux 4.
Nov 16 2007	(Red Hat Issues Fix) Samba Winbind SFU/RFC2307 GID Error Lets Local Users Gain Elevated Privileges (bugzilla@redhat.com) Red Hat has released a fix for Red Hat Enterprise Linux 5.

Source Message Contents

Date: Tue, 11 Sep 2007 14:16:35 -0400
Subject: Samba

 
 
http://samba.org/samba/security/CVE-2007-4138.html
 
CVE-2007-4138: Incorrect primary group assignment domain users using the rfc2307 or sfu winbind nss i
nfo plugin
 
==========================================================
==
== Subject:     Incorrect primary group assignment for
==              domain users using the rfc2307 or sfu
==              winbind nss info plugin.
==
== CVE ID#:     CVE-2007-4138
==
== Versions:    Samba 3.0.25 - 3.0.25c (inclusive)
==
== Summary:     When the "winbind nss info" parameter in
==              smb.conf is set to either "sfu" or "rfc2307",
==              Windows users are incorrectly assigned
==              a primary gid of 0 in the absence of the
==              RFC2307 or Services or Unix (SFU) primary
==              group attributes.
==
==========================================================
 
===========
Description
===========
 
The idmap_ad.so library provides an nss_info extension to Winbind
for retrieving a user's home directory path, login shell and
primary group id from an Active Directory domain controller.  This
functionality is enabled by defining the "winbind nss info"
smb.conf option to either "sfu" or "rfc2307".
 
Both the Windows "Identity Management for Unix" and "Services for
Unix" MMC plug-ins allow a user to be assigned a primary group
for Unix clients that differs from the user's Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in
the absence of either the RFC2307 or SFU primary group attribute,
Winbind will assign a primary group ID of 0 to the domain user
queried using the getpwnam() C library call.
 
 
==================
Patch Availability
==================
 
A patch addressing this defect has been posted to
 
http://www.samba.org/samba/security/
 
Additionally, Samba 3.0.26 has been issued as a security
release to correct the defect.
 
 
==========
Workaround
==========
 
Samba and Active Directory administrators may avoid this security
issue by two methods:
 
(a) Ensure that all user's stored in AD are properly assigned a
    Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 "winbind nss info" plugin
    until a patched version of the idmap_ad.so library can be
    installed.
 
Note that the problem is only evident on servers using the sfu
or rfc2307 "winbind nss info" plugin and not those only making
use of Winbind's idmap_ad IDMap backend interface.
 
 
=======
Credits
=======
 
This vulnerability was reported to Samba developers by Rick King
as Samba Bug #4927.
 
The time line is as follows:
 
* Aug 29, 2007: Initial report from Rick King.
* Aug 29, 2007: First response from Samba developers confirming
  the bug along with a proposed patch.
* Sep 4, 2007: Announcement to vendor-sec mailing list.
* Sep 11, 2007: Public security advisory made available.
 
 
 
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC