SecurityTracker.com
Category:   Application (Generic)  >   Samba
Vendors:   Samba.org
Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access
SecurityTracker Alert ID:  1001826
SecurityTracker URL:  http://securitytracker.com/id/1001826
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 23 2001
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, Root access via local system, Root access via network
Vendor Confirmed:  Yes  

Description:   A security vulnerability has been reported in all versions of Samba that allows a remote user or a local user to gain root access on the server under certain types of common Samba configurations.

It is reported that a remote user can supply a NetBIOS name containing Unix path characters, which is then substituted into the %m macro wherever it occurs in smb.conf. This can be used to cause Samba to create a log file that overwrites a critical system file, which in turn can be used to compromise security on the server.

Samba.org reports that the most commonly used configuration option that can be vulnerable is the "log file" option. The default value for this option is reported to be VARDIR/log.smbd and if the default is used, then Samba is not vulnerable (with a certain exception for users that have a subdirectory in /var/log/samba/ which starts with the prefix "log.").

The security vulnerability can reportedly be triggered when a log file setting like the following is used:

log file = /var/log/samba/%m.log

In this case, a local user can create a symbolic link to overwrite any file on the system.

If the following type of configuration is used, then the vulnerability can be triggered remotely:

log file = /var/log/samba/%m

In this case, a remote user can overwrite a file (no symbolic link is required). Samba.org reports that this type of configuration is very rare.

Impact:   A local or remote user can obtain root level privileges on the server.
Solution:   The vendor will reportedly release a fix within 24 hours. The vendor recommends an immediate modification:

"Edit your smb.conf configuration file and remove all occurrences of the macro "%m". Replacing occurrences of %m with %I is probably the best solution for most sites."
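
The following is an added example, not code from SecurityTracker or Samba.org: a Python audit of smb.conf text that classifies each "log file" value containing %m according to the cases described above and proposes the vendor's %I replacement. The sample configuration, function names and finding labels are constructed for illustration.

```python
import posixpath
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   log file = /var/log/samba/%m.log
   include = /etc/samba/conf.d/%m.conf
; log file = /var/log/samba/%m
[public]
   path = /srv/public
"""

def classify_log_file(value):
    """Map a 'log file' value to the exposure the advisory describes."""
    if "%m" not in value:
        return "not affected: no %m"
    base = posixpath.basename(value)
    if base == "%m":
        return "remote: the client-supplied name is the whole file name"
    if base.startswith("%m"):
        return "local: overwrite needs a locally created symbolic link"
    if "%m" in base:
        prefix = base.split("%m", 1)[0]
        return "conditional: only if a log subdirectory starts with %r" % prefix
    return "review: %m in a directory component (case not in the advisory)"

def audit(conf_text):
    """Return (line_no, option, finding, suggested_value) per %m use."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments (# or ;), section headers, non-assignments.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        option, value = (part.strip() for part in line.split("=", 1))
        if "%m" not in value:
            continue
        # smb.conf parameter names ignore case and internal whitespace.
        key = re.sub(r"\s+", "", option).lower()
        finding = (classify_log_file(value) if key == "logfile"
                   else "review: %m used outside 'log file'")
        # Vendor's interim advice: replace %m with %I (client IP address).
        findings.append((no, option, finding, value.replace("%m", "%I")))
    return findings

if __name__ == "__main__":
    for no, option, finding, fix in audit(SAMPLE_CONF):
        print(f"line {no}: {option}: {finding}; suggested value: {fix}")
```

Findings for options other than "log file" are flagged for manual review only, since the advisory classifies exposure just for the log file cases.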

Vendor URL:  www.samba.org/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), MPE/iX (HP), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Releases Fix) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Wichert Akkerman <wichert@cistron.nl>)
Debian has released a fix.
(Exploit Methods are Clarified) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Michal Zalewski <lcamtuf@bos.bindview.com>)
Bindview issues their advisory.
(Red Hat Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (bugzilla@redhat.com)
The vendor has released a fix.
(Conectiva Issues Fix) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (secure@conectiva.com.br)
Conectiva has issued a fix.
(Caldera Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Support Info <supinfo@caldera.com>)
The vendor has released a fix.
(Immunix Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Immunix Security Team <security@wirex.com>)
The vendor has released a fix.
(Trustix Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Trustix Secure Linux Advisor <tsl@trustix.com>)
The vendor has released a fix.
(Immunix Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Immunix Security Team <security@wirex.com>)
The vendor has released a fix.
(HP Issues Fix for CIFS/9000 Server) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (support_feedback@us-support.external.hp.com (IT Resource Center ))
This vendor fix has been superseded by a more recent version. See the Message History for the more recent version.
(SuSE Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Roman Drahtmueller <draht@suse.de>)
The vendor has released a fix.
(Mandrake Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (Linux Mandrake Security Team <security@linux-mandrake.com>)
The vendor has released a fix.
(HP Issues Fix for MPE/iX) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (support_feedback@us-support.external.hp.com (IT Resource Center ))
The vendor has released a fix for MPE/iX.
(CIAC Issues Advisory L-105) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (CIAC Mail User <ciac@rumpole.ciac.org>)
CIAC has issued an advisory.
(FreeBSD Issues Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
The vendor has released a fix.
(Apple Issues Fix) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access
Apple has issued a fix for Mac OS X.
(HP Issues Revised Fix for CIFS/9000 Server) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (support_feedback@us-support.external.hp.com (IT Resource Center ))
The vendor has released a revised fix.
(SGI Issues Fix) Re: Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   ("SGI Security Coordinator" <agent99@sgi.com>)
The vendor has issued a fix.
(Red Hat Issues Revised Fix) Samba Common Internet File System (CIFS) Lets Remote Users Obtain Root Level Access   (bugzilla@redhat.com)
The vendor has released a revised fix.



 Source Message Contents

Date:  Fri, 22 Jun 2001 22:28:24 -0400
Subject:  [cobalt-security] Fw: URGENT: Samba security hole


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> IMPORTANT: Security bugfix for Samba
> ------------------------------------
>
> June 23rd 2001
>
>
> Summary
> - -------
>
> A serious security hole has been discovered in all versions of Samba
> that allows an attacker to gain root access on the target machine for
> certain types of common Samba configuration.
>
> The immediate fix is to edit your smb.conf configuration file and
> remove all occurrences of the macro "%m". Replacing occurrences of %m
> with %I is probably the best solution for most sites.
>
> Details
> - -------
>
> A remote attacker can use a netbios name containing unix path
> characters which will then be substituted into the %m macro wherever
> it occurs in smb.conf. This can be used to cause Samba to create a log
> file on top of an important system file, which in turn can be used to
> compromise security on the server.
>
> The most commonly used configuration option that can be vulnerable to
> this attack is the "log file" option. The default value for this
> option is VARDIR/log.smbd. If the default is used then Samba is not
> vulnerable to this attack.
>
> The security hole occurs when a log file option like the following is
> used:
>
>   log file = /var/log/samba/%m.log
>
> In that case the attacker can use a locally created symbolic link to
> overwrite any file on the system. This requires local access to the
> server.
>
> If your Samba configuration has something like the following:
>
>   log file = /var/log/samba/%m
>
> Then the attacker could successfully compromise your server remotely
> as no symbolic link is required. This type of configuration is very
> rare.
>
> The most commonly used log file configuration containing %m is the one
> distributed in the sample configuration file that comes with Samba:
>
>   log file = /var/log/samba/log.%m
>
> in that case your machine is not vulnerable to this attack unless you
> happen to have a subdirectory in /var/log/samba/ which starts with the
> prefix "log."
>
> New Release
> - -----------
>
> While we recommend that vulnerable sites immediately change their
> smb.conf configuration file to prevent the attack we will also be
> making new releases of Samba within the next 24 hours to properly fix
> the problem. Please see http://www.samba.org/ for the new releases.
>
> Please report any attacks to the appropriate authority.
>
> The Samba Team
> security@samba.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>
>
> iD8DBQE7M+Gobf9zMVhTZ5ERAoVvAJ9CX93rSHbEyPD95mS3C5XaQXx5RgCfeOIx
> bKPS2xD1L8C0mlr6y5i8uBo=
> =M/K7
> -----END PGP SIGNATURE-----
>
>

Copyright 2013, SecurityGlobal.net LLC