SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Samba Vendors:   Samba.org
Samba Format String Bug in 'afsacl.so' VFS Plugin May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017588
SecurityTracker URL:  http://securitytracker.com/id/1017588
CVE Reference:   CVE-2007-0454   (Links to External Site)
Date:  Feb 5 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.6 - 3.0.23d
Description:   A vulnerability was reported in Samba in the AFS ACL mapping VFS plugin. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file name on the server's share to cause arbitrary code to be executed on the target system. The file name is used as the format string specifier when setting an NT security descriptor via the 'afsacl.so' VFS plugin.

Only systems that share AFS file systems to CIFS clients and that are configured (in the 'smb.conf' file) to load the 'afsacl.so' VFS module are affected.

The vendor was notified on January 8, 2007.

zybadawg333 at hushmail.com reported this vulnerability.

Impact:   A remote user can create a file that will cause arbitrary code to be executed on the target system.
Solution:   The vendor has issued a fixed version (3.0.24). Also, patches for version 3.0.23d are available at:

http://www.samba.org/samba/security

The Samba advisory is available at:

http://us1.samba.org/samba/security/CVE-2007-0454.html

Vendor URL:  us1.samba.org/samba/security/CVE-2007-0454.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS

This is a multi-part message in MIME format.
--------------040809010209040204060503
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:     Format string bug in afsacl.so VFS plugin.
== CVE ID#:     CVE-2007-0454
==
== Versions:    The AFS ACL mapping VFS plugin distributed
==		in Samba 3.0.6 - 3.0.23d (inclusive)
==
== Summary:     The name of a file on the server's share
==		is used as the format string when setting
==		an NT security descriptor through the
==		afsacl.so VFS plugin.
==
==========================================================

===========
Description
===========

NOTE: This security advisory only impacts Samba servers
that share AFS file systems to CIFS clients and which have
been explicitly instructed in smb.conf to load the afsacl.so
VFS module.

The source defect results in the name of a file stored on
disk being used as the format string in a call to snprintf().
This bug becomes exploitable only when a user is able
to write to a share which utilizes Samba's afsacl.so library
for setting Windows NT access control lists on files residing
on an AFS file system.


==================
Patch Availability
==================

A patch against Samba 3.0.23d has been attached to this
email.  This fix has be incorporated into the Samba 3.0.24
release.  Patches are also available from at the Samba Security
page (http://www.samba.org/samba/security).


==========
Workaround
==========

An unpatched server may be protected by removing all
references to the afsacl.so VFS module from shares in
smb.conf.


=======
Credits
=======

This vulnerability was reported (including a proposed patch)
to Samba developers by <zybadawg333@hushmail.com>.  Much thanks
to zybadawg333 for the cooperation and patience in the
announcement of this defect.  The time line is as follows:

* Jan 8, 2007: Defect first reported to the security@samba.org
  email alias.
* Jan 8, 2007: Initial developer response by Jeremy Allison
  confirming the issue.
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFxzBuIR7qMdg1EfYRAo60AJ0XPkH0pkfsmxIAVF1HxgqFl3qyXQCgzAg/
VdQre1squwORUgRaNA2F3rU=
=93rK
-----END PGP SIGNATURE-----

--------------040809010209040204060503
Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0";
 name="afsacl.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="afsacl.patch"

diff -urN samba-3.0.23d/source/modules/vfs_afsacl.c samba/source/modules/vfs_afsacl.c
--- samba-3.0.23d/source/modules/vfs_afsacl.c	2006-06-23 08:16:50.000000000 -0500
+++ samba/source/modules/vfs_afsacl.c	2007-01-29 20:11:07.000000000 -0600
@@ -901,7 +901,7 @@
 	ZERO_STRUCT(dir_acl);
 	ZERO_STRUCT(file_acl);
 
-	pstr_sprintf(name, fsp->fsp_name);
+	pstrcpy(name, fsp->fsp_name);
 
 	if (!fsp->is_directory) {
 		/* We need to get the name of the directory containing the









--------------040809010209040204060503
Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0";
 name="afsacl.patch.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="afsacl.patch.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQBFvrtvIR7qMdg1EfYRAqGvAJ4onsF4xrEJRULF8wELiui9gWtHJQCcD9Od
GLlJYcMRe3wLaXf5ddU7FPc=
=tb2W
-----END PGP SIGNATURE-----









--------------040809010209040204060503--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC