Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (File Transfer/Sharing)  >   Samba Vendors:
Samba SID/Name Translation Bug Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1018049
SecurityTracker URL:
CVE Reference:   CVE-2007-2444   (Links to External Site)
Date:  May 14 2007
Impact:   Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.23d - 3.0.25pre2
Description:   A vulnerability was reported in Samba. A local user can obtain root privileges on the target system.

The server does not properly translate SIDs to/from names when using a Samba local list of user and group accounts. A local user can issue SMB/CIFS protocol operations with root privileges. This allows the local user to obtain root privileges on the target system.

The vendor was notified on March 20, 2007.

Paul Griffith and Andrew Hogue discovered this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued a patch for 3.0.23d/3.0.24, available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 21 2007 (HP Issues Fix for Tru64) Samba SID/Name Translation Bug Lets Local Users Gain Root Privileges
HP has issued a fix for HP Internet Express for Tru64 UNIX.

 Source Message Contents

Subject:  [SAMBA-SECURITY] CVE-2007-2444: Local SID/Name Translation Failure

Hash: SHA1

== Subject:     Local SID/Name translation bug can result
==              in user privilege elevation
== CVE ID#:     CVE-2007-2444
== Versions:    Samba 3.0.23d - 3.0.25pre2 (inclusive)
== Summary:     A bug in the local SID/Name translation
==              routines may potentially result in a user
==              being able to issue SMB/CIFS protocol
==              operations as root.


When translating SIDs to/from names using Samba local
list of user and group accounts, a logic error in the
smbd daemon's internal security stack may result in a
transition to the root user id rather than the non-root
user.  The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user.  This window of
opportunity may allow the attacker to establish additional
means of gaining root access to the server.

Patch Availability

A patch against Samba 3.0.23d/3.0.24 has posted at


There is no immediate workaround for this defect that does
not involve changing the server code in the smbd daemon.
The Samba Team always encourages users to run the latest
stable release as a defense against attacks.  If this
is not immediately possible, administrators should read
the "Server Security" documentation found at


This vulnerability was reported to Samba developers by Paul
Griffith <> and Andrew Hogue.  Much thanks
to Paul and Andrew for their cooperation and patience in the
announcement of this defect.  Thanks also to Samba developers
James Peach and Jeremy Allison for the analysis and resolution
of this issue.

The time line is as follows:

* March 20, 2007: Defect first reported to the
  email alias.
* March 30, 2007: Initial developer response by Gerald Carter.
* April 4, 2007: Patch released to bug reporter for testing.
* April 9, 2007: Fixed confirmed by original reporter.
* May 3, 2007: Announcement to vendor-sec mailing list
* May 14, 2007: Public announcement of the security issue.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla -



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC