Samba flaw opens up root access attack
Published: 07 Apr 2003 09:49 BST
The SuSE Security Audit Team has reported that a vulnerability in the Samba suite -- which provides SMB-based file and printer sharing on many Linux and Unix systems -- can open up a system to a remote attack resulting in complete compromise of the system by giving the attacker "root" privileges.
Details
A ZDNet UK story on this vulnerability included a note from the co-author of Samba, Jeremy Allison, saying that the new version of Samba was rushed out because, "We know of one site that may have been compromised by this."
The Samba.org notice on this flaw reports that the newest version of Samba fixes the problem by adding "explicit over-run and overflow checks on fragment re-assembly of SMB/CIFS packets."
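The kind of check that notice describes, shown as an added example in C that is neither Samba's code nor part of the original article: a fragment reassembly routine that validates peer-supplied offsets and lengths before copying. The struct, the function names and the REASM_MAX cap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASM_MAX 1024  /* hypothetical cap on one reassembled message */

/* Hypothetical reassembly state; not Samba's data structure. */
struct reasm {
    uint8_t buf[REASM_MAX];
    size_t  total;     /* total length announced when reassembly starts */
    size_t  received;  /* bytes accepted so far, always <= total */
};

/* Start a reassembly; reject an announced total the buffer cannot hold. */
int reasm_begin(struct reasm *r, size_t total)
{
    if (total == 0 || total > sizeof(r->buf))
        return -1;
    memset(r, 0, sizeof(*r));  /* zeroed, so gaps never expose stale memory */
    r->total = total;
    return 0;
}

/* Copy one fragment to its offset; 0 on success, -1 if rejected.
 * offset and len come from the peer and are untrusted. */
int reasm_add(struct reasm *r, size_t offset, const uint8_t *data, size_t len)
{
    /* Fragment must lie inside [0, total). Comparing by subtraction
     * means offset + len is never computed and so cannot wrap. */
    if (offset > r->total || len > r->total - offset)
        return -1;
    /* Accepted bytes may never exceed the announced total. */
    if (len > r->total - r->received)
        return -1;
    memcpy(r->buf + offset, data, len);
    r->received += len;
    return 0;
}

int reasm_complete(const struct reasm *r) { return r->received == r->total; }

int main(void)
{
    static struct reasm r;
    const uint8_t frag[8] = "AAAAAAA";  /* constructed sample fragment */
    reasm_begin(&r, 12);
    printf("in-bounds: %d\n", reasm_add(&r, 0, frag, 8));
    printf("past end:  %d\n", reasm_add(&r, 8, frag, 8));
    return 0;
}
```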
A Debian GNU/Linux Security notice, DSA-262-1, says that the threats include:
- "A buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root, an attacker can use this to gain root access to a machine running smbd.
- "The code to write reg files was vulnerable for a chown race [chown is the Linux change ownership command], which made it possible for a local user to overwrite system files."
Mitre vulnerability candidate number CAN-2003-0085 describes the flaw as "a buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8 allows remote attackers to execute arbitrary code."
Mitre vulnerability candidate CAN-2003-0086 is a reg file vulnerability that "allows local users to overwrite arbitrary files via a race condition involving chown" in older Samba versions.
Applicability
Samba versions 2.0.x through 2.2.7a all include this vulnerability. CERT Vulnerability Note VU#298233 lists a number of vendor products that are vulnerable to this Samba flaw and states that Openwall GNU/*/Linux, Fujitsu, and Ingrian products are not vulnerable.
Apple's advisory on this problem says, "Samba is not enabled by default with Mac OS X and Mac OS X Server." Apple says that it does have plans to issue a patch for version 10.2.4.
Risk level--serious
Because this flaw can result in root (administrator) access and can be exploited remotely, it needs to be taken very seriously by administrators who have Samba running on their networks.
Fix
The Samba team recommends that users immediately upgrade to version 2.2.8. The source code is located at download.samba.org/samba/ftp/ in samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2. When available, binary packages will be posted at download.samba.org/samba/ftp/Binary_Packages/. Alternatively, managers can simply block access to TCP ports 139 and 445.






