Samba vulnerabilities
Created 7/3/01
Impact
In some configurations, the Samba server could allow a
local user to append to arbitrary files, and a remote
attacker to avoid logging of failed connection attempts,
which could allow brute force attacks. In other
configurations, it could be possible for any attacker, local or remote,
to append to arbitrary files. This could easily be leveraged
to gain full root access to the system.
Background
Server Message Block (SMB)
is a network protocol native to Windows systems which allows sharing
of files and printers across a network. Samba
is a software package which implements the SMB
protocol on a variety of platforms, providing compatibility
with Windows systems.
Every computer which uses the SMB protocol
is assigned a NetBIOS name. This name is used to identify
the computer on the network for the purposes of resolving
SMB requests.
The Problem
The Samba server is often configured to log error messages in a file
whose name is determined by the NetBIOS name of the client.
If this is the case, insufficient checking of the client's NetBIOS name
by Samba could allow an attacker to change the path of the
log file. In the worst-case scenario, this could lead to remote
write access to arbitrary files, which could result in remote
root access. In other scenarios, this could lead to privilege
elevation by a local attacker, or the opportunity for a remote
attacker to perform brute-force password guessing attacks without
being logged.
Samba versions prior to 2.0.10 are affected by this vulnerability
if the log file name includes the NetBIOS name (represented
by %m) in the configuration file. The Samba
configuration file is usually located in /etc/smb.conf
or /etc/samba/smb.conf. For example, if a Samba server prior
to version 2.0.10 is installed, and the
/etc/smb.conf file includes the following line:
log file = /var/log/samba/%m.log
then the server is vulnerable.
Resolution
Upgrade to Samba version 2.0.10 or higher in the 2.0.x series,
or to version 2.2.0a or higher. Alternatively,
change the log file parameter in the Samba configuration
file such that the path name does not depend on any variables.
See SecurityFocus
for update information from specific vendors.
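The check described under The Problem and Resolution can be automated. The following is an added example, not part of the original advisory or of Samba: it reads smb.conf text, finds every log file parameter, and reports whether the path uses %m on an unfixed release, depends on some variable, or is static. The function names and the sample configuration are constructed for illustration, and treating 2.2.0 as unfixed is an assumption drawn from the "2.2.0a or higher" wording above.

```python
import re

def parse_version(text):
    """'2.0.9' -> (2, 0, 9, ''), '2.2.0a' -> (2, 2, 0, 'a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def is_fixed(version):
    """True for the fixed releases named in the Resolution section."""
    v = parse_version(version)
    if v[:2] == (2, 0):
        return v >= (2, 0, 10, "")
    return v >= (2, 2, 0, "a")

def log_file_settings(conf_text):
    """Yield (section, value) for each 'log file' parameter in smb.conf text."""
    section, pending = "global", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names
        if sep and re.sub(r"\s+", "", name).lower() == "logfile":
            yield section, value.strip()

def audit(conf_text, version):
    """Return (section, value, verdict) for every log file setting."""
    findings = []
    for section, value in log_file_settings(conf_text):
        variables = re.findall(r"%[A-Za-z]", value)
        verdict = ("vulnerable" if "%m" in variables and not is_fixed(version)
                   else "depends on variables" if variables
                   else "static path")
        findings.append((section, value, verdict))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = "[global]\n  workgroup = EXAMPLE\n  Log File = /var/log/samba/%m.log\n"
```

Calling audit(SAMPLE, "2.0.9") reports the setting as vulnerable; a "depends on variables" verdict on a fixed release marks a path that still does not meet the alternative resolution of a variable-free log file name.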
Where can I read more about this?
For more information on this vulnerability, see the
announcement
from Samba and the posting to Bugtraq.
Also see more information about Samba in general.