Enterprise Linux Log

May 14 2007   9:29AM GMT

Samba team issues security patches

ITKE ITKE Profile: ITKE

A trio of Samba security vulnerabilities dropped into my inbox today. The first:

This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the “username map script” smb.conf option (which is not enabled by default).

After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf. However, unlike the “username map script”
vulnerability, the remote file and printer management scripts require an authenticated user session.

The second:

When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon’s internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.

The third:

Various bugs in Samba’s NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

A patch against Samba 3.0.23d/3.0.24 has posted at http://www.samba.org/samba/security/

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: