#200980: Security Vulnerabilities in Samba May Allow Unauthorized Root Privileges

Security Vulnerabilities in Samba May Allow Unauthorized Root Privileges

Category :	Security
Release Phase :	Resolved
Product :	Solaris 9 Operating System Solaris 10 Operating System
Bug Id :	5080288, 6203085
Date of Workaround Release :	25-OCT-2004
Date of Resolved Release :	06-JAN-2005

Impact

Security vulnerabilities in Samba may result in one or both of the following issues:

1. A buffer overflow may allow a remote unprivileged user the ability to execute arbitrary code with the privileges of Super User (typically root) on a Solaris 9 or Solaris 10 system running as a Samba server.

This issue is referenced in the following document:

CAN-2004-0686 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686

2. A security vulnerability may allow a remote unprivileged user the ability to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.

This issue is referenced in the following document:

CAN-2004-0815 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0815

Contributing Factors

The first issue described above can occur in the following releases:

SPARC Platform

Solaris 9 without patch 114684-03
Solaris 10 without patch 119757-01

x86 Platform

Solaris 9 without patch 114685-03
Solaris 10 without patch 119758-01

The second issue described above can occur in the following releases:

SPARC Platform

Solaris 9 without patch 114684-03

x86 Platform

Solaris 9 without patch 114685-03

Note: Solaris 7 and Solaris 8 do not include the Samba software and are not affected by these issues. Sun does include Samba on the Solaris Companion CD for Solaris 8 as an unsupported package which installs to "/opt/sfw" and is vulnerable to this issue. Sites using the freeware version of Samba from the Solaris Companion CD will need to upgrade to a later version from Samba.org.

Issue 1 described above only occurs if all of the following conditions are true:

The system is configured as a Samba server
The version of Samba installed is 2.2.0 through 2.2.9 or 3.0.0 through 3.0.4
The server is configured to use the "hash" mangling method. (This is the default configuration for Samba 2.2.x only)

Issue 2 described above only occurs if all of the following conditions are true:

The system is configured as a Samba server.
The version of Samba installed is 2.2.0 through 2.2.11 or 3.0.0 through 3.0.2.
The server is configured with the "wide links" option set to "yes" for any or all shares (This is the default configuration).

To determine if a system is configured as a Samba server, use the following command to check for the presence of the smb.conf(4) file:

    % ls -l /etc/sfw/smb.conf
    -rw-r--r--   1 root     other      11665 Sep 28 16:37 /etc/sfw/smb.conf

If the output is similar to that shown above, the system is configured as a Samba server.

To determine the version of Samba installed on a system, the following command can be run:

    % /usr/sfw/sbin/smbd -V
    Version 2.2.8a

To determine if the server is configured to use the "hash" mangling method, the following command can be run:

    % grep 'mangling method' /etc/sfw/smb.conf

If the output is either of the following, then the system is vulnerable:

"mangling method = hash"
There is no output AND the Samba version is 2.2.x

Note: For Samba 2.2.x the default is "mangling method = hash". If this has not been changed, there will be no entry in the "/etc/sfw/smb.conf" file for "mangling method".

To determine if the server is configured with the "wide links" option set to "yes", the following command can be run:

    % grep 'wide links' /etc/sfw/smb.conf

If the output is either of the following, then the system is vulnerable:

There is no output.
"wide links = yes"

Note: For all versions of Samba the default is "wide links = yes". If this has not been changed, there will be no entry in the "/etc/sfw/smb.conf" file for "wide links".

Symptoms

There are no predictable symptoms that would indicate the described issues has been exploited.

Workaround

For Issue 1 described above:

Servers which are configured to use the "hash2" mangling method are unaffected by this issue. As a result, this issue can be avoided by modifying or adding the following "mangling method" line to smb.conf(4):

    mangling method = hash2

For Issue 2 described above:

Samba shares which are configured with the "wide links" option set to "no" are unaffected by this issue. As a result, this issue can be avoided by modifying or adding the following line to smb.conf(4) (note that all instances of this line in smb.conf(4) must be modified if they exist):

    wide links = no

Resolution

These issues are addressed in the following releases:

SPARC Platform

Solaris 9 with patch 114684-03 or later
Solaris 10 with patch 119757-01 or later

x86 Platform

Solaris 9 with patch 114685-03 or later
Solaris 10 with patch 119758-01 or later

Modification History

Date: 06-JAN-2005

Change History

State: Resolved
Added BugID
Updated Contributing Factors and Resolution sections

Date: 10-JAN-2005

Updated Contributing Factors and Relief/Workaround sections

Date: 13-JUN-2005

Updated Product field
Updated Contributing Factors and Resolution sections

Attachments

This solution has no attachment

Change History

Login Required

Login Required