An integer overflow security issue with the Samba(7) smbd(1m) daemon may allow a local or remote authenticated user the ability to execute arbitrary commands with the privileges of Super User (typically root), on a Solaris 9 or Solaris 10 system running as a Samba(7) server.

More information on this issue is available at:

• CERT Vulnerability Note VU#226184 at: http://www.kb.cert.org/vuls/id/226184
• CVE CAN-2004-1154 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154
• Samba Security Announcement at: http://www.samba.org/samba/security/CAN-2004-1154.html

This issue can occur in the following releases:

SPARC Platform

• Solaris 9 without patch 114684-05
• Solaris 10 without patch 119757-01

x86 Platform

• Solaris 9 without patch 114685-05
• Solaris 10 without patch 119758-01

Note: Solaris 7 and Solaris 8 do not include the Samba software and are not affected by this issues. Sun does include Samba on the Solaris Companion CD for Solaris 8 as an unsupported package which installs to "/opt/sfw" and is vulnerable to this issue. Sites using the freeware version of Samba from the Solaris Companion CD will need to upgrade to a later version from Samba.org.

This issue only occurs if all of the following conditions are true:

• The system is configured as a Samba server
• The version of Samba installed is 2.X through 3.0.9

To determine if a system is configured as a Samba server, use the following command to check for the presence of the smb.conf(4) file:

    % ls -l /etc/sfw/smb.conf     
    -rw-r--r--   1 root  other  11665 Sep 28 16:37 /etc/sfw/smb.conf

If the output is similar to that shown above, the system is configured as a Samba server.

To determine the version of Samba installed on a system, the following command can be run:

    % /usr/sfw/sbin/smbd -V      
    Version  3.0.4

Unsuccessful exploitation attempts may leave evidence of an attack in system logs.

To work around the described issue, download and compile samba 3.0.10 or higher from Samba.org

Follow the security suggestions from the samba team at: http://www.samba.org/samba/docs/server_security.html.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 9 with patch 114684-05 or later
• Solaris 10 with patch 119757-01 or later

x86 Platform

• Solaris 9 with patch 114685-05 or later
• Solaris 10 with patch 119757-01 or later

Change History

13-Jun-2005:

• Updated Product field
• Updated Contributing Factors and Resolution sections

• State: Resolved
• Updated Contributing Factors and Resolution sections

This solution has no attachment