Bug 177029 - net-fs/samba Privilege escalation (CVE-2007-{2444|2446|2447|}) Vendor-Sec
Summary: net-fs/samba Privilege escalation (CVE-2007-{2444|2446|2447|}) Vendor-Sec
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High blocker
Assignee: Gentoo Security
URL: http://news.samba.org/
Whiteboard: B0? [glsa] jaervosz
Keywords:
Duplicates: 178617
Depends on:
Blocks:
 
Reported: 2007-05-04 13:16 UTC by Sune Kloppenborg Jeppesen
Modified: 2020-03-28 23:11 UTC

Attachments
3.0.24-sid2name_elevation.patch (2.96 KB, patch)
2007-05-04 13:20 UTC, Sune Kloppenborg Jeppesen
samba-3.0.24-r2.ebuild (8.27 KB, text/plain)
2007-05-04 17:56 UTC, Tiziano Müller
3.0.24-shell_escape.patch (6.09 KB, patch)
2007-05-11 07:37 UTC, Sune Kloppenborg Jeppesen
3.0.24-heap_overflow.patch (8.23 KB, patch)
2007-05-11 07:40 UTC, Sune Kloppenborg Jeppesen
samba-3.0.24-r2.ebuild (8.36 KB, text/plain)
2007-05-11 19:15 UTC, Tiziano Müller
3.0.24-shell_escape.patch (6.09 KB, patch)
2007-05-12 09:18 UTC, Sune Kloppenborg Jeppesen

Description Sune Kloppenborg Jeppesen gentoo-dev 2007-05-04 13:16:56 UTC
==========================================================
==
== Subject:     Local SID/Name translation bug can result
==              in user privilege elevation
== CVE ID#:     TBD
==
== Versions:    Samba 3.0.23d - 3.0.25pre2 (inclusive)
==
== Summary:     A bug in the local SID/Name translation
==              routines may potentially result in a user
==              being able to issue SMB/CIFS protocol
==              operations as root.
==
==========================================================

===========
Description
===========

When translating SIDs to/from names using Samba's local
list of user and group accounts, a logic error in the
smbd daemon's internal security stack may result in a
transition to the root user id rather than the non-root
user.  The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user.  This window of
opportunity may allow the attacker to establish additional
means of gaining root access to the server.


==================
Patch Availability
==================

A patch against Samba 3.0.23d/3.0.24 has been attached to
this email.  At the time of public disclosure, the patch
will be posted to http://www.samba.org/samba/security/.


==========
Workaround
==========

There is no immediate workaround for this defect that does
not involve changing the server code in the smbd daemon.
The Samba Team always encourages users to run the latest
stable release as a defense against attacks.  If this
is not immediately possible, administrators should read
the "Server Security" documentation found at

  http://www.samba.org/samba/docs/server_security.html


=======
Credits
=======

This vulnerability was reported to Samba developers by Paul
Griffith <paulg@cse.yorku.ca> and Andrew Hogue.  Much thanks
to Paul and Andrew for their cooperation and patience in the
announcement of this defect.  Thanks also to Samba developers
James Peach and Jeremy Allison for the analysis and resolution
of this issue.

The time line is as follows:

* March 20, 2007: Defect first reported to the security@samba.org
  email alias.
* March 30, 2007: Initial developer response by Gerald Carter.
* April 4, 2007: Patch released to bug reporter for testing.
* April 9, 2007: Fix confirmed by original reporter.
* May 3, 2007: Announcement to vendor-sec mailing list
* May 14, 2007: Proposed date for public announcement of the
  security issue.



==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-04 13:20:27 UTC
Created attachment 118137
3.0.24-sid2name_elevation.patch
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-04 13:22:34 UTC
Tiziano please attach an updated ebuild to this bug and we will call arch security liaisons for testing. 

Do NOT commit anything to Portage yet. 

If you have any questions about how security bugs like this are handled just ask here or mail me. If you want someone else from the samba team to deal with this please CC them.
Comment 3 Tiziano Müller gentoo-dev 2007-05-04 17:56:00 UTC
Created attachment 118165
samba-3.0.24-r2.ebuild

This is the updated ebuild as requested.
The patch has to be named "3.0.24-sid2name_elevation.patch".
Tested on x86 (unstable).

... and there IS nobody else in the samba team :-)
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-05 06:46:00 UTC
Thx for the quick response Tiziano.

Arch security liaisons please test and report back on this bug. Please do NOT commit anything yet.
Comment 5 Jeroen Roovers gentoo-dev 2007-05-05 12:09:43 UTC
Works for hppa.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-05-05 13:50:45 UTC
looks good on ppc64, too
Comment 7 Joshua Jackson (RETIRED) gentoo-dev 2007-05-05 20:45:24 UTC
x86 looks good
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-07 12:33:29 UTC
looks good on sparc.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-08 14:57:39 UTC
looks ok on ppc
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:34:01 UTC
Back to preebuild since more issues popped up.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:37:20 UTC
==========================================================
==
== Subject:     Unescaped user input parameters are passed
==              as arguments to /bin/sh allowing for remote
==              command execution
== CVE ID#:     CVE-2007-2447
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:
==
==========================================================

===========
Description
===========

This bug was originally reported against the anonymous calls
to the SamrChangePassword() MS-RPC function in combination
with the "username map script" smb.conf option (which is not
enabled by default).

After further investigation by Samba developers, it was
determined that the problem was much broader and impacts
remote printer and file share management as well.  The root
cause is passing unfiltered user input provided via MS-RPC
calls to /bin/sh when invoking external scripts defined
in smb.conf.  However, unlike the "username map script"
vulnerability, the remote file and printer management scripts
require an authenticated user session.


==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to
this email.  At the time of public disclosure, the patch
will be posted to http://www.samba.org/samba/security/.
Back ports of the patch to Samba 2.2.12, 3.0.9, and
3.0.10 are available upon request thanks to Samba/RedHat
developer Simo Sorce <idra@samba.org>.


==========
Workaround
==========

This defect may be alleviated by removing all defined
external script invocations (username map script, add
printer command, etc...) from smb.conf.

The Samba Team always encourages users to run the latest
stable release as a defense against attacks.  If this
is not immediately possible, administrators should read
the "Server Security" documentation found at

  http://www.samba.org/samba/docs/server_security.html


=======
Credits
=======

This vulnerability was reported to Samba developers by
Joshua J. Drake, iDefense Labs (http://www.idefense.com/),
as part of their Vulnerability Contributor Program.

The time line is as follows:

* May 7, 2007: Initial defect disclosure to the security@samba.org
  email alias.
* May 7, 2007: Initial developer response by Samba
  developer Gerald Carter.
* May 9, 2007: Patch released by Samba developer Jeremy Allison
  to iDefense for testing.
* May 10, Announcement to vendor-sec mailing list
* May 14, 2007: Proposed date for public announcement of the
  security issue.



==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
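The workaround in the advisory above comes down to finding every external-script option defined in smb.conf. The following is an added example, not part of the advisory, the bug report or Samba itself: a Python audit that lists those options and the substitution variables they pass along. Treating any option whose name ends in "script" or "command" as a shell hook is an assumption of this example, and the sample configuration is constructed.

```python
import re

# Assumption: option names ending in "script"/"command" run a program via /bin/sh.
HOOK_SUFFIXES = ("script", "command")
PRE_AUTH_HOOKS = {"usernamemapscript"}  # anonymous-call case in the advisory

def logical_lines(text):  # join lines ending in "\" (smb.conf continuation)
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""

def audit(text):
    findings, section = [], "(no section)"
    for line in logical_lines(text):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace inside option names
        key, value = re.sub(r"\s+", "", name).lower(), value.strip()
        if not sep or not value or not key.endswith(HOOK_SUFFIXES):
            continue  # not a hook, or hook left empty
        findings.append({"section": section, "option": " ".join(name.split()),
                         "command": value, "pre_auth": key in PRE_AUTH_HOOKS,
                         "substitutions": re.findall(r"%[A-Za-z]", value)})
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[global]
   Username Map Script = /usr/local/bin/mapuser.sh
   addprinter command = /usr/local/bin/addprinter.sh \\
        --spool /var/spool/samba
   ; add user script = /usr/sbin/useradd %u
   add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
[public]
   delete share command =
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result means no such option is set in that file; files pulled in through include directives are not followed and need to be audited separately.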
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:37:28 UTC
Created attachment 118832
3.0.24-shell_escape.patch

Upstream fix for CVE-2007-2447.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:39:00 UTC
==========================================================
==
== Subject:     Multiple Heap Overflows Allow Remote
==              Code Execution
== CVE ID#:     CVE-2007-2446
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:     Various bugs in Samba's NDR parsing
==              can allow a user to send specially
==              crafted MS-RPC requests that will
==              overwrite the heap space with user
==              defined data.
==
==========================================================

===========
Description
===========

Various bugs in Samba's NDR parsing can allow a user
to send specially crafted MS-RPC requests that will
overwrite the heap space with user defined data.


==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to
this email.  At the time of public disclosure, the patch
will be posted to http://www.samba.org/samba/security/.
Back ports of the patch to Samba 2.2.12, 3.0.9, and
3.0.10 are available upon request thanks to Samba/RedHat
developer Simo Sorce <idra@samba.org>.


==========
Workaround
==========

There is no immediate workaround for this defect that does
not involve changing the server code in the smbd daemon.
The Samba Team always encourages users to run the latest
stable release as a defense against attacks.  If this
is not immediately possible, administrators should read
the "Server Security" documentation found at

  http://www.samba.org/samba/docs/server_security.html


=======
Credits
=======

This vulnerability was reported to Samba developers by
Brian Schafer, TippingPoint Security Response Lead, as part
of the Zero Day Initiative (http://www.zerodayinitiative.com).

The time line is as follows:

* April 25, 2007: Four individual defects reported to the
  security@samba.org email alias.
* April 25, 2007: Initial developer response by Samba
  developer Volker Lendecke.
* April 28, 2007: Patches for four defects released by
  Samba developer Jeremy Allison to ZDI for testing.
* May 3, 2007: Fix confirmed by original reporter.
* May 5, 2007: Fifth defect reported to security@samba.org.
* May 5, 2007: Patches for fifth defect released to ZDI
  for testing by Samba developer Jeremy Allison.
* May 10, Announcement to vendor-sec mailing list
* May 14, 2007: Proposed date for public announcement of the
  security issue.



==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:40:39 UTC
Created attachment 118834
3.0.24-heap_overflow.patch

Upstream fix for CVE-2007-2446.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-11 07:43:02 UTC
Tiziano please attach an updated ebuild. Do NOT commit anything yet.
Comment 16 Tiziano Müller gentoo-dev 2007-05-11 19:15:15 UTC
Created attachment 118896
samba-3.0.24-r2.ebuild

Updated ebuild as requested. No revision bump.
Patches apply. Tests were successful on ~x86.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-12 09:13:28 UTC
Thx again for the quick response Tiziano.

Arch security liaisons please test the updated ebuild and report back on this bug. Please do NOT commit anything yet.

Note release date is two days away.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-12 09:18:13 UTC
Created attachment 118971
3.0.24-shell_escape.patch

Updated patches from upstream:

Apologies but we found a problem caused by the backport to
3.0.24.  The problem was a return value of -11 on string
conversion failures rather than -1.  The result was an
immediate crash.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-12 09:19:55 UTC
Tiziano please update ebuild.

Release date is getting close so I'm not removing arch security liaisons from CC.
Comment 20 Tiziano Müller gentoo-dev 2007-05-13 14:58:35 UTC
@jaervosz: Sorry, but I can't do it. My machine is completely broken due to a hard drive failure. Since there's nobody else in the team, you'll have to find someone else to do the actual commit.
@arch-team-members: Just use the new patch together with the already committed ebuild, it should work without problems.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-14 11:44:18 UTC
Arch security liaisons please give this a test, disclosure is getting close.
Comment 22 Tiziano Müller gentoo-dev 2007-05-14 14:13:46 UTC
The bugs have been announced today (on the samba website), together with the announcement of version 3.0.25.
Comment 23 Markus Rothe (RETIRED) gentoo-dev 2007-05-14 14:49:35 UTC
looks good on ppc64.
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-14 15:00:01 UTC
Opening bug since this is public now.

Arches please test and mark stable.

NOTE: The first arch to test has to commit the ebuild and patches as Tiziano is unable to do it as per comment #20 (and I don't have x86 commit rights).

Target keywords are:
samba-3.0.24-r2.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 25 Markus Rothe (RETIRED) gentoo-dev 2007-05-14 15:19:45 UTC
added ebuild/patches and marked stable on ppc64.
Comment 26 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-14 15:22:43 UTC
Thx Markus.
Comment 27 Jeroen Roovers gentoo-dev 2007-05-14 15:38:36 UTC
(In reply to comment #25)
> added ebuild/patches and marked stable on ppc64.

Thanks for keywording hppa as well. I guess this was not intentional, but HPPA is good to go anyway. That keyword seems to have been left in the attached ebuild somehow.
Comment 28 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-14 15:50:37 UTC
sparc stable.
Comment 29 Joshua Jackson (RETIRED) gentoo-dev 2007-05-14 17:11:29 UTC
x86 stable.
Comment 30 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-14 17:24:23 UTC
ppc stable
Comment 31 Raúl Porcel (RETIRED) gentoo-dev 2007-05-14 17:29:14 UTC
ia64 stable
Comment 32 Jakub Moc (RETIRED) gentoo-dev 2007-05-15 09:25:52 UTC
*** Bug 178617 has been marked as a duplicate of this bug. ***
Comment 33 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-15 09:48:02 UTC
amd64 stable
Comment 34 Raúl Porcel (RETIRED) gentoo-dev 2007-05-15 12:39:21 UTC
alpha stable, sorry for the delay.
Comment 35 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-15 14:27:53 UTC
GLSA 200705-15