==========================================================
==
== Subject:     Local SID/Name translation bug can result
==              in user privilege elevation
==
== CVE ID#:     TBD
==
== Versions:    Samba 3.0.23d - 3.0.25pre2 (inclusive)
==
== Summary:     A bug in the local SID/Name translation
==              routines may potentially result in a user
==              being able to issue SMB/CIFS protocol
==              operations as root.
==
==========================================================

===========
Description
===========

When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.

==================
Patch Availability
==================

A patch against Samba 3.0.23d/3.0.24 has been attached to this email. At the time of public disclosure, the patch will be posted to http://www.samba.org/samba/security/.

==========
Workaround
==========

There is no immediate workaround for this defect that does not involve changing the server code in the smbd daemon.

The Samba Team always encourages users to run the latest stable release as a defense against attacks. If this is not immediately possible, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html

=======
Credits
=======

This vulnerability was reported to Samba developers by Paul Griffith <paulg@cse.yorku.ca> and Andrew Hogue. Much thanks to Paul and Andrew for their cooperation and patience in the announcement of this defect. Thanks also to Samba developers James Peach and Jeremy Allison for the analysis and resolution of this issue.

The time line is as follows:

* March 20, 2007: Defect first reported to the security@samba.org email alias.
* March 30, 2007: Initial developer response by Gerald Carter.
* April 4, 2007: Patch released to bug reporter for testing.
* April 9, 2007: Fix confirmed by original reporter.
* May 3, 2007: Announcement to vendor-sec mailing list.
* May 14, 2007: Proposed date for public announcement of the security issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Created attachment 118137: 3.0.24-sid2name_elevation.patch
Tiziano please attach an updated ebuild to this bug and we will call arch security liaisons for testing. Do NOT commit anything to Portage yet. If you have any questions about how security bugs like this are handled just ask here or mail me. If you want someone else from the samba team to deal with this please CC them.
Created attachment 118165: samba-3.0.24-r2.ebuild

This is the updated ebuild as requested. The patch has to be named "3.0.24-sid2name_elevation.patch". Tested on x86 (unstable). ... and there IS nobody else in the samba team :-)
Thx for the quick response Tiziano. Arch security liaisons please test and report back on this bug. Please do NOT commit anything yet.
Works for hppa.
looks good on ppc64, too
x86 looks good
looks good on sparc.
looks ok on ppc
Back to preebuild since more issues popped up.
==========================================================
==
== Subject:     Unescaped user input parameters are passed
==              as arguments to /bin/sh allowing for remote
==              command execution
==
== CVE ID#:     CVE-2007-2447
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:
==
==========================================================

===========
Description
===========

This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the "username map script" smb.conf option (which is not enabled by default). After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well.

The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking external scripts defined in smb.conf. However, unlike the "username map script" vulnerability, the remote file and printer management scripts require an authenticated user session.

==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to this email. At the time of public disclosure, the patch will be posted to http://www.samba.org/samba/security/.

Back ports of the patch to Samba 2.2.12, 3.0.9, and 3.0.10 are available upon request thanks to Samba/RedHat developer Simo Sorce <idra@samba.org>.

==========
Workaround
==========

This defect may be alleviated by removing all defined external script invocations (username map script, add printer command, etc...) from smb.conf.

The Samba Team always encourages users to run the latest stable release as a defense against attacks. If this is not immediately possible, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html

=======
Credits
=======

This vulnerability was reported to Samba developers by Joshua J. Drake, iDefense Labs (http://www.idefense.com/), as part of their Vulnerability Contributor Program.

The time line is as follows:

* May 7, 2007: Initial defect disclosure to the security@samba.org email alias.
* May 7, 2007: Initial developer response by Samba developer Gerald Carter.
* May 9, 2007: Patch released by Samba developer Jeremy Allison to iDefense for testing.
* May 10, 2007: Announcement to vendor-sec mailing list.
* May 14, 2007: Proposed date for public announcement of the security issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
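The root cause named in the advisory above, a user-controlled string from an MS-RPC call spliced into a command line that is then handed to /bin/sh for an smb.conf script hook, is shown here as an added C example. This is not Samba's code and not the upstream patch: the script path, the sample user names and the helper names are assumptions, and the metacharacter set is an illustration of the escaping approach rather than the exact list any Samba release uses. The unsafe builder is kept alongside two defences: backslash-escaping before the splice, and bypassing the shell entirely by exec'ing the script with an argv array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh gives meaning to when they appear unquoted.
 * Illustrative set (assumption); review it against the shell in use. */
static const char SHELL_META[] = "`$\\\"'|&;<>()[]{}*?~!#\t ";

/* Returns 1 if s contains anything /bin/sh would interpret, else 0. */
int has_shell_meta(const char *s)
{
    for (; *s; s++) {
        if (*s == '\n' || strchr(SHELL_META, *s) != NULL)
            return 1;
    }
    return 0;
}

/* Vulnerable pattern: build one string that is later run via "/bin/sh -c".
 * The user-controlled name is spliced in verbatim, so a name such as
 * "ab`id`" makes the shell run id before the mapping script sees it.
 * Returns the command length, or -1 if the buffer is too small. */
int build_command_unsafe(char *out, size_t outlen,
                         const char *script, const char *user)
{
    int n = snprintf(out, outlen, "%s %s", script, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardening 1: backslash-escape every metacharacter before splicing.
 * A backslash before a newline is a line continuation, not a literal,
 * so a name containing a newline is refused outright.
 * Returns the escaped length, or -1 on newline or a too-small buffer. */
int escape_shell_string(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        if (*in == '\n')
            return -1;
        if (strchr(SHELL_META, *in) != NULL) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardening 2 (preferred): no shell at all. The script is exec'd directly
 * and the name travels as one argv element, so nothing is ever parsed
 * as shell syntax. Returns the script's exit status, or -1 on failure. */
int run_script_noshell(const char *script, const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)user, NULL };
        execv(script, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: a benign name and one carrying a
     * command substitution. The script path is hypothetical. */
    const char *names[] = { "alice", "ab`id`" };
    char cmd[256], esc[256];

    for (size_t i = 0; i < 2; i++) {
        build_command_unsafe(cmd, sizeof cmd, "/usr/local/sbin/map_user.sh", names[i]);
        printf("unsafe command string : %s\n", cmd);
        if (escape_shell_string(names[i], esc, sizeof esc) >= 0)
            printf("escaped user name     : %s\n", esc);
        printf("metacharacters present: %d\n", has_shell_meta(names[i]));
    }
    /* /bin/echo receives the literal text ab`id`; nothing is substituted. */
    return run_script_noshell("/bin/echo", names[1]) == 0 ? 0 : 1;
}
```

The execv route is the stronger of the two because it removes the parser that the attacker is targeting; escaping keeps the "one command line in smb.conf" contract but only holds as long as the metacharacter list is complete for the shell actually installed, which is why the example also exposes has_shell_meta() for callers that would rather reject than rewrite.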
Created attachment 118832: 3.0.24-shell_escape.patch

Upstream fix for CVE-2007-2447.
==========================================================
==
== Subject:     Multiple Heap Overflows Allow Remote
==              Code Execution
==
== CVE ID#:     CVE-2007-2446
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:     Various bugs in Samba's NDR parsing
==              can allow a user to send specially
==              crafted MS-RPC requests that will
==              overwrite the heap space with user
==              defined data.
==
==========================================================

===========
Description
===========

Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to this email. At the time of public disclosure, the patch will be posted to http://www.samba.org/samba/security/.

Back ports of the patch to Samba 2.2.12, 3.0.9, and 3.0.10 are available upon request thanks to Samba/RedHat developer Simo Sorce <idra@samba.org>.

==========
Workaround
==========

There is no immediate workaround for this defect that does not involve changing the server code in the smbd daemon.

The Samba Team always encourages users to run the latest stable release as a defense against attacks. If this is not immediately possible, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html

=======
Credits
=======

This vulnerability was reported to Samba developers by Brian Schafer, TippingPoint Security Response Lead, as part of the Zero Day Initiative (http://www.zerodayinitiative.com).

The time line is as follows:

* April 25, 2007: Four individual defects reported to the security@samba.org email alias.
* April 25, 2007: Initial developer response by Samba developer Volker Lendecke.
* April 28, 2007: Patches for four defects released by Samba developer Jeremy Allison to ZDI for testing.
* May 3, 2007: Fix confirmed by original reporter.
* May 5, 2007: Fifth defect reported to security@samba.org.
* May 5, 2007: Patch for fifth defect released to ZDI for testing by Samba developer Jeremy Allison.
* May 10, 2007: Announcement to vendor-sec mailing list.
* May 14, 2007: Proposed date for public announcement of the security issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Created attachment 118834: 3.0.24-heap_overflow.patch

Upstream fix for CVE-2007-2446.
Tiziano please attach an updated ebuild. Do NOT commit anything yet.
Created attachment 118896: samba-3.0.24-r2.ebuild

Updated ebuild as requested. No revision bump. Patches apply. Tests were successful on ~x86.
Thx again for the quick response Tiziano. Arch security liaisons please test the updated ebuild and report back on this bug. Please do NOT commit anything yet. Note release date is two days away.
Created attachment 118971: 3.0.24-shell_escape.patch

Updated patches from upstream: "Apologies but we found a problem caused by the backport to 3.0.24. The problem was a return value of -11 on string conversion failures rather than -1. The result was an immediate crash."
Tiziano please update ebuild. Release date is getting close so I'm not removing arch security liaisons from CC.
@jaervosz: Sorry, but I can't do it. My machine is completely broken due to a harddrive failure. Since there's nobody else in the team, you'll have to find someone else to do the actual commit.

@arch-team-members: Just use the new patch together with the already committed ebuild, it should work without problems.
Arch security liaisons please give this a test, disclosure is getting close.
The bugs have been announced today (on the samba website), together with the announcement of version 3.0.25.
looks good on ppc64.
Opening bug since this is public now. Arches please test and mark stable.

NOTE: The first arch to test has to commit the ebuild and patches, as Tiziano is unable to do it as per comment #20 (and I don't have x86 commit rights).

Target keywords are:

samba-3.0.24-r2.ebuild: KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
added ebuild/patches and marked stable on ppc64.
Thx Markus.
(In reply to comment #25)
> added ebuild/patches and marked stable on ppc64.

Thanks for keywording hppa as well. I guess this was not intentional, but HPPA is good to go anyway. That keyword seems to have been left in the attached ebuild somehow.
sparc stable.
x86 stable.
ppc stable
ia64 stable
*** Bug 178617 has been marked as a duplicate of this bug. ***
amd64 stable
alpha stable, sorry for the delay.
GLSA 200705-15