blob: b2bb4efdd3eac629f301c49367682597bd0b8192 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
WHATS NEW IN Samba 2.2.0a: 23rd June 2001
==========================================
SECURITY FIX
============
This is a security bugfix release for Samba 2.2.0. This release provides the
following two changes *ONLY* from the 2.2.0 release.
1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
and described in the security advisory below.
2). Fix for the hosts allow/hosts deny parameters not being honoured.
No other changes are being made for this release to ensure a security fix only.
For new functionality (including these security fixes) download Samba 2.2.1
when it is available.
The security advisory follows :
IMPORTANT: Security bugfix for Samba
------------------------------------
June 23rd 2001
Summary
-------
A serious security hole has been discovered in all versions of Samba
that allows an attacker to gain root access on the target machine for
certain types of common Samba configuration.
The immediate fix is to edit your smb.conf configuration file and
remove all occurances of the macro "%m". Replacing occurances of %m
with %I is probably the best solution for most sites.
Details
-------
A remote attacker can use a netbios name containing unix path
characters which will then be substituted into the %m macro wherever
it occurs in smb.conf. This can be used to cause Samba to create a log
file on top of an important system file, which in turn can be used to
compromise security on the server.
The most commonly used configuration option that can be vulnerable to
this attack is the "log file" option. The default value for this
option is VARDIR/log.smbd. If the default is used then Samba is not
vulnerable to this attack.
The security hole occurs when a log file option like the following is
used:
log file = /var/log/samba/%m.log
In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the
server.
If your Samba configuration has something like the following:
log file = /var/log/samba/%m
Then the attacker could successfully compromise your server remotely
as no symbolic link is required. This type of configuration is very
rare.
The most commonly used log file configuration containing %m is the
distributed in the sample configuration file that comes with Samba:
log file = /var/log/samba/log.%m
in that case your machine is not vulnerable to this attack unless you
happen to have a subdirectory in /var/log/samba/ which starts with the
prefix "log."
Credit
------
Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
vulnerability.
New Release
-----------
While we recommend that vulnerable sites immediately change their
smb.conf configuration file to prevent the attack we will also be
making new releases of Samba within the next 24 hours to properly fix
the problem. Please see http://www.samba.org/ for the new releases.
Please report any attacks to the appropriate authority.
The Samba Team
security@samba.org
---------------------------------------------------------------------------
The release notes for 2.2.0 follow :
This is the official Samba 2.2.0 release. This version of Samba provides
the following new features and enhancements.
Integration between Windows oplocks and NFS file opens (IRIX and Linux
2.4 kernel only). This gives complete data and locking integrity between
Windows and UNIX file access to the same data files.
Ability to act as an authentication source for Windows 2000 clients as
well as for NT4.x clients.
Integration with the winbind daemon that provides a single
sign on facility for UNIX servers in Windows 2000/NT4 networks
driven by a Windows 2000/NT4 PDC. winbind is not included in
this release, it currently must be obtained separately. We are
committed to including winbind in a future Samba 2.2.x release.
Support for native Windows 2000/NT4 printing RPCs. This includes
support for automatic printer driver download.
Support for server supported Access Control Lists (ACLs).
This release contains support for the following filesystems:
Solaris 2.6+
SGI Irix
Linux Kernel with ACL patch from http://acl.bestbits.at
Linux Kernel with XFS ACL support.
Caldera/SCO UnixWare
IBM AIX
FreeBSD (with external patch)
Other platforms will be supported as resources are
available to test and implement the encessary modules. If
you are interested in writing the support for a particular
ACL filesystem, please join the samba-technical mailing
list and coordinate your efforts.
On PAM (Pluggable Authentication Module) based systems - better debugging
messages and encrypted password users now have access control verified via
PAM - Note: Authentication still uses the encrypted password database.
Rewritten internal locking semantics for more robustness.
This release supports full 64 bit locking semantics on all
(even 32 bit) platforms. SMB locks are mapped onto POSIX
locks (32 bit or 64 bit) as the underlying system allows.
Conversion of various internal flat data structures to use
database records for increased performance and
flexibility.
Support for acting as a MS-DFS (Distributed File System) server.
Support for manipulating Samba shares using Windows client tools
(server manager). Per share security can be set using these tools
and Samba will obey the access restrictions applied.
Samba profiling support (see below).
Compile time option for enabling a (Virtual file system) VFS layer
to allow non-disk resources to be exported as Windows filesystems
(such as databases etc.).
The documentation in this release has been updated and converted
from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
and some defaults have changed.
Profiling support.
------------------
Support for collection of profile information. A shared
memory area has been created which contains counters for
the number of calls to and the amount of time spent in
various system calls and smb transactions. See the file
profile.h for a complete listing of the information
collected. Sample code for a samba pmda (collection agent
for Performance Co-Pilot) has been included in the pcp
directory.
To enable the profile data collection code in samba, you
must compile samba with profile support (run configure with
the --with-profile option). On startup, collection of data
is disabled. To begin collecting data use the smbcontrol
program to turn on profiling (see the smbcontrol man page).
Profile information collection can be enabled for all smbd
processes or one or more selected processes. The profiling
data collected is the aggragate for all processes that have
profiling enabled.
With samba compiled for profile data collection, you may see
a very slight degradation in performance even with profiling
collection turned off. On initial tests with NetBench on an
SGI Origin 200 server, this degradation was not measureable
with profile collection off compared to no profile collection
compiled into samba.
With count profile collection enabled on all clients, the
degradation was less than 2%. With full profile collection
enabled on all clients, the degradation was about 8.5%.
=====================================================================
If you think you have found a bug please email a report to :
samba@samba.org
As always, all bugs are our responsibility.
Regards,
The Samba Team.
|
