Critical Vulnerabilities in Samba [LWN.net]

May 16, 2007

This article was contributed by Jake Edge.

The three vulnerabilities in Samba reported this week should have network administrators scrambling to patch vulnerable servers. Most distributors have already done their scrambling to pick up and apply the fixes so they could release updated samba packages. Each of the vulnerabilities could lead to root privileges; two of them are remotely exploitable - just the kinds of security holes that give administrators nightmares. No exploits have yet been reported, but it is probably only a matter of time; unless they run a completely trusted environment, Samba users need to patch these holes.

The Samba project provides a free implementation of the SMB/CIFS protocols that allow file and print sharing on Windows networks. With Samba, Linux (and other free operating systems) can participate as either a client or server in a mixed OS environment. As Microsoft is not known for its ability (or, perhaps more accurately, willingness) to play well with others, the Samba team has reverse engineered the protocols and the way they are used by Windows so that Samba can bridge that gap. Somewhat surprisingly, the project was not singled out in the latest patent saber rattling by Microsoft; it is probably just an oversight as Samba is precisely the kind of package that Microsoft would want to spread patent FUD about.

The vulnerabilities themselves are fairly straightforward bugs, but it is instructive to look at them; understanding security holes helps avoid them in future code. The first is the shortest lived of the three, only affecting versions 3.0.23d through 3.0.25pre2, whereas the other two affected all versions from 3.0.0. An attempt to simplify the handling of transitions to and from root privileges in the smbd server process is the cause. When looking up System Identifiers (SIDs) in a local list of users and groups, it may transition to rather than from the root user allowing a local attacker to perform some operations as root.

The second reported vulnerability appears to be the most serious as it is remotely exploitable without requiring authentication with the Samba server. By sending specifically crafted packets to the server, an attacker could cause the heap to be overwritten, leading to execution of code provided by the attacker. The underlying cause, as shown by this patch, is not checking for NULL as the return value from a memory allocation routine.

The final report concerns unsanitized user input that is passed to /bin/sh to be executed. By using shell metacharacters in the data sent, an attacker could execute code on the server. If the 'username map script' option has been enabled in smb.conf (it is off by default), the remote attacker need not be authenticated with the server to execute the code. In the standard install, a remote user would be required to authenticate to gain access to the file and print sharing management features before being able to exploit this vulnerability.

With the exception of the SID lookup botch, these kinds of bugs are not new and not specific to Samba. Some variant of the user input filtering problem is the root cause of the majority of web-based security problems and forgetting to check for NULL in allocations is as old as the C language itself. It is probably a bit embarrassing to the team, but it is not surprising that these kinds of problems creep in. Programming securely is difficult and there are a lot of ways to go wrong. Based on the timelines, the Samba team responded promptly in getting fixes out and made sure the word got out. This is the right response in the face of these inevitable bugs.

(Log in to post comments)

Critical Vulnerabilities in Samba

Posted May 17, 2007 5:09 UTC (Thu) by thedevil (subscriber, #32913) [Link]

>>I've always heard that memory allocations never fail on Linux<<

They can if you have this in /etc/sysctl.conf:
vm.overcommit_memory=2

Critical Vulnerabilities in Samba

Posted May 17, 2007 5:43 UTC (Thu) by ncm (subscriber, #165) [Link]

Very large allocation requests (e.g. bigger than RAM + swap) can fail immediately.

Critical Vulnerabilities in Samba

Posted May 17, 2007 10:00 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Some very conservatively written pieces of software do handle failed memory allocation. It's easier (possible) to do this if for your software 'nothing happens' is considered to be an acceptable consequence of such a dire problem. e.g. as far as I know the 'init' process will simply fail to launch a new process, wait a while and try again later. Several other daemons have been written so that their behaviour degrades gracefully if allocations start failing after they reach their idle state.

For user interactive application software you're right that it's normally doom, if you can't get memory to draw a picture, you may not be able to get enough memory to pop up a dialog which says "Out of memory" either.

In any case it's not acceptable for a serious security problem to occur as a result of lack of available memory. At worst this should cause a temporary denial of service.

Memory shortage

Posted May 17, 2007 14:18 UTC (Thu) by dark (subscriber, #8483) [Link]

One technique of dealing with that is to allocate an emergency reserve of
memory when the program starts up. Then if you run out of memory, start a
graceful shutdown process while allocating from that emergency reserve.

The main difficulty is that library functions won't know about your
reserve. If you're on intimate terms with your malloc implementation, you
can get around that by actually freeing the emergency reserve, and relying
on malloc to keep the memory around and allocate from that space.

Of course, it wouldn't be a good idea for every program to do this. Then
you'd run out of memory. ;)

Critical Vulnerabilities in Samba

Posted May 18, 2007 2:51 UTC (Fri) by walters (subscriber, #7396) [Link]

And in any case, the one of the least useful things to do is pop up a dialog that says "Out of Memory [Ok]", even if you could.

Critical Vulnerabilities in Samba

Posted May 18, 2007 13:12 UTC (Fri) by cortana (subscriber, #24596) [Link]

To be fair, that is preferable to what many Linux applications do: exit immediatly and silently, with no explanation.

Critical Vulnerabilities in Samba

Posted May 21, 2007 10:29 UTC (Mon) by dion (subscriber, #2764) [Link]

Nope.

There are few things worse than applications that hang in stead of failing.

I'd much rather have the application crash so it can be restarted than have it wait for an operator to log in and manually shut it down.

Anything that could ever be automated must be able to crash rather than hang, so the "Application has run out of memory" dialog must be an external post-crash handler that can be turned off if not needed.

Granted, GUI applications that are 100% unscriptable might get away with assuming that there is a warm body in the chair in front of it, but I like to think those are few and far between.

Critical Vulnerabilities in Samba

Posted May 18, 2007 8:15 UTC (Fri) by xoddam (subscriber, #2322) [Link]

> I've always heard that memory allocations never fail on Linux

Depends entirely how you allocate the memory! The standard malloc() in
glibc will rarely fail, large allocations result in new anonymous and
unallocated pages supplied by mmap(), but it *is* possible to run out of
virtual memory space for new allocations in a long-running daemon,
especially if it has many threads (which fragment the vm space).

On the other hand many applications use alternative allocators that are
more likely to return NULL. It is possible to refuse to overcommit memory
in the kernel, and to try to impose a realistic maximum heap size in
glibc.

> there are no practical ways to handle failed memory allocation.

A good system is designed robustly enough to cope with failure. In a
network daemon dropping packets or closing connections once in a while is
just fine; performance will suffer but nothing ought to break.

Overloaded types in Samba

Posted May 21, 2007 15:34 UTC (Mon) by rfunk (subscriber, #4054) [Link]

Isn't "Maybe Integer" just another way of overloading types? Seems to me that the result
is the same either way, at least in the case where NULL is returned instead of a pointer
(since a valid pointer never equals NULL).

Overloaded types in Samba

Posted May 24, 2007 7:04 UTC (Thu) by roy_hu (guest, #43193) [Link]

In Haskell, the Maybe type is defined as
data Maybe a = Nothing | Just a

So if you're given something of Maybe Integer type, you have to pattern match it with the two constructors in order to get the integer value out of it.

I think his point is that you have to deal with failure upfront; you cannot ignore it.

Sidebar: Patent Fud

Posted May 17, 2007 13:33 UTC (Thu) by stevan (subscriber, #4342) [Link]

Also, it would be difficult to threaten your American audience while
trying to convince European regulators that you're squeaky clean when it
comes to interoperability - Microsoft, or rather their lawyers, need Samba
right now.

Critical Vulnerabilities in Samba

Posted May 25, 2007 18:06 UTC (Fri) by jra@samba.org (guest, #35394) [Link]

Detailed explaination of the issues.

Actually we never forgot to check for NULL being returned from a *alloc (we pass Coverity testing remember). The problem was in the hand-marshalling RPC code. The bug was that an array size is passed in two places in DCE/RPC. We allocated using one size, then enumerated over the data with the second, *without checking that the sizes match* ! A second issue was an integer wrap where a size requested had one added to it without checkign for wrap, which allowed it to be sent as 0xFFFFFFFF and become 0. malloc(0) in glibc returns a valid heap address pointing to no addressable data. Thus an attacker could overwrite the heap.

The generic fix was to fix all of Samba to check for a zero-length alloc request and check this *before* the allocation routine was called.

The second problem was missing calling our sanitization function for incoming user-data. I fixed this be adding a generic shell-calling sanitization function that all shell requests are passed though.

Jeremy Allison,
Samba Team.