Security

Critical Vulnerabilities in Samba

The three vulnerabilities in Samba reported this week should have network administrators scrambling to patch vulnerable servers. Most distributors have already done their scrambling to pick up and apply the fixes so they could release updated samba packages. Each of the vulnerabilities could lead to root privileges; two of them are remotely exploitable - just the kinds of security holes that give administrators nightmares. No exploits have yet been reported, but it is probably only a matter of time; unless they run a completely trusted environment, Samba users need to patch these holes.

The Samba project provides a free implementation of the SMB/CIFS protocols that allow file and print sharing on Windows networks. With Samba, Linux (and other free operating systems) can participate as either a client or server in a mixed OS environment. As Microsoft is not known for its ability (or, perhaps more accurately, willingness) to play well with others, the Samba team has reverse engineered the protocols and the way they are used by Windows so that Samba can bridge that gap. Somewhat surprisingly, the project was not singled out in the latest patent saber rattling by Microsoft; it is probably just an oversight as Samba is precisely the kind of package that Microsoft would want to spread patent FUD about.

The vulnerabilities themselves are fairly straightforward bugs, but it is instructive to look at them; understanding security holes helps avoid them in future code. The first is the shortest lived of the three, only affecting versions 3.0.23d through 3.0.25pre2, whereas the other two affected all versions from 3.0.0. An attempt to simplify the handling of transitions to and from root privileges in the smbd server process is the cause. When looking up System Identifiers (SIDs) in a local list of users and groups, it may transition to rather than from the root user allowing a local attacker to perform some operations as root.

The second reported vulnerability appears to be the most serious as it is remotely exploitable without requiring authentication with the Samba server. By sending specifically crafted packets to the server, an attacker could cause the heap to be overwritten, leading to execution of code provided by the attacker. The underlying cause, as shown by this patch, is not checking for NULL as the return value from a memory allocation routine.

The final report concerns unsanitized user input that is passed to /bin/sh to be executed. By using shell metacharacters in the data sent, an attacker could execute code on the server. If the 'username map script' option has been enabled in smb.conf (it is off by default), the remote attacker need not be authenticated with the server to execute the code. In the standard install, a remote user would be required to authenticate to gain access to the file and print sharing management features before being able to exploit this vulnerability.

With the exception of the SID lookup botch, these kinds of bugs are not new and not specific to Samba. Some variant of the user input filtering problem is the root cause of the majority of web-based security problems and forgetting to check for NULL in allocations is as old as the C language itself. It is probably a bit embarrassing to the team, but it is not surprising that these kinds of problems creep in. Programming securely is difficult and there are a lot of ways to go wrong. Based on the timelines, the Samba team responded promptly in getting fixes out and made sure the word got out. This is the right response in the face of these inevitable bugs.

Comments (15 posted)

bind: denial of service

Comments (1 posted)

samba: several vulnerabilities

Comments (none posted)

squirrelmail: missing input sanitizing

Comments (none posted)