
samba-wsmbconf.txt

Posted Aug 17, 1999

A vulnerability exists in Samba 1.9.18 as distributed by Red Hat, Caldera, and TurboLinux. The vulnerability is in the wsmbconf binary, which is installed setgid root and executable by everyone. Normal users can exploit this vulnerability to gain read/write access as the group root.

tags | exploit, root
systems | linux, redhat
SHA-256 | c6256498872e55efaafbe11c2473a7180d31e91caa6fc2181fe507f1c17b8778



Date: Thu, 19 Nov 1998 18:20:18 +1100
Reply-To: tridge@samba.anu.edu.au
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Andrew Tridgell <tridge@SAMBA.ANU.EDU.AU>
Subject: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux

-----BEGIN PGP SIGNED MESSAGE-----

The Samba team has discovered two security vulnerabilities in the
samba-1.9.18 RPMs as distributed by RedHat, Caldera and TurboLinux.
As far as we know no other distributions of Samba are affected.

summary:
========

The first problem is the installation permissions of the wsmbconf
binary. The RPM installs wsmbconf as a setgid binary owned by group
root and executable by all users.

The wsmbconf program was a prototype application and was never meant to
make its way into a Samba release. It was not designed to be setgid
and is vulnerable to attack by local users when installed setgid.

The second problem is that the spec file creates a world writeable
spool area /var/spool/samba but does not set the t bit. The t bit
should be set on Samba spool directories.

impact:
=======

1) non-privileged users can use wsmbconf to gain read/write access to
any file which is accessible to the root group.

2) non-privileged users can alter the content of documents being
printed by other users. If an interpreter such as ghostscript is used
to process print files then the insertion of exploit code into print
files may allow an attacker to exploit vulnerabilities in the
interpreter to gain access to files owned by users submitting print
jobs.

vulnerable systems:
===================

The wsmbconf vulnerability is known to affect the binary versions of
Samba-1.9.18 distributed with RedHat Linux, Caldera OpenLinux and PHT
TurboLinux.

The /var/spool/samba vulnerability is known to affect all binary
versions of Samba distributed with RedHat from version 4.0 up to
5.2. It is believed to also affect a wide range of Caldera and
TurboLinux versions but specifics are not available at this time.

Systems on which Samba has been built from the distributed source code
(the .tar.gz files) are not vulnerable. Both vulnerabilities are
present only in the packaging files used for particular binary
distributions.

You can tell if your system is vulnerable by looking for a file called
/usr/sbin/wsmbconf. If you have that file then you have a vulnerable
installation.

workaround:
===========

1) All systems on which /usr/sbin/wsmbconf is installed should
immediately remove that file:

rm -f /usr/sbin/wsmbconf

Removing that file will not in any way adversely affect your Samba
installation as the file is not actually part of Samba 1.9.18. It
was included in the distribution inadvertently.

2) All systems which have a /var/spool/samba directory should ensure
that the t bit is set on that directory:

chmod +t /var/spool/samba

fix:
====

1) The cause of the first problem is the following line in the spec
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:

%attr(2755,root,root) /usr/sbin/wsmbconf

The 2755 permissions are incorrect. The correct action is to remove
wsmbconf completely from the spec file.


2) The cause of the second problem is the following line in the spec
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:

%attr(777,root,root) %dir /var/spool/samba

The line should be changed to read:

%attr(1777,root,root) %dir /var/spool/samba


updated packages:
================

RedHat and Caldera have released new RPMs on their ftp sites. We expect
PHT to release new RPMs shortly.

The URLs I have been given are:

Caldera
ftp.caldera.com:/pub/OpenLinux/updates/1.3/007

Redhat
Red Hat Linux 4.2
alpha ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rpm
i386 ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm
sparc ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rpm
Red Hat Linux 5.0, 5.1 and 5.2:
alpha ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rpm
i386 ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm
sparc ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rpm

additional:
===========

wsmbconf was included inadvertently in the RedHat spec file as
distributed in Samba 1.9.18 by a Samba Team member. RedHat, Caldera
and PHT are not responsible for this vulnerability, even though only
those systems are affected. The Samba Team apologises to RedHat,
Caldera and PHT users for these mistakes.

These vulnerabilities were discovered during routine inspection of the
spec files. We are not aware of anyone actively exploiting these
vulnerabilities, although exploits are certainly possible.
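
An added example, not part of the original advisory or of Samba: a small Python check that applies the two permission rules from the workaround and fix sections, both to `%attr` lines of a spec file and to installed paths. The names `mode_findings`, `lint_spec`, `audit_path` and `SPEC_LINES` are hypothetical, and the sample input is constructed from the three spec lines quoted in the advisory.

```python
import os
import re
import stat

# Matches: %attr(mode,user,group) [%dir] path  ("-" means default mode)
ATTR_RE = re.compile(r"^%attr\(\s*(-|[0-7]{3,4})\s*,[^)]*\)\s*(%dir\s+)?(\S+)")

# Constructed sample: the three %attr lines quoted in the advisory.
SPEC_LINES = """\
%attr(2755,root,root) /usr/sbin/wsmbconf
%attr(777,root,root) %dir /var/spool/samba
%attr(1777,root,root) %dir /var/spool/samba
"""

def mode_findings(mode, is_dir):
    """Return which of the advisory's two permission problems a mode has."""
    found = []
    special = stat.S_ISUID | stat.S_ISGID
    if not is_dir and mode & special and mode & stat.S_IXOTH:
        found.append("setuid/setgid and executable by all users")
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        found.append("world-writable directory without the t bit")
    return found

def lint_spec(text):
    """Check every %attr line of a spec file; returns (path, finding) pairs."""
    report = []
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m and m.group(1) != "-":
            mode = int(m.group(1), 8)  # spec modes are octal
            for finding in mode_findings(mode, bool(m.group(2))):
                report.append((m.group(3), finding))
    return report

def audit_path(path):
    """Apply the same checks to an installed file or directory."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []  # nothing installed at that path
    return mode_findings(stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))

if __name__ == "__main__":
    for path, finding in lint_spec(SPEC_LINES):
        print("spec:", path, "-", finding)
    for path in ("/usr/sbin/wsmbconf", "/var/spool/samba"):
        for finding in audit_path(path):
            print("host:", path, "-", finding)
```

The linter treats a path as a directory only when the line carries `%dir`, so a directory listed without it is checked as a file.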
