Samba vulnerabilities

Created 7/3/01

Impact

In some configurations, the Samba server could allow a local user to append to arbitrary files, and a remote attacker to avoid logging of failed connection attempts, which could allow brute force attacks. In other configurations, it could be possible for any attacker, local or remote, to append to arbitrary files. This could easily be leveraged to gain full root access to the system.

Background

Server Message Block (SMB) is a network protocol native to Windows systems which allows sharing of files and printers across a network. Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems.

Every computer which uses the SMB protocol is assigned a netbios name. This name is used to identify the computer on the network for the purposes of resolving SMB requests.

The Problem

The Samba server is often configured to log error messages in a file whose name is determined by the netbios name of the client. If this is the case, insufficient checking of the client's netbios name by Samba could allow an attacker to change the path of the log file. In the worst-case scenario, this could lead to remote write access to arbitrary files, which could result in remote root access. In other scenarios, this could lead to privilege elevation by a local attacker, or the opportunity for a remote attacker to perform brute-force password guessing attacks without being logged.

Samba versions prior to 2.0.10 are affected by this vulnerability if the log file name includes the netbios name (represented by %m) in the configuration file. The Samba configuration file is usually located in /etc/smb.conf or /etc/samba/smb.conf. For example, if a Samba server prior to version 2.0.10 is installed, and the /etc/smb.conf file includes the following line:

    log file = /var/log/samba/%m.log

then the server is vulnerable.

Resolution

Upgrade to version 2.0.10 or higher of the Samba 2.0.x series, or to version 2.2.0a or higher. Alternatively, change the log file parameter in the Samba configuration file so that the path name does not depend on any variables (such as %m). See SecurityFocus for update information from specific vendors.
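The following script is an added example, not code from Samba or from this advisory. It covers both the condition described under "The Problem" (a "log file" setting that substitutes the client's netbios name via %m) and the configuration-side fix given above: it parses a minimal smb.conf, reports whether the log file path depends on any substitution variable, and shows the two defensive checks that a path built from a client-supplied name needs, a conservative netbios name validator and a test that the resolved path still lies inside the log directory. The smb.conf text, the log directory and the client names are constructed for the example; the netbios allow-list is deliberately stricter than the full NetBIOS naming rules.

```python
"""
Audit an smb.conf for a "log file" path that depends on client-controlled
substitutions, and show the containment checks such a path needs.

Added example, not Samba's own code. All configuration text and names
below are constructed for illustration.
"""
import os
import re

# Constructed sample, modelled on the vulnerable line quoted in the advisory.
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/%m.log
   max log size = 50
[homes]
   browseable = no
"""

# Constructed sample following the advisory's recommended fix: the path
# contains no substitution variables at all.
FIXED_CONF = """\
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.smbd
   max log size = 50
"""

# Any %x substitution variable. %m (client netbios name) is the one the
# advisory is about; flagging every variable matches the Resolution advice
# that the path should not depend on any of them.
SUBST_RE = re.compile(r"%[a-zA-Z]")

# Conservative allow-list for a netbios name (assumption for this example):
# 1 to 15 characters, letters, digits, hyphen and underscore only. Real
# NetBIOS permits a few more characters, but never '/', '\' or '..'.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {param: value}}.
    Parameter names are lower-cased with whitespace collapsed, mirroring
    Samba's case- and space-insensitive handling of 'log file'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = " ".join(key.split()).lower()
            sections[current][key] = value.strip()
    return sections


def audit_log_file(text):
    """Return (log_file_value, variables_found) for the [global] section.
    An empty variable list means the path is fixed, as the fix requires."""
    conf = parse_smb_conf(text)
    log_file = conf.get("global", {}).get("log file", "")
    return log_file, SUBST_RE.findall(log_file)


def is_vulnerable_config(text):
    """True when 'log file' includes %m: the condition stated in the advisory
    for Samba releases before 2.0.10."""
    return "%m" in audit_log_file(text)[1]


def netbios_name_is_sane(name):
    """Reject anything outside the conservative netbios allow-list."""
    return NETBIOS_RE.fullmatch(name) is not None


def log_path_stays_in_dir(template, client_name, log_dir="/var/log/samba"):
    """Substitute %m and verify the normalised result is still under log_dir.
    This is the containment check a path built from client input needs."""
    candidate = os.path.normpath(template.replace("%m", client_name))
    return candidate.startswith(os.path.join(log_dir, ""))


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        path, variables = audit_log_file(conf)
        print(f"{label:10s} log file = {path!r:32s} variables = {variables}")
    for name in ("WORKSTATION1", "../other"):
        print(f"{name!r}: sane={netbios_name_is_sane(name)}, "
              f"contained={log_path_stays_in_dir('/var/log/samba/%m.log', name)}")
```

Running the audit over a real smb.conf only needs `audit_log_file(open(path).read())`; a non-empty variable list on a pre-2.0.10 server is the finding, and replacing the line with a constant path (as in FIXED_CONF) is the workaround the Resolution section describes. The two containment functions are independent of the upgrade: they illustrate the checks a daemon must apply whenever a client-supplied name is spliced into a filesystem path.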

Where can I read more about this?

For more information on this vulnerability, see the announcement from Samba and the posting to Bugtraq. Also see more information about SAMBA in general.