|
|
|
|
| |
Credit:
The information has been provided by "Gerald (Jerry) Carter".
|
| |
Format string bug in afsacl.so VFS plugin:
Versions:
The AFS ACL mapping VFS plugin distributed in Samba 3.0.6 - 3.0.23d (inclusive)
CVE Information:
CVE-2007-0454
The name of a file on the server's share is used as the format string when setting an NT security descriptor through the afsacl.so VFS plugin.
This vulnerability only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module.
The source defect results in the name of a file stored on disk being used as the format string in a call to snprintf(). This bug becomes exploitable only when a user is able to write to a share which utilizes Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.
Patch:
A patch against Samba 3.0.23d has been attached to this email. This fix has be incorporated into the Samba 3.0.24 release.
Patches are also available from at the Samba Security page (http://www.samba.org/samba/security).
Workaround:
An unpatched server may be protected by removing all references to the afsacl.so VFS module from shares in smb.conf.
Disclosure Timeline:
* Jan 8, 2007: Defect first reported to the security@samba.org email alias.
* Jan 8, 2007: Initial developer response by Jeremy Allison confirming the issue.
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.
afsacl.patch:
diff -urN samba-3.0.23d/source/modules/vfs_afsacl.c samba/source/modules/vfs_afsacl.c
--- samba-3.0.23d/source/modules/vfs_afsacl.c 2006-06-23 08:16:50.000000000 -0500
+++ samba/source/modules/vfs_afsacl.c 2007-01-29 20:11:07.000000000 -0600
@@ -901,7 +901,7 @@
ZERO_STRUCT(dir_acl);
ZERO_STRUCT(file_acl);
- pstr_sprintf(name, fsp->fsp_name);
+ pstrcpy(name, fsp->fsp_name);
if (!fsp->is_directory) {
/* We need to get the name of the directory containing the
Potential Denial of Service bug in smbd
Versions:
* Samba 3.0.6 - 3.0.23d (inclusive)
CVE Information:
CVE-2007-0452
Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never removed from the deferred open queue. smbd will then become stuck is a loop trying to service the open request.
This bug may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite loop.
Patch:
A patch against Samba 3.0.23d has been attached to this email. This fix has be incorporated into the Samba 3.0.24 release. Patches are also available from at the Samba Security page (http://www.samba.org/samba/security).
Workaround:
The bug is believed to be exploitable only by an authenticated user. The server's exposure can be alleviated by disabling any suspect or hostile user accounts.
smbd_deferred_open_v2.patch:
diff -urN samba-3.0.23d/source/printing/nt_printing.c samba/source/printing/nt_printing.c
--- samba-3.0.23d/source/printing/nt_printing.c 2006-07-10 11:27:50.000000000 -0500
+++ samba/source/printing/nt_printing.c 2007-01-30 15:00:45.000000000 -0600
@@ -4839,7 +4839,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting driverfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4848,7 +4848,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting configfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4857,7 +4857,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting datafile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4866,7 +4866,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting helpfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4882,7 +4882,7 @@
pstrcpy( file, p );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting dependent file [%s]\n", file));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
i++;
diff -urN samba-3.0.23d/source/smbd/nttrans.c samba/source/smbd/nttrans.c
--- samba-3.0.23d/source/smbd/nttrans.c 2006-06-23 08:16:49.000000000 -0500
+++ samba/source/smbd/nttrans.c 2007-01-30 15:00:45.000000000 -0600
@@ -664,7 +664,7 @@
if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE)
&& (access_mask & DELETE_ACCESS)) {
#endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
/* We're only going to fail here if it's access denied, as that's the
only error we care about for "can we delete this ?" questions. */
if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1281,7 +1281,7 @@
/* Setting FILE_SHARE_DELETE is the hint. */
if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) && (access_mask & DELETE_ACCESS)) {
#endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
/* We're only going to fail here if it's access denied, as that's the
only error we care about for "can we delete this ?" questions. */
if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1888,8 +1888,14 @@
status = rename_internals(conn, fsp->fsp_name,
new_name, 0, replace_if_exists, path_contains_wcard);
- if (!NT_STATUS_IS_OK(status))
+
+ if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
return ERROR_NT(status);
+ }
/*
* Rename was successful.
diff -urN samba-3.0.23d/source/smbd/reply.c samba/source/smbd/reply.c
--- samba-3.0.23d/source/smbd/reply.c 2006-06-23 08:16:49.000000000 -0500
+++ samba/source/smbd/reply.c 2007-01-30 15:00:45.000000000 -0600
@@ -1865,7 +1865,7 @@
Check if a user is allowed to delete a file.
********************************************************************/
-NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open)
+NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open, BOOL can_defer)
{
SMB_STRUCT_STAT sbuf;
uint32 fattr;
@@ -1938,7 +1938,7 @@
FILE_OPEN,
0,
FILE_ATTRIBUTE_NORMAL,
- 0,
+ can_defer ? 0 : INTERNAL_OPEN_ONLY,
NULL);
if (!fsp) {
@@ -1960,7 +1960,7 @@
code.
****************************************************************************/
-NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild)
+NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild, BOOL can_defer)
{
pstring directory;
pstring mask;
@@ -2000,7 +2000,7 @@
if (!has_wild) {
pstrcat(directory,"/");
pstrcat(directory,mask);
- error = can_delete(conn,directory,dirtype,bad_path,False);
+ error = can_delete(conn,directory,dirtype,bad_path,False,can_defer);
if (!NT_STATUS_IS_OK(error))
return error;
@@ -2058,7 +2058,7 @@
}
slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
- error = can_delete(conn,fname,dirtype,bad_path,False);
+ error = can_delete(conn,fname,dirtype,bad_path,False,False);
if (!NT_STATUS_IS_OK(error)) {
continue;
}
@@ -2104,7 +2104,7 @@
DEBUG(3,("reply_unlink : %s\n",name));
- status = unlink_internals(conn, dirtype, name, path_contains_wcard);
+ status = unlink_internals(conn, dirtype, name, path_contains_wcard, True);
if (!NT_STATUS_IS_OK(status)) {
if (open_was_deferred(SVAL(inbuf,smb_mid))) {
/* We have re-scheduled this call. */
diff -urN samba-3.0.23d/source/smbd/trans2.c samba/source/smbd/trans2.c
--- samba-3.0.23d/source/smbd/trans2.c 2006-11-14 08:42:12.000000000 -0600
+++ samba/source/smbd/trans2.c 2007-01-30 15:00:35.000000000 -0600
@@ -4446,9 +4446,15 @@
fname, newname ));
status = rename_internals(conn, fname, base_name, 0, overwrite, False);
}
+
if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
return ERROR_NT(status);
}
+
process_pending_change_notify_queue((time_t)0);
SSVAL(params,0,0);
send_trans2_replies(outbuf, bufsize, params, 2, *ppdata, 0);
Buffer overrun in NSS host lookup Winbind library on Solaris:
Versions:
* Samba 3.0.21 - 3.0.23d (inclusive) running on Sun Solaris
CVE Information:
CVE-2007-0453
This vulnerability only affects Sun Solaris systems running Samba's winbindd daemon and configured to make use of the nss_winbind.so.1 library for gethostbyname() and getipnodebyname() name resolution queries.
For example,
## /etc/nsswitch.conf
...
ipnodes: files winbind
hosts: files winbind
The buffer overrun is caused by copying a string passed into the NSS interface into a static buffer prior to sending the request to the winbindd daemon.
A patch against Samba 3.0.23d has been attached to this email. This fix has be incorporated into the Samba 3.0.24 release.
Patches are also available from at the Samba Security page (http://www.samba.org/samba/security).
Workaround:
An unpatched Solaris server may be protected by removing the 'winbind' entry from the hosts and ipnodes services in /etc/nsswitch.conf.
Disclosure Timeline:
* Dec 15, 2006: Defect first reported to the security@samba.org email alias.
* Dec 21, 2006: Initial developer response by Andrew Tridgell confirming the issue.
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.
winbind_nss_solaris.patch:
diff -urN samba-3.0.23d/source/nsswitch/winbind_nss_solaris.c samba/source/nsswitch/winbind_nss_solaris.c
--- samba-3.0.23d/source/nsswitch/winbind_nss_solaris.c 2006-04-19 21:29:21.000000000 -0500
+++ samba/source/nsswitch/winbind_nss_solaris.c 2007-01-29 19:51:11.000000000 -0600
@@ -493,7 +493,8 @@
af = AF_INET6;
#endif
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name)) ;
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response))
== NSS_STATUS_SUCCESS ) {
@@ -515,7 +516,8 @@
ZERO_STRUCT(response);
ZERO_STRUCT(request);
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name));
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response))
== NSS_STATUS_SUCCESS ) {
|
|
|
|
|
