samba-wsmbconf.txt

1999-08-17T00:00:00
ID PACKETSTORM:15291
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
  
Date: Thu, 19 Nov 1998 18:20:18 +1100  
Reply-To: tridge@samba.anu.edu.au  
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>  
From: Andrew Tridgell <tridge@SAMBA.ANU.EDU.AU>  
Subject: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
The Samba team has discovered two security vulnerabilities in the  
samba-1.9.18 RPMs as distributed by RedHat, Caldera and TurboLinux.  
As far as we know no other distributions of Samba are affected.  
  
summary:  
========  
  
The first problem is the installation permissions of the wsmbconf  
binary. The RPM installs wsmbconf as a setgid binary owned by group  
root and executable by all users.  
  
The wsmbconf program was a prototype application and was never meant to  
make its way into a Samba release. It was not designed to be setgid  
and is vulnerable to attack by local users when installed setgid.  
  
The second problem is that the spec file creates a world writeable  
spool area /var/spool/samba but does not set the t bit. The t bit  
should be set on Samba spool directories.  
  
impact:  
=======  
  
1) non-privileged users can use wsmbconf to gain read/write access to  
any file which is accessible to the root group.  
  
2) non-privileged users can alter the content of documents being  
printed by other users. If an interpreter such as ghostscript is used  
to process print files then the insertion of exploit code into print  
files may allow an attacker to exploit vulnerabilities in the  
interpreter to gain access to files owned by users submitting print  
jobs.  
  
vulnerable systems:  
===================  
  
The wsmbconf vulnerability is known to affect the binary versions of  
Samba-1.9.18 distributed with RedHat Linux, Caldera OpenLinux and PHT  
TurboLinux.  
  
The /var/spool/samba vulnerability is known to affect all binary  
versions of Samba distributed with RedHat from version 4.0 up to  
5.2. It is believed to also affect a wide range of Caldera and  
TurboLinux versions but specifics are not available at this time.  
  
Systems on which Samba has been built from the distributed source code  
(the .tar.gz files) are not vulnerable. Both vulnerabilities are  
present only in the packaging files used for particular binary  
distributions.  
  
You can tell if your system is vulnerable by looking for a file called  
/usr/sbin/wsmbconf. If you have that file then you have a vulnerable  
installation.  
  
workaround:  
===========  
  
1) All systems on which /usr/sbin/wsmbconf is installed should  
immediately remove that file:  
  
rm -f /usr/sbin/wsmbconf  
  
removing that file will not in any way adversely affect your Samba  
installation as the file is not actually part of Samba 1.9.18. It  
was included in the distribution inadvertently.  
  
2) All systems which have a /var/spool/samba directory should ensure  
that the t bit is set on that directory:  
  
chmod +t /var/spool/samba  
  
fix:  
====  
  
1) The cause of the first problem is the following line in the spec  
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:  
  
%attr(2755,root,root) /usr/sbin/wsmbconf  
  
The 2755 permissions are incorrect. The correct action is to remove  
wsmbconf completely from the spec file.  
  
  
2) The cause of the second problem is the following line in the spec  
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:  
  
%attr(777,root,root) %dir /var/spool/samba  
  
the line should be changed to read:  
  
%attr(1777,root,root) %dir /var/spool/samba  
  
  
updated packages:  
================  
  
RedHat and Caldera have released new RPMs on their ftp sites. We expect  
PHT to release new RPMs shortly.  
  
The URLs I have been given are:  
  
Caldera  
ftp.caldera.com:/pub/OpenLinux/updates/1.3/007  
  
Redhat  
Red Hat Linux 4.2  
alpha ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rpm  
i386 ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm  
sparc ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rpm  
Red Hat Linux 5.0, 5.1 and 5.2:  
alpha ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rpm  
i386 ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm  
sparc ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rpm  
  
additional:  
===========  
  
wsmbconf was included inadvertently in the RedHat spec file as  
distributed in Samba 1.9.18 by a Samba Team member. RedHat, Caldera  
and PHT are not responsible for this vulnerability, even though only  
those systems are affected. The Samba Team apologises to RedHat,  
Caldera and PHT users for these mistakes.  
  
These vulnerabilities were discovered during routine inspection of the  
spec files. We are not aware of anyone actively exploiting these  
vulnerabilities, although exploits are certainly possible.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6  
  
iQCVAgUBNlPFP2NSlURsK/StAQFKRAQAisDAtHMR2hUtiep0YyLTDCAkEC6DzL0b  
kz3dgjagx8lo0Qqry6tb3+b5abF+/PNqHlndI2qEOVVamz77IGC9WVhtZIPnCzes  
z0sZSnMZ5IxJJTa1BY3L0uAE2+Pgmz3ncsedrh1uDSzPIVph2FT89sqDvNOJpow4  
6lQeXHQ7JN8=  
=tAPq  
-----END PGP SIGNATURE-----  
`