From owner-freebsd-security Thu Jun 28 20:37:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from panda.freebsdsystems.com (panda.freebsdsystems.com [216.126.95.28]) by hub.freebsd.org (Postfix) with SMTP id 57B7337B409 for ; Thu, 28 Jun 2001 20:37:34 -0700 (PDT) (envelope-from lnb@freebsdsystems.com) Received: (qmail 31850 invoked by uid 89); 29 Jun 2001 03:37:29 -0000 Message-ID: <20010629033729.31849.qmail@panda.freebsdsystems.com> References: <200106290052.TAA32034@aristotle.tamu.edu> <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> In-Reply-To: <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> From: "Lanny Baron" To: NAKAJI Hiroyuki Cc: freebsd-security@freebsd.org Subject: Re: samba vulnerability Date: Fri, 29 Jun 2001 03:37:29 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Sender: lnb@freebsdsystems.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am the Canadian mirror for Samba.org and the warning is right on the main page, under NEWS. It's the macro %m and it warns: The security hole occurs when a log file option like the following is used: log file = /var/log/samba/%m.log In that case the attacker can use a locally created symbolic link to overwrite any file on the system. This requires local access to the server. If your Samba configuration has something like the following: log file = /var/log/samba/%m Then the attacker could successfully compromise your server remotely as no symbolic link is required. This type of configuration is very rare. The most commonly used log file configuration containing %m is the distributed in the sample configuration file that comes with Samba: log file = /var/log/samba/log.%m in that case your machine is not vulnerable to this attack unless you happen to have a subdirectory in /var/log/samba/ which starts with the prefix "log." Regards, Lanny NAKAJI Hiroyuki writes: >>>>>> In <200106290052.TAA32034@aristotle.tamu.edu> >>>>>> rasmith@aristotle.tamu.edu (Robin Smith) wrote: > > RS> the %m.log exploit, but now I wonder where it was. > > http://lists.samba.org/pipermail/samba-announce/2001-June/000054.html > > Is this what you read? > -- > NAKAJI Hiroyuki > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= Lanny Baron servers with the power to Serve http://www.FreeBSDsystems.com 1.877.963.1900 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message