From: Marton Kenyeres
Organization: KVG:) Konvergencia Ltd
To: security@freebsd.org
Subject: Re: Samba vulnerability
Date: Wed, 19 Mar 2003 10:08:28 +0100

On Tuesday 18 March 2003 17.42, Nikolaj I. Potanin wrote:
> > A flaw has been detected in the Samba main smbd code which could allow
> > an external attacker to remotely and anonymously gain Super User (root)
> >    ^^^^^^^^^^^^^^^^^
>
> Does anyone here have smbd bound to an external interface? ;-)
>

Although the advisory mentions external attackers, I bet this vulnerability
allows malicious internal users to gain root privileges on an intranet file
server. As far as I know a vast majority of attacks are attempted by
insiders, so I don't find this funny at all.

Also, from smb.conf(5):

By default Samba will query the kernel for the list of all active interfaces
and use any interfaces except 127.0.0.1 that are broadcast capable.

So it is very well possible that in fact, someone here has smbd bound to an
external interface. Anyway, I don't think that this kind of 'lamaz deserve to
be r00ted' attitude is appropriate for this list. Pardon me, if I
misunderstood your intentions.

Cheers,
-- 
Kenyeres Márton
mkenyeres@konvergencia.hu
KVG:) Konvergencia Kft.
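
A check for the interface-binding point raised in the message above, as an added example that is not part of the original post: it parses the [global] section of an smb.conf and reports whether smbd is limited to an explicit interface list. The two configuration samples are constructed and the function names are hypothetical; "interfaces" and "bind interfaces only" are the smb.conf(5) parameters.

```python
import re

# Constructed samples, not taken from the original message.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   interfaces = 192.168.10.1/24 127.0.0.1
   ; bind interfaces only = yes
[share]
   path = /export
"""
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   interfaces = 192.168.10.1/24 127.0.0.1
   Bind Interfaces Only = Yes
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    joined = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' counts
            params[_norm(key)] = value.strip()
    return params

def audit_binding(text):
    """Classify how the configuration limits the interfaces smbd serves."""
    p = global_params(text)
    bind_only = p.get("bindinterfacesonly", "no").lower() in ("yes", "true", "1")
    if not bind_only:
        return "unrestricted"   # an interfaces list alone does not limit smbd
    if not p.get("interfaces"):
        return "default-list"   # falls back to the kernel's interface list
    return "restricted"
```

The weak sample is reported as unrestricted even though it lists interfaces, because the "bind interfaces only" line is commented out.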