Slashdot Mirror


Possible SAMBA Vulnerability

veg writes "The samba team have released 2.2.7 following the discovery of a secureity hole in versions 2.2.2 to 2.2.6 that could lead to remote root access. Eeek! Full story on the samba site"

32 comments

  1. Too much of a good thing by MarkusQ · · Score: 5, Funny

    The samba team have released 2.2.7 following the discovery of a secureity hole in versions 2.2.2 to 2.2.6 that could lead to remote root access.

    So, basically, they're vacillating on the question of full SMB compatibility?

    -- MarkusQ

  2. When by Bob Zer Fish · · Score: 2, Interesting

    When was this vulnerability discovered? People are always comparing Microsoft to OpenSource in the speed of the correction of security flaws. I was wondering if anyone knew, so that I could see if Microsoft is *-that-* bad, or if they're getting better.

    1. Re:When by Jeremy Allison - Sam · · Score: 5, Interesting

      Eloy Paris and Steve Langasek (spelling?) of the Debian
      Samba community were chasing a user reported core dump bug
      and they noticed the problem.

      They reported it to security@samba.org, and I fixed it that
      night (with a perfectly correct CVS comment that also failed
      to point out the security hole :-).

      We then worked with the Linux vendors via the vendorsec
      mailing list to ensure they were all aware of the problem
      and could issue updates at the same time we announced. Once
      we'd tested the release, we pushed the button and released...

      That is a nice textbook case of how Open Source/Free Software
      security can work.

      Cheers,

      Jeremy Allison,
      Samba Team

    2. Re:When by eht · · Score: 1
      26 hours ago as of right now according to the cvs at freebsd, i had it fixed before i knew it was a problem

      Update to 2.2.7 which is mostly a security release, but fixes other minor bugs.

    3. Re:When by mithras the prophet · · Score: 5, Insightful
      We then worked with the Linux vendors via the vendorsec mailing list to ensure they were all aware of the problem and could issue updates at the same time we announced. Once we'd tested the release, we pushed the button and released...

      What about Apple? Do you work directly with them? I would wager that the millions of Mac OS X-equipped Macs sold each year are rapidly making Apple the #1 distributor of Samba...

      --
      four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    4. Re:When by Anonymous Coward · · Score: 0

      Wouldn't that rub the 'NIH?NI!' feathers at Apple a bit?

      Or is 'Not Invented Here' not a problem anymore?

      One would think that the proper thing to do would be to send them a notice suggesting they make the fix themselves. Make sure you send it over AppleTalk (aka PokeyTalk) and that the message is not sent with an email client from an 'IBM' computer. They're touchy about stuff like that. To the point where they've actually taken to hiding inside the skin of a beast (it's a Gnu, I think) that they've heard is an arch rival of the 'IBM' (really Microsoft) folks.

  3. it's a mystery by misfit13b · · Score: 1
    The word "potentially" is used because there is no known exploit of this bug, and the Samba Team has not been able to craft one ourselves.

    So how do they know it's broken again? ;^)

    1. Re:it's a mystery by Anonymous Coward · · Score: 0

      ---

      The word "potentially" is used because there is no known exploit of this bug, and the Samba Team has not been able to craft one ourselves.

      So how do they know it's broken again? ;^)

      ---

      More importantly, how do they know they actually fixed the exploit and not a symptom?

    2. Re:it's a mystery by Jeremy Allison - Sam · · Score: 3, Informative

      Because it doesn't crash anymore when you
      send it a packet that would overflow the buffer :-).

      Cheers,

      Jeremy Allison,
      Samba Team.

  4. typical rant ahead by honold · · Score: 2, Flamebait

    "The samba team have released 2.2.7 following the discovery of a secureity hole in versions 2.2.2 to 2.2.6 that could lead to remote root access. Eeek! Full story on the samba site"

    the slashdot team have released a story to the developers section following the discovery of a "secureity" hole in samba that could lead to remote root access

    what does this have to do with developers? it has everything to do with a large base of the slashdot audience. this should be main page news.

    1. Re:typical rant ahead by xchino · · Score: 3, Insightful

      I would justify it being posted here. It hasn't been found to be exploitable, even by the samba team. They have, however, released a new version to correct this (as well as add a few features and fixes), showing excellent mode of quality control exceeding that which often even proprietary software vendors fail to meet, in an OpenSource model. Just a thought...

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
    2. Re:typical rant ahead by Anonymous Coward · · Score: 0

      If it was exploitable, it would certainly justify the front page. While it hasn't been proven that it is _not_ exploitable, an exploit would be hard to construct.

      Compare with any front-page story of an exploit, they are invariably accompanied by working exploits.

  5. Funny... by malakai · · Score: 1, Flamebait

    funny how this is hidden over here in Developer.slashdot, while the IE vulnerability gets front page billing.

    -malakai

    1. Re:Funny... by xchino · · Score: 1

      That's because there is known working exploitable code to the IE Bug. Even the samba team wasn't able to craft an exploit for this Potential hole. This is more along the lines of developers showing excellent quality control..

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
    2. Re:Funny... by elno · · Score: 2, Insightful

      I think it is a matter of relevance:
      IE holes come in a "combo meal" Detail Desc + sample + any side item + toy ( If you want to play with the sample code )

      This samba hole on the other hand does not even have a concrete way to take advantage of.

      From samba.org:
      A security hole has been discovered in versions 2.2.2 through 2.2.6 of Samba that could potentially allow an attacker to gain root access on the target machine. The word "potentially" is used because there is no known exploit of this bug, and the Samba Team has not been able to craft one ourselves. However, the seriousness of the problem warrants this immediate 2.2.7 release.

  6. embedded systems by bill_mcgonigle · · Score: 2

    Lots of embedded systems developers use Samba to provide SMB services.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:embedded systems by SN74S181 · · Score: 1

      Lots of carpenters use red trucks to deliver tools and supplies to building sites. That doesn't mean that they're the only people who should be informed if there's a fire on the site.

    2. Re:embedded systems by bill_mcgonigle · · Score: 2

      Umm, I was answering the question 'what does samba have to do with developers', not defending the Slashdot editors. C'mon, no one defends the slashdot editors.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. In reality this isn't a big deal by Ayanami Rei · · Score: 1

    because it'd be difficult to engineer any runnable x86 code with the conversion from one codepage to another. And I imagine most of the opcodes won't be creatable in that fashion. Still, it's a feel-good reason to upgrade.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  8. The way to fix all of your Samba problems... by OneFix · · Score: 1

    Firewall ports 137-139 (NetBIOS...according to ISS port 139 is the "most dangerous port on the internet")...

    This should keep any machine from accessing internal Samba shares from an external connection and makes these kinds of vulnerabilities irrelevant. Unless you don't trust ppl on your own LAN...then you have other problems...

    I can't think of any real reason to leave a NetBIOS port open to "the outside world"...so for those of us that actually firewall these ports, this is already taken care of...

    1. Re:The way to fix all of your Samba problems... by ToadSprocket · · Score: 1

      Speaking of NetBios ports... the latest spam tactic I saw at one day while booted into windows for some strange reason, is to it to do what amounts to a "net send" that uses windows messenger service. I actually got a friggin "net send" message popping up on my desktop telling me how to enlarge my penis! Windows sucks sometimes. And how the hell did they know my penis was small?

      --


      If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
  9. Re:Phew by Jeremy Allison - Sam · · Score: 5, Funny

    If you can craft an exploit for this, please
    mail it to me and we'll talk about getting you
    working full time on Samba.

    Yes, it could crash smbd (for the authenticated
    user) but causing it to run code is another matter.

    We couldn't work out how to do that, but hey, I'm
    willing to believe you might know how. Show me.

    Or are you just mouthing off with no expertise to
    back it up ?

    Regards,

    Jeremy Allison,
    Samba Team.

  10. Re:Phew by Anonymous Coward · · Score: 0
    But it says right here on slashdot:

    the discovery of a secureity hole in versions 2.2.2 to 2.2.6 that could lead to remote root access.

    So you're saying the slashdot story is untrue?

  11. Re:Phew by Anonymous Coward · · Score: 0

    It could. If someone found out how to make it do it. So the slashdot story is true. Maybe your English comprehension skills need work.

    Most "remote root" holes in open source software are in this purely theoretical sense. This differs from closed source, in which typically the remote root is found when an exploit starts circulating.

  12. Never ever trust your internal network. by miffo.swe · · Score: 4, Informative

    Depending on what level of security you strive for, of course. There will always be back entryways into your network. A firewall that stops incoming traffic on, let's say, port 137-139 doesn't stop all attacks. Someone might as well succeed in hacking something else on another port and then go on to the samba server from the internal network.

    I also strongly suggest you not to trust inhouse staff completely. Most hackings that really hurt are insiders that rarely get discovered.

    --
    HTTP/1.1 400
    1. Re:Never ever trust your internal network. by OneFix · · Score: 2

      Then you have HR problems...

      An internal LAN is only useful if employees have a certain amount of freedom to do what they need...sure, most things should be password protected, remote access should have multiple "barriers to entry"...SecureID, Login, Pass, etc...

      But...your argument could hold true for any amount of security. Certainly you must understand that at some time, you must trust your employees...

      As for most exploits, they are simply too difficult to implement for your average user to "pull off"...for the rest of your users, they're probably too busy to bother...

      Even then, there's going to be a small group of "troublemakers" that could cause problems, but they are probably going to be fired shortly anyhow...

      So, in short...the only "secure" system is an unplugged system.

    2. Re:Never ever trust your internal network. by miffo.swe · · Score: 2

      Hey man, ever seen Office Space?

      --
      HTTP/1.1 400
    3. Re:Never ever trust your internal network. by OneFix · · Score: 2

      Exactly...there are certainly truths in this film, but what makes it so funny is that they "cross the line"...There are a lot of ppl in the situation they were...but there are reasons why ppl simply won't do that...first thing is most ppl don't want to go to federal "pound me in the A$$" prison!!! Then again, there's also something called morals...

      But then again, when your top programmers are all conspiring to defraud the company, there's not much you can do in IT...the only way to deal with that kind of situation is to clean up the mess...

      In reality, HR screwed up by letting anyone outside of executive staff know beforehand (Peter shouldn't have been told till it happened)...But then again, Milton burns down the building...now how could IT prevent that?

    4. Re:Never ever trust your internal network. by fldvm · · Score: 1

      Dude you really take this movie seriously. For me it was just a funny flick. Click here.
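
An added example, not part of the thread and not Samba's own code, combining two points made in the comments above: releases 2.2.2 through 2.2.6 need the 2.2.7 upgrade, and a listener on NetBIOS ports 137-139 stays reachable from the LAN even when the perimeter firewall blocks those ports. The banner format, the `proto addr:port` listener format and the host inventory are constructed for illustration.

```python
import ipaddress
import re

AFFECTED_MIN = (2, 2, 2)  # first affected release named in the story
AFFECTED_MAX = (2, 2, 6)  # last affected release; 2.2.7 carries the fix
NETBIOS_PORTS = {137, 138, 139}

def parse_version(banner):
    """Pull (major, minor, patch) out of a banner such as 'Version 2.2.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(banner):
    return AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX

def network_listeners(listeners):
    """NetBIOS listeners bound to a non-loopback address (assumed 'proto addr:port' lines)."""
    found = []
    for line in listeners:
        proto, local = line.split()
        addr, _, port = local.rpartition(":")
        if int(port) in NETBIOS_PORTS and not ipaddress.ip_address(addr).is_loopback:
            found.append((proto, addr, int(port)))
    return found

def audit(host):
    """Classify one host for this bug only; a perimeter firewall does not change the result."""
    if not is_affected(host["banner"]):
        return "ok"
    if network_listeners(host["listeners"]):
        return "upgrade: affected and reachable over the network"
    return "upgrade: affected, loopback only"

# Constructed inventory, not real hosts.
HOSTS = [
    {"name": "fileserver", "banner": "Version 2.2.5",
     "listeners": ["tcp 0.0.0.0:139", "udp 0.0.0.0:137", "tcp 0.0.0.0:22"]},
    {"name": "devbox", "banner": "Version 2.2.3a", "listeners": ["tcp 127.0.0.1:139"]},
    {"name": "patched", "banner": "Version 2.2.7", "listeners": ["tcp 192.168.1.10:139"]},
    {"name": "old", "banner": "Version 2.2.1a", "listeners": ["tcp 0.0.0.0:139"]},
]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h['name']:<11} {audit(h)}")
```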