Samba Exploit Discovered, Fixed
An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities, have been released today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?"
elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."
in soviet russia ice cubes crush you
"Good god people, we would have accepted 'bow-wow' or 'ruff'...Ah! Rough, just the way your mother likes it Trebek."
... you know the drill. Pitchforks ready!
If it took digital defense so much luck and trouble to find out, is it such a big problem really?
Them finding out is probably the only reason why people actually know about it now...
I thought Monday was Patch Your Microsoft Server days... SAMBA is allowed Thursday, or was that...Wednesday...? I forget....
A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:
samba 2.2.8a
Update 2.2.8 -> 2.2.8a.
Submitted by: dwcjr (MAINTAINER)
I already updated my installation 4 hours ago, the FreeBSD folk are fast :)
This is what is fixed by the update:
(1) Sebastian Krahmer of the SuSE Security Team identified vulnerabilities that could lead to arbitrary code execution as root, as well as a race condition that could allow overwriting of system files. (This vulnerability was previously fixed in Samba 2.2.8.)
(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited correctly, leads to an anonymous user gaining root access on a Samba serving system. All versions of Samba up to and including Samba 2.2.8 are vulnerable. Alpha versions of Samba 3.0 and above are *NOT* vulnerable.''
3 posts and the website is dead already...ugh..
DJ kRYPT's Free MP3s!
Well, Samba is supposed to make a Unix computer look and act like a Windows server, right? In that case, it could be argued that a remote root exploit is a feature.
Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
It appears to me we're being bombarded with bugs found in open source software lately. I hope this doesn't make some people lose faith in these projects.
This sort of thing could never have happened if it was Open Source! Thousands of people would have reviewed the source code to make sure that there were no problems like this.
Oh wait...
cause if it had been a problem with a Microsoft product we'd have to wait until actual exploits were in the wild to get a fix for it...
At least with open source people can't hide their crappy code behind a black box. That's the point of open source.
Oh wait, you're a troll.. ah well you got modded up so that's that.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
It's open source! Many eyes make all bug shallow! See, it's only been in there for eight years!
--sdem
Is this the same as the vuln reported in Red Hat RHSA-2003-095? The links in the article to the vuln info are down right now.
If it is, RH has had this licked since April Fool's. At least someone was being productive that day.
the no
So, really, it's all Microsoft's fault. If they hadn't-a done what I told them not to do, they'd still--
Ah, sorry, wrong movie.
Test driven development
"Did you plan to spend your Monday upgrading to Samba 2.2.8a?"
/root
/end monday rant
No, I spent Monday yelling at people trying to explain to them "WHY" they need to upgrade. Dumb S.A.'s.
Lo and behold an intern sysadmin tells me "Looks like someone has a case of the Mondays!"
...It's ok...just wait until he sees me put his pink slip in his
Rob
AVR's are buggy and soon to be obsolete microcontrollers. Invest in Microchip PICMicros (TM) instead.
Advantages of PICMicro(TM):
*True RISC Design. Only 35 instructions to Learn!
*20ma drive current per I/O pin
*40 Mhz operation (PIC18xxx, Using 4x PLL multiplier)
*Simplest In-Circuit Programming in the industry
Disadvantages of Atmel AVR(TM)
*Based on obsolete pseudo-RISC design
*Only 32 registers
*Badly Implemented Peripherals (ADC is slow and inaccurate, and EEPROM loses contents often)
*fragile - easily destroyed by ESD
Don't Delay, Learn PICs (TM) Today!
PIC(TM) and PICMicro(TM) are registered trademarks of Microchip Technology
Is Windows XP still vulnerable to bugs that you originally found in Windows 95? I'd think they'd have fixed things like that by accident by now, just in the normal course of rewriting code.
would anyone connect a Samba server directly to the internet anyway? This is only an exploit of stupidity, of which there are many.
05 * * * *
No more annoying messages about Redhat asking $60 a year for a subscription.
If this had been a bug for a MS product, you'd be slamming MS hard. But now all I see is a mountain of whiny, hypocritical comments when it is in the non-MS camp.
Since your real world assets amount to a week's pocket money, I doubt anyone need worry too much.
Exploits like this, which appears to be a relatively trivial buffer overflow, manage to exist for 8 YEARS in a piece of incredibly popular open source software? ;)
Whatever happened to many eyes auditing the code? Not to say that the Samba team is doing a bad job, I run several Samba servers at home for various reasons, and they're damn rad. But I can't understand why this bug wasn't caught by somebody auditing the code.
I can only speak for myself, but I'd much prefer the Samba team to pore over the code looking for more bugs like this, than adding catch-up-with-the-gateses features like NT Domain Controller support which are largely irrelevant. The Unix philosophy is to do one thing, and do it well, and Samba already does this. If we want central authentication, we have a host of packages we can already choose from.
Not to deny the Samba team's work at all. I'll have to remember to send in my Pizza vouchers
You're doing it wrong.
Rebuilding this for a second time this week on a 25MHz machine almost makes me want to upgrade to a faster CPU.
I know this isn't an AOL chatroom or anything, but a hearty "LOL" goes out to the parent post.. :)
If only they would check for the evil bit! OK. The joke is getting old.
Debian!
Paying taxes to buy civilization is like paying a hooker to buy love.
Ignore that asshole. Thanks for the good code you've released free of charge that has worked so well for me and others.
This guy is way out there
I'm starting a "guess how much karma Jeremy Allison will get today" pool. Anyone want to enter?
I can only speak for myself, but I'd much prefer the Samba team to pore over the code looking for more bugs like this, than adding catch-up-with-the-gateses features like NT Domain Controller support which are largely irrelevant.
Some of the recent features (BDC support via LDAP, good domain membership via winbind) are the only things that allow people to run a more secure SMB server than Windows. Without those features, we would have to cave in and run something that has them. If samba did not have domain controlling support, we would likely not be running any linux boxen now, whereas most of our servers do at present.
The Unix philosophy is to do one thing, and do it well, and Samba already does this. If we want central authentication, we have a host of packages we can already choose from.
Anything that can *really* compete with AD and NDS? I think not (and yes, we run LDAP, including samba backended on LDAP, and are implementing kerberos).
Everyone take a look at how many times Jeremy not only answered posts in this thread, but how often he owned up to writing the code in question here.
Very few projects, open source or not, will have any response like this, and I think it's commendable and says a lot about Jeremy and the SAMBA team that this is the public face they present.
Makes me feel even better for using their stuff.
The problem is that there are 20,000 different people with access to these servers, both administrative and student, and you really can't trust all of them not to try to r00t your b0>.
Conspiracy theory: He created this bug because he's a karma whore!! :)
You are keeping them secret from the people who need the knowledge most: Those who have to decide whether to install or uninstall, firewall, or not their systems.
If the vulnerabilities were more publicly known, the mischief would also be more public. Thus, the fix would be more likely. Otherwise, you're leaving EVERY Microsoft user vulnerable to catastrophe at any moment.
I can understand holding back for several months to give them a chance to have a fix ready. I also think that that's professional. But you also have an obligation to inform people that the software they use is unreliable, and back that up with evidence. If I found a bug in an application you depended on, and the authors refused to fix it, would you rather the vulnerability got found in the wild, after taking your systems, or through a full public disclosure?
Someone will undoubtedly post about having their system upgraded courtesy of something in cron that put in a new package for them. That's nice.
Now flip that around. What about an EVIL upgrade system? Imagine being able to fetch the newest exploits that would then become the frontend to a scanner that looks for hosts to conquer.
In cases like this where the exploit is easy to obtain, you could have a widespread infection in a matter of minutes. Just have your zombies pick up the latest update and go to town.
Well, it's nice to know that Linux does not have a monopoly on arrogant users. You've got a nice, easy-going guy like Jeremy Allison calmly defending himself against a boatload of inflamed, obnoxious pricks who ridicule Open Source several times a year before crawling back under their rocks while Microsoft releases the exploit of the week.
Well, there is actually a difference.
It might have taken eight years for someone to notice the bug and release a security advisory. However, once that was done, it only took the developers a week to release a patch.
Had it been in a Microsoft product, it would have taken a week to get a security advisory, and eight years to get the patch.
Attack its weak point for massive damage!
Heh, send exploit code to some random troll at a Hotmail account, who promises to use his special influence to get Microsoft to fix the bug? I suppose you have billg's private phone number? :-)
Pull the other one.
These bugs have been sent to security@microsoft.com, with no response. Why should sending them to you be any more effective?
Disclosing bugs is only useful if there is a fix, or if they're being exploited in the wild. Some of the bugs known by the Samba team are apparently not being exploited, and Microsoft has no apparent interest in fixing them. So revealing them to random trolls would only hurt people with Microsoft servers.
Arguably it would help people decide not to use MS products, but if the flood of Outlook and Windows worms hasn't done that then I don't know what will. Presumably people like being reamed^W^Wthe products so much that their lack of security is not a consideration.
I think the thing that interests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light? :)
:) I would be curious if it's a configuration problem (although tech support doesn't seem to think so) or a real bug.
On a related subject, people here need to lay off the Samba developers. They are doing a great job at admitting the problem and taking responsibility for it. Heck, just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promised a call back after we had covered the basic configuration troubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the person's contact information nor was I given any time they might call me back.
Compare that with OSS....I can remember countless occasions being frustrated with a piece of software only to discover I had actually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there were any more problems.
No, I am not Microsoft/Novell/Apple bashing, I just feel that OSS comes out with more accountability for their products. Perhaps I would hear back more often from commercial companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money
Zorton
btw: if anyone with a linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know
Could someone please post the exploit code that used to be here? It's the trans2root.pl script. Thx!
EVER END? -- blangblah@tihs.net
Mandrake has issued an advisory for this issue here, although it doesn't appear that the updated RPMs have hit their FTP mirrors yet.
apt-get update
apt-get upgrade
exit
...the sun rose today... and then it set.
Sorry, but A.I. was a bad movie and you can't just interpret that away. All these ideas you think are so great have been hashed to death by Asimov and his contemporaries over half a century ago. Every critic hailing the originality and insight of the film is just showing off their lack of SF culture. In any event, the bottom line is that the ending was boring, anticlimactic and mawkish, and it remains that way no matter how you explain it.
..its a Mini adventure! :)
"Hey! Unless this is a nude love-in, get the hell off my property!!"
apt-get update / apt-get upgrade? Has nobody done a windows update style upgrade engine yet? I appreciate that restarting samba automatically has repercussions on any connected windows machines, but windows update is really simple and useful for a "desktop user" IMHO. And you *do* keep telling us that linux is ready for the desktop...
Has anyone started building rpms for security fixes for these now obsolete redhat distributions yet?
I am trying to build them myself at the moment, but I think other people might be interested and maybe some company is already thinking about providing commercial support for these versions.
Hi Jeremy,
Nice work on Samba btw. I have to point out that you are deliberately leaving out a large part of the disclosure argument. If you gave out further details about these security issues with MS SMB, it may prompt Microsoft to do something about it. This is (arguably) the best thing to do - exploits for these holes may exist in the wild without MS knowing (like there was with Samba...), so they should really be pushed harder to do something about it.
I get the feeling that you are being a little political here: Not disclosing _any_ information about the bugs is very much playing into Microsoft's hands. Gives you a little something to "blackmail" them with, no? In the nicest possible way, of course.....
I have heard that at times MS have been surprisingly helpful to the Samba team.... don't you go out for dinner with them sometimes?
--mb
And as many others have pointed out, slackware, debian ALSO have it fixed. So, its not ONLY the FreeBSD folk that are fast.
Incidentally, my Gentoo ebuild for samba (currently marked as ~x86 -- means unstable for those new to Gentoo) appeared in the portage tree, yesterday when I rsynced at 10:34am. The Changelog has a reference to the security update. The ebuild file itself was created almost 22 hours, 44 minutes ago.
Satisfied now, are we? (Actually, I did notice the smiley at the end of your sentence, so just maybe I'm taking this opportunity to plug my preferred distro)
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
Still have fewer holes than the Windows Strainer.. err OS
As I have argued below, it is not the place of anyone in the Samba Team to write and distribute exploit code.
If you are of the opinion that your vendor must be 'pushed' to do something about a vulnerability then why are you using a vendor you trust so little on your network?
As for the idea that Microsoft is being "blackmailed" by us not disclosing problems, give me a break! Blackmail would be "fix these problems *now* or I'll release exploit code".
Yes, we go out to dinner with Microsoft engineers when they turn up at CIFS conferences (they seem to have stopped bothering these days btw :-). And it's because they're usually nice people who just want to fix interop bugs (as are most engineers). Microsoft as a corporate entity aren't very helpful to Samba anymore (I think that stopped when Samba got the ability to become a PDC :-).
Jeremy Allison,
Samba Team.
Please? I didn't download it when I had the chance :-(
This root level vulnerability has been in every SAMBA distro since its conception... 8 yrs and nobody has found it?
Hear hear. It was tripe. The first part was a Disney-ish Pinocchio rehash. The ending was an incredibly contrived feel-good "happy" ending (or at least pseudo-happy, since even though it wasn't strictly a happy ending, it was there for its typical Hollywood feel-good effect). And the characters in the movie were such one-dimensional cardboard cut-out stereotypes, straight from the textbook.