Samba Exploit Discovered, Fixed

← Back to Stories (view on slashdot.org)

Samba Exploit Discovered, Fixed

Posted by timothy on Monday April 7, 2003 @09:41AM from the lickety-split-sortof dept.

An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people.. Did you plan to spend your Monday upgrading to Samba 2.2.8a?" elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."

41 of 221 comments (clear)

Okay everybody... by Anonvmous+Coward · 2003-04-07 09:42 · Score: 2, Funny

... you know the drill. Pitchforks ready!
1. Re:Okay everybody... by NanoGator · 2003-04-07 09:44 · Score: 4, Funny
  
  "Okay everybody... ... you know the drill. Pitchforks ready! "
  
  Whoah, slow down there buddy. We gotta check the list.
  
  -Microsoft? No.
  -RIAA/MPAA? No.
  -IBM? No.
  -Amazon? No.
  -TurboTax? No.
  
  Sorry, Samba's not on the list. Turn in your pitchfork for a song of praise.
  
  --
  "Derp de derp."
Mondays? by raydobbs · 2003-04-07 09:47 · Score: 5, Funny

I thought Monday was Patch Your Microsoft Server days... SAMBA is allowed Thursday, or was that...Wednesday...? I forget....
1. Re:Mondays? by carpe_noctem · 2003-04-07 09:50 · Score: 2, Funny
  
  nono...Thursday is for sendmail. We'll pencil in samba on wednesdays.
  
  --
  "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
2. Re:Mondays? by Lxy · 2003-04-07 09:50 · Score: 5, Funny
  
  I thought Monday was Patch Your Microsoft Server days
  
  Samba is just trying to emulate every aspect of a Windows server, including Windows patch Mondays.
  
  Yet another compatibility feature we can check off the list.
  
  --
  
  There is no reasonable defense against an idiot with an agenda
  :wq
Already fixed in FreeBSD ports by dnaumov · 2003-04-07 09:47 · Score: 4, Informative

A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:

samba 2.2.8a
Update 2.2.8 -> 2.2.8a.
Submitted by: dwcjr (MAINTAINER)

I already updated my installation 4 hours ago, the FreeBSD folk are fast :)

This is what is fixed by the update:

(1) Sebastian Krahmer of the SuSE Security Team identified
vulnerabilities that could lead to arbitrary code execution as root,
as well as a race condition that could allow overwriting of system
files. (This vulnerability was previously fixed in Samba 2.2.8.)

(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
correctly, leads to an anonymous user gaining root access on a Samba
serving system. All versions of Samba up to and including Samba 2.2.8
are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
vulnerable.''
1. Re:Already fixed in FreeBSD ports by CoJoNEs · 2003-04-07 10:48 · Score: 2, Informative
  
  since this is distro/OS whoring time
  Debian also has this fixed. I just checked right now, but according to the timestamps on the servers it looks like it took place around 11:00 today.
Re:so... by Anonymous Coward · 2003-04-07 09:47 · Score: 2, Insightful

Your wife is cheating on you... It wouldn't have been a problem, but you just HAD to hire a Private Investigator...
Feature? by Jonathan+the+Nerd · 2003-04-07 09:48 · Score: 5, Funny

Well, Samba is supposed to make a Unix computer look and act like a Windows server, right? In that case, it could be argued that a remote root exploit is a feature.

--
Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
1. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 10:04 · Score: 4, Interesting
  
  I could show you MS bugs that we've known about for
  more than 8 years.
  
  Yes, they crash your MS SMB server. Yes, we've told
  Microsoft about them.
  
  Microsoft don't always fix bugs if there are no active
  exploits against them and knowledge of them is limited.
  
  I guess they just trust that we don't release exploits :-).
  
  Jeremy Allison,
  Samba Team.
2. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 10:17 · Score: 4, Interesting
  
  If you put one of your Windows servers on a network
  I had access to I would be able to show you. I will
  not release the code publicly (for obvious reasons).
  Knowledge of these bugs would allow worms/viruses to
  utterly cripple Microsoft based corporate networks.
  
  If you choose not to believe me without exploit code
  then that's up to you, but I will not act in an
  unprofessional way to prove a point.
  
  Jeremy Allison,
  Samba Team.
3. Re:Feature? by cyb97 · 2003-04-07 10:17 · Score: 2, Funny
  
  They seem to have fixed the 3.11 - 3.10 = 0 bug in calc.exe now... You mean there are other longrunning bugs in Windows?
4. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 10:44 · Score: 3, Insightful
  
  No, I'm not a joke, just a software engineering professional.
  I have to catalogue Microsoft bugs as Samba has to
  interoperate with some of them (if you'd ever looked
  at Samba code you'd know what we sometimes have to
  do to work around Microsoft bugs).
  
  Yes, I sometimes screw up and write bad code, as does
  every software engineer I've ever worked with.
  
  With Open Source, you get to see such things in public,
  rather than being hidden. Even though this was my
  problem I know which way of developing code I prefer,
  and I've developed my share of proprietary code in
  my time...
  
  Jeremy Allison,
  Samba Team.
5. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 10:48 · Score: 4, Insightful
  
  Well I don't want to describe them as I don't want
  to give any crackers ideas on how to exploit them.
  
  Microsoft know and they are the only people who can
  do anything about it, it's *their* code, not mine
  
  Me describing the problem to you will make the problem
  worse, not better.
  
  If people find bugs in my code I want them to tell me
  and I fix them asap. If they are security related I
  want them to give me warning first before going public.
  
  This is what we have done with Microsoft, it's the
  responsible, professional thing to do. What gets done
  about it is *their* decision, not mine (or yours).
  
  Jeremy Allison,
  Samba Team.
6. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 11:28 · Score: 2, Informative
  
  No, we're not keeping them secret. Microsoft know, we
  told them. The flaws are in their code. If you had access
  to Microsoft source code and could fix them, I'd tell you.
  
  But you don't, that's the problem. All you could do is
  create mischief with the knowledge. I don't see why I have
  any professional obligations to help you with that.
  
  Jeremy Allison,
  Samba Team.
7. Re:Feature? by xchino · 2003-04-07 12:11 · Score: 3, Interesting
  
  So if I stuck an box on the net for you and opened up the necessary ports you'll crash it? I'm all for this, I'd like to make a snort rule for this attack.
  
  --
  Everyone is entitled to their own opinion. It's just that yours is stupid.
8. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 13:18 · Score: 2, Interesting
  
  Not irresponsible, I am just responding to an AC claim
  that Microsoft has no bugs that are this severe that have
  not been fixed for this long. I know this to be false. I
  don't really care if you believe me or not.
  
  Jeremy Allison,
  Samba Team.
9. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 17:32 · Score: 2, Informative
  
  There is *never* a good reason to release exploit code (IMHO).
  
  It only allows those with no talent (the script kiddies)
  to cause trouble for people trying to maintain systems.
  
  Inform the vendor, if the vendor does nothing, tell the
  world it is broken, demo your exploit to some journalists
  if you like.
  
  But releasing exploit code is the programming equivalent
  to leaving a pile of fully loaded weapons outside a school.
  
  Jeremy Allison,
  Samba Team.
10. Re:Feature? by Jeremy+Allison+-+Sam · 2003-04-07 17:48 · Score: 2, Interesting
  
  Crackers in the wild may be the primary motivation
  for fixing bugs by proprietary companies, but don't
  ascribe the same motivations to Open Source/Free
  Software developers.
  
  Imagine you were designing a bridge, but got it
  wrong. The bridge gets built, but you know a certain
  pattern of cars going accross in a certain order could
  cause it to collapse.
  
  Would you tell the local authority and accept the
  blame ? If you didn't, how could you sleep at night ?
  
  Jeremy Allison,
  Samba Team.
8 Years?? by MeanMF · 2003-04-07 09:51 · Score: 4, Funny

This sort of thing could never have happened if it was Open Source! Thousands of people would have reviewed the source code to make sure that there were no problems like this.

Oh wait...
1. Re:8 Years?? by Jeremy+Allison+-+Sam · 2003-04-07 10:00 · Score: 4, Informative
  
  Well security problems like this tend to come in pairs
  (I'm just hoping not in threes :-).
  
  Once one gets discovered then people look for others in
  the same project.
  
  The first one was found by a SuSE audit, and we went through
  and fixed all related code. This one was found 'in the wild'
  so to speak. I'm not sure how long the cracker community
  has known about this one.
  
  I'm to blame as both were in code I wrote a long time ago :-(.
  
  Jeremy Allison,
  Samba Team.
2. Re:8 Years?? by Jeremy+Allison+-+Sam · 2003-04-07 10:33 · Score: 3, Insightful
  
  So tell me when the last time was you sued Microsoft,
  Oracle or Sun for your losses in the real world and
  won any damages ?
  
  In Open Source you know who messed up. You have their
  email address and phone number. You have a basis for
  trust or not based on past reputation/performance.
  
  You have *no idea* who wrote any of the Microsoft code,
  or any other proprietary code - and no recourse to fix
  problems that cause you losses other than to beg the
  vendor for a fix.
  
  And you'd better ask nicely, in case you don't give
  them enough money.
  
  Good luck on getting your damages from Microsoft for
  the last virus outbreak, you're going to need it :-).
  
  Jeremy Allison,
  Samba Team.
3. Re:8 Years?? by Anonymous Coward · 2003-04-07 10:39 · Score: 2, Interesting
  
  This is why /. rocks.
  
  You see a story about a bug, and the author quickly replies "Ya, I coded this part. I missed this bug."
  
  Jeremy, congrats to you for having guts to stand up and admit fault. This kind of integrity is why open source is such a great movement.
Re:so... by Anonymous+Struct · 2003-04-07 09:53 · Score: 2, Insightful

The Samba site actually mentions that an active exploit is already out there. Hopefully most people are running Samba in hard-to-reach places, but this definitely is a large problem. This is one I wouldn't let slide for more than oh, say... the next 30 minutes.
Re:Raining Open Source bugs? by jb_02_98 · 2003-04-07 10:12 · Score: 2, Insightful

I think its a good thing. Instead of these bugs being found by the "wrong" people these are found and fixed before anyone can mess up production systems. This, if anything, shows the strength of OSS. It gets fixed quickly.
Re:Raining Open Source bugs? by questionlp · 2003-04-07 10:14 · Score: 3, Informative

I think it's better that these bugs are found, publicized and patched in a professional manner (like Samba, Sendmail, etc.) then see a company sit on an exploit for a while and state that their products are unbreakable (Oracle) or secure (Microsoft)... even if it's a bug a day. So long as it's fixed, people are notified about it.

As far as people patching them, that's another topic altogether.

Almost every software has bugs... be it disclosed or not disclosed.
Re:Don't worry guys! by Jeremy+Allison+-+Sam · 2003-04-07 10:25 · Score: 4, Informative

Actually I have been thinking about this very fact w.r.t.
these recent vulnerabilities.

The problem was that the written code *worked*, as in if
it was given well-formed SMB packets it behaved correctly,
even though it was in a little used part of the code.

Because it worked 'out of the box' as it were, with
Windows clients there was little reason to examine it.

It's code that has a problem that gets looked at first.

I'm not trying to absolve myself of blame, after all, I
wrote the buggy code, but there was a reason that no one
needed to look at it for 8 years or so.

Jeremy Allison,
Samba Team.
I definitly "had a case of the mondays"!@! by caffeinex36 · 2003-04-07 10:25 · Score: 3, Funny

"Did you plan to spend your Monday upgrading to Samba 2.2.8a?"

No, I spent monday yelling at people trying to explain to them "WHY" they need to updgrade. Dumb S.A.'s.

Low and behold an intern sysadmin tells me "Looks like someone has a case of the mondays!"

...It's ok...just wait until he sees me put his pink slip in his /root

/end monday rant
Rob
Re:Mac OS X? by Jeremy+Allison+-+Sam · 2003-04-07 10:52 · Score: 3, Informative

Yes, Apple are working on this. I ported the fix to
their codebase this morning and mailed it to them.

Jeremy Allison,
Samba Team.
Err by bedouin · 2003-04-07 11:02 · Score: 2, Funny

Rebuilding this for a second time this week on a 25mhz machine almost makes me want to upgrade to a faster CPU.
Re:Don't worry guys! by zulux · 2003-04-07 11:13 · Score: 4, Funny

Here's Hoping the Modierators don't
actually read this closely. See, there's
this dude named Jeremy Allison, one of the
nice people who writes code for Samba.

I've used Samba for years - I've used
to replace or prevent about 20 Microsft
Windows Instalations over the last few years.

But by mimicking Jeremy's layout style
and putting his .sig at the bottom of
this post - I just might get some undeserved
Karma.

Let's see if it works.

Jeremy Allison,
Samba Team.

--
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Re:Code auditing by Jeremy+Allison+-+Sam · 2003-04-07 11:21 · Score: 3, Insightful

Well, as I posted above, I think the reason no one
looked at the code is because it worked as written
with the most common clients (Microsoft ones).

We, the Linux vendors and just about everyone else
who uses Samba audits the code regularly, but this
one got missed by everyone but the bad guys. Sometimes
that happens. Life just *sucks* sometimes.

Everytime we get a problem we always go through and
look for instances of this class of problem (that's
how I spent my weekend) but I'm afraid no code is
perfect.

Jeremy Allison,
Samba Team.
Features are also important by buchanmilne · 2003-04-07 11:33 · Score: 2, Interesting

I can only speak for myself, but I'd much prefer the Samba team to pore over the code looking for more bugs like this, than adding catch-up-with-the-gateses features like NT Domain Controller support which are largely irrelevant.

Some of the recent features (BDC support via LDAP, good domain membership via winbind) are the only things that allow people to run a more secure SMB server than Windows. Without those features, we would have to cave in and run something that has them. If samba did not have domain controlling support, we would likely not be running any linux boxen now, whereas most of our servers do at present.

The Unix philosophy is to do one thing, and do it well, and Samba already does this. If we want central authentication, we have a host of packages we can already choose from.

Anything that can *really* compete with AD and NDS? I think not (and yes, we run LDAP, including samba backended on LDAP, and are implementing kerberos).
Re:Code auditing by J.+J.+Ramsey · 2003-04-07 11:34 · Score: 3, Insightful

"What ever happened to many eyes auditing the code?"

Open source provides the opportunity for many eyes to audit the code. It does not guarantee that it will happen.
On the bright side, if Samba weren't open source, we might never have found this problem at all, and the fix would not have come so soon after the flaw was discovered.
Re:No kidding by Jeremy+Allison+-+Sam · 2003-04-07 11:52 · Score: 3, Insightful

We had a fix within 1 hour of the problem being
reported, and that was mainly due to mail propagation
delays from Australia ! We had to co-ordinate the
release with all the Samba vendors, that's what took
the time.

Your point about code auditing is incorrect. No company
pays the sort of money needed to do the amount of code
auditing a major OSS project gets *for free* by the
vendor community. Yes, they could do this, but proprietary
software companies simply don't spend the money on engineering
resources to be used in this way. Not even Microsoft.

Jeremy Allison,
Samba Team.
Not being connected to the Internet isn't security by LightStruk · 2003-04-07 11:58 · Score: 2, Informative

would anyone connect a Samba server directly to the internet anyway? This is only an exploit of stupidity, of which there are many.
You're really missing the point. Many universities (like the one I attend) use Samba to provide network file serving to the campus, and those servers definitely aren't connected directly to the internet. The NetBios ports are blocked at the firewall anyway, to protect students on campus with blank Administrator passwords.
The problem is that there are 20,000 different people with access to these servers, both administrative and student, and you really can't trust all of them not to try to r00t your b0>.
Whoa! by truesaer · 2003-04-07 12:01 · Score: 4, Funny

At level 4 and higher messages only, I count 43 mod points for Jeremy Allison.
Conspiracy theory: He created this bug because he's a karma whore!! :)
1. Re:Whoa! by Jeremy+Allison+-+Sam · 2003-04-07 12:08 · Score: 4, Funny
  
  Oh no - you've discovered my secret. And it took
  8 years to come to fruition.....
  
  Now I'll have to kill you :-).
  
  Jeremy.
There's a difference by roesti · 2003-04-07 12:48 · Score: 2, Funny

If this had been a bug for a MS product, you'd be slamming MS hard. But now all I see is a mountain of whiny, hypocritical comments when it is in the non-MS camp.

Well, there is actually a difference.

It might have taken eight years for someone to notice the bug and release a security advisory. However, once that was done, it only took the developers a week to release a patch.

Had it been in a Microsoft product, it would have taken a week to get a security advisory, and eight years to get the patch.

--
Attack its weak point for massive damage!
Re:No kidding by MeanMF · 2003-04-07 13:30 · Score: 2, Interesting

We had a fix within 1 hour of the problem being reported, and that was mainly due to mail propagation delays from Australia ! We had to co-ordinate the release with all the Samba vendors, that's what took the time.

I'm not sure it really matters why the delay occurred - maybe that's something to work on for next time. Even if the fix could not be released immediately, it may have been a good idea to alert people that a problem existed so they could take additional precautions while the coordination efforts were taking place.

No company pays the sort of money needed to do the amount of code auditing a major OSS project gets *for free* by the vendor community

Releasing the source does not guarantee that anybody will actually perform a code audit. Neither does writing proprietary code. I don't claim like you do to know if they do so or not, but companies like Microsoft certainly have the resources to hire people to do audits and security reviews if they want to. This is more than most OSS projects can say.

Maybe you could set up a system so that the people in the community who you say are doing these reviews for free could document what parts of the code they have reviewed. That way we would know what parts have been looked at the most or least, and look at the track record of the people doing the reviews.
Wow by Zorton · 2003-04-07 13:56 · Score: 4, Interesting

I think the thing that intrests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light?

In a related subject people here need to lay off the samba developers. They are doing a great job at admiting the problem and taking responbility for it. Heck just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promissed a call back after we had covered the basic configuration toubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the persons contact information nor was I given any time they might call me back.

Compare that with OSS....I can remeber countless occasions being frustrated with a piece of software only to discover I had accually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there where any more problems.

No I am not microsoft/novell/apple bashing, I just feel that OSS comes out with more accountibility for their products. Perhaps I would hear back more often from commerical companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money :)

Zorton
btw: if anyone with a linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know :) I would be curious if it's a configuration problem (although tech support dosen't seem to think so) or a real bug.