Slashdot Mirror


Samba Exploit Discovered, Fixed

An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?" elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."


  1. Re:Okay everybody... by NanoGator · · Score: 4, Funny

    "Okay everybody... ... you know the drill. Pitchforks ready! "

    Whoa, slow down there buddy. We gotta check the list.

    -Microsoft? No.
    -RIAA/MPAA? No.
    -IBM? No.
    -Amazon? No.
    -TurboTax? No.

    Sorry, Samba's not on the list. Turn in your pitchfork for a song of praise.

    --
    "Derp de derp."
  2. Mondays? by raydobbs · · Score: 5, Funny

    I thought Monday was Patch Your Microsoft Server days... SAMBA is allowed Thursday, or was that...Wednesday...? I forget....

    1. Re:Mondays? by Lxy · · Score: 5, Funny

      I thought Monday was Patch Your Microsoft Server days

      Samba is just trying to emulate every aspect of a Windows server, including Windows patch Mondays.

      Yet another compatibility feature we can check off the list.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  3. Already fixed in FreeBSD ports by dnaumov · · Score: 4, Informative

    A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:

    samba 2.2.8a
    Update 2.2.8 -> 2.2.8a.
    Submitted by: dwcjr (MAINTAINER)

    I already updated my installation 4 hours ago, the FreeBSD folk are fast :)

    This is what is fixed by the update:

    (1) Sebastian Krahmer of the SuSE Security Team identified
    vulnerabilities that could lead to arbitrary code execution as root,
    as well as a race condition that could allow overwriting of system
    files. (This vulnerability was previously fixed in Samba 2.2.8.)

    (2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
    correctly, leads to an anonymous user gaining root access on a Samba
    serving system. All versions of Samba up to and including Samba 2.2.8
    are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
    vulnerable.''

  4. Feature? by Jonathan+the+Nerd · · Score: 5, Funny

    Well, Samba is supposed to make a Unix computer look and act like a Windows server, right? In that case, it could be argued that a remote root exploit is a feature.

    --
    Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    1. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Interesting

      I could show you MS bugs that we've known about for
      more than 8 years.

      Yes, they crash your MS SMB server. Yes, we've told
      Microsoft about them.

      Microsoft don't always fix bugs if there are no active
      exploits against them and knowledge of them is limited.

      I guess they just trust that we don't release exploits :-).

      Jeremy Allison,
      Samba Team.

    2. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Interesting

      If you put one of your Windows servers on a network
      I had access to I would be able to show you. I will
      not release the code publicly (for obvious reasons).
      Knowledge of these bugs would allow worms/viruses to
      utterly cripple Microsoft based corporate networks.

      If you choose not to believe me without exploit code
      then that's up to you, but I will not act in an
      unprofessional way to prove a point.

      Jeremy Allison,
      Samba Team.

    3. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 3, Insightful

      No, I'm not a joke, just a software engineering professional.
      I have to catalogue Microsoft bugs as Samba has to
      interoperate with some of them (if you'd ever looked
      at Samba code you'd know what we sometimes have to
      do to work around Microsoft bugs).

      Yes, I sometimes screw up and write bad code, as does
      every software engineer I've ever worked with.

      With Open Source, you get to see such things in public,
      rather than being hidden. Even though this was my
      problem I know which way of developing code I prefer,
      and I've developed my share of proprietary code in
      my time...

      Jeremy Allison,
      Samba Team.

    4. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Insightful

      Well I don't want to describe them as I don't want
      to give any crackers ideas on how to exploit them.

      Microsoft know and they are the only people who can
      do anything about it, it's *their* code, not mine.

      Me describing the problem to you will make the problem
      worse, not better.

      If people find bugs in my code I want them to tell me
      and I fix them asap. If they are security related I
      want them to give me warning first before going public.

      This is what we have done with Microsoft, it's the
      responsible, professional thing to do. What gets done
      about it is *their* decision, not mine (or yours).

      Jeremy Allison,
      Samba Team.

    5. Re:Feature? by xchino · · Score: 3, Interesting

      So if I stuck a box on the net for you and opened up the necessary ports you'll crash it? I'm all for this, I'd like to make a snort rule for this attack.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
  5. 8 Years?? by MeanMF · · Score: 4, Funny

    This sort of thing could never have happened if it was Open Source! Thousands of people would have reviewed the source code to make sure that there were no problems like this.

    Oh wait...

    1. Re:8 Years?? by Jeremy+Allison+-+Sam · · Score: 4, Informative

      Well security problems like this tend to come in pairs
      (I'm just hoping not in threes :-).

      Once one gets discovered then people look for others in
      the same project.

      The first one was found by a SuSE audit, and we went through
      and fixed all related code. This one was found 'in the wild'
      so to speak. I'm not sure how long the cracker community
      has known about this one.

      I'm to blame as both were in code I wrote a long time ago :-(.

      Jeremy Allison,
      Samba Team.

    2. Re:8 Years?? by Jeremy+Allison+-+Sam · · Score: 3, Insightful

      So tell me when the last time was you sued Microsoft,
      Oracle or Sun for your losses in the real world and
      won any damages ?

      In Open Source you know who messed up. You have their
      email address and phone number. You have a basis for
      trust or not based on past reputation/performance.

      You have *no idea* who wrote any of the Microsoft code,
      or any other proprietary code - and no recourse to fix
      problems that cause you losses other than to beg the
      vendor for a fix.

      And you'd better ask nicely, in case you don't give
      them enough money.

      Good luck on getting your damages from Microsoft for
      the last virus outbreak, you're going to need it :-).

      Jeremy Allison,
      Samba Team.

  6. Re:Raining Open Source bugs? by questionlp · · Score: 3, Informative

    I think it's better that these bugs are found, publicized and patched in a professional manner (like Samba, Sendmail, etc.) than see a company sit on an exploit for a while and state that their products are unbreakable (Oracle) or secure (Microsoft)... even if it's a bug a day. So long as it's fixed, people are notified about it.

    As far as people patching them, that's another topic altogether.

    Almost every software has bugs... be it disclosed or not disclosed.

  7. Re:Don't worry guys! by Jeremy+Allison+-+Sam · · Score: 4, Informative

    Actually I have been thinking about this very fact w.r.t.
    these recent vulnerabilities.

    The problem was that the written code *worked*, as in if
    it was given well-formed SMB packets it behaved correctly,
    even though it was in a little used part of the code.

    Because it worked 'out of the box' as it were, with
    Windows clients there was little reason to examine it.

    It's code that has a problem that gets looked at first.

    I'm not trying to absolve myself of blame, after all, I
    wrote the buggy code, but there was a reason that no one
    needed to look at it for 8 years or so.

    Jeremy Allison,
    Samba Team.

  8. I definitely "had a case of the mondays"!@! by caffeinex36 · · Score: 3, Funny

    "Did you plan to spend your Monday upgrading to Samba 2.2.8a?"


    No, I spent Monday yelling at people trying to explain to them "WHY" they need to upgrade. Dumb S.A.'s.

    Lo and behold an intern sysadmin tells me "Looks like someone has a case of the mondays!"

    ...It's ok...just wait until he sees me put his pink slip in his /root

    /end monday rant
    Rob

  9. Re:Mac OS X? by Jeremy+Allison+-+Sam · · Score: 3, Informative

    Yes, Apple are working on this. I ported the fix to
    their codebase this morning and mailed it to them.

    Jeremy Allison,
    Samba Team.

  10. Re:Don't worry guys! by zulux · · Score: 4, Funny

    Here's Hoping the Moderators don't
    actually read this closely. See, there's
    this dude named Jeremy Allison, one of the
    nice people who writes code for Samba.

    I've used Samba for years - I've used it
    to replace or prevent about 20 Microsoft
    Windows Installations over the last few years.

    But by mimicking Jeremy's layout style
    and putting his .sig at the bottom of
    this post - I just might get some undeserved
    Karma.

    Let's see if it works.

    Jeremy Allison,
    Samba Team.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  11. Re:Code auditing by Jeremy+Allison+-+Sam · · Score: 3, Insightful

    Well, as I posted above, I think the reason no one
    looked at the code is because it worked as written
    with the most common clients (Microsoft ones).

    We, the Linux vendors and just about everyone else
    who uses Samba audit the code regularly, but this
    one got missed by everyone but the bad guys. Sometimes
    that happens. Life just *sucks* sometimes.

    Every time we get a problem we always go through and
    look for instances of this class of problem (that's
    how I spent my weekend) but I'm afraid no code is
    perfect.

    Jeremy Allison,
    Samba Team.

  12. Re:Code auditing by J.+J.+Ramsey · · Score: 3, Insightful

    "What ever happened to many eyes auditing the code?"

    Open source provides the opportunity for many eyes to audit the code. It does not guarantee that it will happen.

    On the bright side, if Samba weren't open source, we might never have found this problem at all, and the fix would not have come so soon after the flaw was discovered.

  13. Re:No kidding by Jeremy+Allison+-+Sam · · Score: 3, Insightful

    We had a fix within 1 hour of the problem being
    reported, and that was mainly due to mail propagation
    delays from Australia ! We had to co-ordinate the
    release with all the Samba vendors, that's what took
    the time.

    Your point about code auditing is incorrect. No company
    pays the sort of money needed to do the amount of code
    auditing a major OSS project gets *for free* by the
    vendor community. Yes, they could do this, but proprietary
    software companies simply don't spend the money on engineering
    resources to be used in this way. Not even Microsoft.

    Jeremy Allison,
    Samba Team.

  14. Whoa! by truesaer · · Score: 4, Funny

    At level 4 and higher messages only, I count 43 mod points for Jeremy Allison.

    Conspiracy theory: He created this bug because he's a karma whore!! :)

    1. Re:Whoa! by Jeremy+Allison+-+Sam · · Score: 4, Funny

      Oh no - you've discovered my secret. And it took
      8 years to come to fruition.....

      Now I'll have to kill you :-).

      Jeremy.

  15. Wow by Zorton · · Score: 4, Interesting

    I think the thing that interests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light?

    In a related subject people here need to lay off the samba developers. They are doing a great job at admitting the problem and taking responsibility for it. Heck just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promised a call back after we had covered the basic configuration troubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the person's contact information nor was I given any time they might call me back.

    Compare that with OSS... I can remember countless occasions being frustrated with a piece of software only to discover I had actually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there were any more problems.

    No I am not Microsoft/Novell/Apple bashing, I just feel that OSS comes out with more accountability for their products. Perhaps I would hear back more often from commercial companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money :)

    Zorton
    btw: if anyone with a Linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know :) I would be curious if it's a configuration problem (although tech support doesn't seem to think so) or a real bug.