Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samba Exploit Discovered, Fixed

Posted by timothy on from the lickety-split-sortof dept.

An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people.. Did you plan to spend your Monday upgrading to Samba 2.2.8a?" elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."

15 of 221 comments (clear)

  1. Re:Okay everybody... by NanoGator · · Score: 4, Funny

    "Okay everybody... ... you know the drill. Pitchforks ready! "

    Whoah, slow down there buddy. We gotta check the list.

    -Microsoft? No.
    -RIAA/MPAA? No.
    -IBM? No.
    -Amazon? No.
    -TurboTax? No.

    Sorry, Samba's not on the list. Turn in your pitchfork for a song of praise.

    --
    "Derp de derp."
  2. Mondays? by raydobbs · · Score: 5, Funny

    I thought Monday was Patch Your Microsoft Server days... SAMBA is allowed Thursday, or was that...Wednesday...? I forget....

    1. Re:Mondays? by Lxy · · Score: 5, Funny

      I thought Monday was Patch Your Microsoft Server days

      Samba is just trying to emulate every aspect of a Windows server, including Windows patch Mondays.

      Yet another compatibility feature we can check off the list.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  3. Already fixed in FreeBSD ports by dnaumov · · Score: 4, Informative

    A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:

    samba 2.2.8a
    Update 2.2.8 -> 2.2.8a.
    Submitted by: dwcjr (MAINTAINER)
    I already updated my installation 4 hours ago, the FreeBSD folk are fast :)

    This is what is fixed by the update:

    (1) Sebastian Krahmer of the SuSE Security Team identified
    vulnerabilities that could lead to arbitrary code execution as root,
    as well as a race condition that could allow overwriting of system
    files. (This vulnerability was previously fixed in Samba 2.2.8.)

    (2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
    correctly, leads to an anonymous user gaining root access on a Samba
    serving system. All versions of Samba up to and including Samba 2.2.8
    are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
    vulnerable.''

  4. Feature? by Jonathan+the+Nerd · · Score: 5, Funny

    Well, Samba is supposed to make a Unix computer look and act like a Windows server, right? In that case, it could be argued that a remote root exploit is a feature.

    --
    Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    1. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Interesting

      I could show you MS bugs that we've known about for
      more than 8 years.

      Yes, they crash your MS SMB server. Yes, we've told
      Microsoft about them.

      Microsoft don't always fix bugs if there are no active
      exploits against them and knowledge of them is limited.

      I guess they just trust that we don't release exploits :-).

      Jeremy Allison,
      Samba Team.

    2. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Interesting

      If you put one of your Windows servers on a network
      I had access to I would be able to show you. I will
      not release the code publicly (for obvious reasons).
      Knowledge of these bugs would allow worms/viruses to
      utterly cripple Microsoft based corporate networks.

      If you choose not to believe me without exploit code
      then that's up to you, but I will not act in an
      unprofessional way to prove a point.

      Jeremy Allison,
      Samba Team.

    3. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 4, Insightful

      Well I don't want to describe them as I don't want
      to give any crackers ideas on how to exploit them.

      Microsoft know and they are the only people who can
      do anything about it, it's *their* code, not mine

      Me describing the problem to you will make the problem
      worse, not better.

      If people find bugs in my code I want them to tell me
      and I fix them asap. If they are security related I
      want them to give me warning first before going public.

      This is what we have done with Microsoft, it's the
      responsible, professional thing to do. What gets done
      about it is *their* decision, not mine (or yours).

      Jeremy Allison,
      Samba Team.

  5. 8 Years?? by MeanMF · · Score: 4, Funny

    This sort of thing could never have happened if it was Open Source! Thousands of people would have reviewed the source code to make sure that there were no problems like this.

    Oh wait...

    1. Re:8 Years?? by Jeremy+Allison+-+Sam · · Score: 4, Informative

      Well security problems like this tend to come in pairs
      (I'm just hoping not in threes :-).

      Once one gets discovered then people look for others in
      the same project.

      The first one was found by a SuSE audit, and we went through
      and fixed all related code. This one was found 'in the wild'
      so to speak. I'm not sure how long the cracker community
      has known about this one.

      I'm to blame as both were in code I wrote a long time ago :-(.

      Jeremy Allison,
      Samba Team.

  6. Re:Don't worry guys! by Jeremy+Allison+-+Sam · · Score: 4, Informative

    Actually I have been thinking about this very fact w.r.t.
    these recent vulnerabilities.

    The problem was that the written code *worked*, as in if
    it was given well-formed SMB packets it behaved correctly,
    even though it was in a little used part of the code.

    Because it worked 'out of the box' as it were, with
    Windows clients there was little reason to examine it.

    It's code that has a problem that gets looked at first.

    I'm not trying to absolve myself of blame, after all, I
    wrote the buggy code, but there was a reason that no one
    needed to look at it for 8 years or so.

    Jeremy Allison,
    Samba Team.

  7. Re:Don't worry guys! by zulux · · Score: 4, Funny

    Here's Hoping the Modierators don't
    actually read this closely. See, there's
    this dude named Jeremy Allison, one of the
    nice people who writes code for Samba.

    I've used Samba for years - I've used
    to replace or prevent about 20 Microsft
    Windows Instalations over the last few years.

    But by mimicking Jeremy's layout style
    and putting his .sig at the bottom of
    this post - I just might get some undeserved
    Karma.

    Let's see if it works.

    Jeremy Allison,
    Samba Team.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  8. Whoa! by truesaer · · Score: 4, Funny
    At level 4 and higher messages only, I count 43 mod points for Jeremy Allison.

    Conspiracy theory: He created this bug because he's a karma whore!! :)

    1. Re:Whoa! by Jeremy+Allison+-+Sam · · Score: 4, Funny

      Oh no - you've discovered my secret. And it took
      8 years to come to fruition.....

      Now I'll have to kill you :-).

      Jeremy.

  9. Wow by Zorton · · Score: 4, Interesting

    I think the thing that intrests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light?

    In a related subject people here need to lay off the samba developers. They are doing a great job at admiting the problem and taking responbility for it. Heck just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promissed a call back after we had covered the basic configuration toubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the persons contact information nor was I given any time they might call me back.

    Compare that with OSS....I can remeber countless occasions being frustrated with a piece of software only to discover I had accually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there where any more problems.

    No I am not microsoft/novell/apple bashing, I just feel that OSS comes out with more accountibility for their products. Perhaps I would hear back more often from commerical companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money :)

    Zorton
    btw: if anyone with a linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know :) I would be curious if it's a configuration problem (although tech support dosen't seem to think so) or a real bug.