[Samba] Possible SMBd Remote File Creation Vulnerability again?

[Clint Sharp]

On Sun, 2004-04-04 at 23:15, Ignacio Bustamante wrote:
> Hi,
> 
> Five days ago (2004/03/31) someone was able to obtain a list of *all* the 
> unix user names of my machine (a Redhat 9 w/ latest patches) and then 
> started trying to log as a samba user (about 400 tries per user name). Upon 
> noticing this strange behavior I immediately proceeded to block all ports 
> related to samba, and to put the story short, fortunately or should I say 
> hopefully the individual trying to get entry was not able to log into my 
> machine according to other logs.
> 
> Later on while searching the Internet  for information on this problem, 
> came upon the "SMBd Remote File Creation Vulnerability" published on the 
> year 2001, and referring to samba versions 2.0.7 and 2.0.8.,.. Well this is 
> year 2004, and I am using version "2.2.7a-security-rollup-fix.", could this 
> mean that this vulnerability either was never fixed or that it is present 
> again? any info will be appreciated
> 
> BTW, Just, in case I applied temporary fix suggested on the 2001 
> information, by changing the log name from "%m.log" to "log.%m"
> 
> Thanks in advance
> 
> --Ignacio

A copy of your smb.conf would have helped.  Do you have a guest account
enabled on your samba config?  It sounds like someone was able to
enumerate your userlist, which would require access to the IPC$ share,
which any user who could authenticate (even guest) should be able to
do.  I'd highly recommend as a general practice not exposing SMB or CIFS
shares to the Internet or an untrusted network, as even though Samba is
more secure than say Windows, it's still just not a good idea unless
there's a legitimate justification for it.  Even so, SFTP or some other
more secure file transfer mechanism would be a better option (or if
there are trusted users on the Internet, have them tunnel the SMB
traffic through SSH or an IPSEC tunnel).

Clint