[Samba] CVE-2008-1105 - clarification request

Gerald (Jerry) Carter jerry at samba.org
Fri Jun 6 19:41:23 GMT 2008


Gustavo Homem wrote:
> On Friday 06 June 2008 19:49, Gerald (Jerry) Carter wrote:
>> Gustavo Homem wrote:
>>> Hi,
>>>
>>> The announcement states:
>>>
>>> "Secunia Research reported a vulnerability that allows for
>>> the execution of arbitrary code in smbd"
>>>
>>> Does this mean arbitrary code executed "as root" or as the user that is
>>> authenticated after smbd drops privileges?
>> Potentially either.  smbd never drops privileges and can always
>> re-become root.
> 
> Are you sure about this?
>
>      ├─smbd─┬─2*[smbd]
>      │      ├─smbd(gustavo)
>      │      └─smbd(asdrubal)
>
> From pstree I always see an smbd process for each user mount.

Yeah.  I'm sure.  :-)  We change to the effective id of the
user to perform certain operations.  And then change back
to root when done (with some optimizations to minimize the
number of security context switches).

> 
> What I want to know is if the vulnerable call is run as the local user or 
> root.

Potentially either.  Treat this as a potential remote root
code execution although I've only seen PoC code for clients.





cheers, jerry
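
The distinction discussed in this message, a process that only switches its effective UID versus one that has dropped root for good, can be read from the four-value `Uid:` line of `/proc/<pid>/status` on Linux. The following is an added example, not part of the original message and not Samba code; the sample status text is constructed, and Linux capabilities are ignored as a simplifying assumption.

```python
import re
import sys

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
# The Uid line lists: real, effective, saved set-user-ID, filesystem UID.
SWITCHED = "Name:\tsmbd\nPid:\t4242\nUid:\t0\t1000\t0\t1000\nGid:\t0\t1000\t0\t1000\n"
DROPPED = "Name:\tworker\nPid:\t4243\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
AS_ROOT = "Name:\tsmbd\nPid:\t4200\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"

UID_LINE = re.compile(
    r"^Uid:[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.MULTILINE
)


def parse_uids(status_text):
    """Return the four UIDs from the Uid: line of a /proc status file."""
    match = UID_LINE.search(status_text)
    if match is None:
        raise ValueError("no well-formed Uid: line found")
    real, effective, saved, filesystem = (int(v) for v in match.groups())
    return {"real": real, "effective": effective,
            "saved": saved, "filesystem": filesystem}


def classify(status_text):
    """Classify how much root authority the process still holds.

    Assumption: only UIDs are considered; Linux capabilities are ignored.
    """
    ids = parse_uids(status_text)
    if ids["effective"] == 0:
        return "running-as-root"
    # An unprivileged process may set its effective UID to its real or
    # saved UID, so a zero in either slot means root is one call away.
    if ids["real"] == 0 or ids["saved"] == 0:
        return "can-regain-root"
    return "dropped"


if __name__ == "__main__":
    # Usage: python3 check_uids.py <pid> [<pid> ...]
    for pid in sys.argv[1:]:
        with open(f"/proc/{pid}/status") as handle:
            print(pid, classify(handle.read()))
```

A process reported as `can-regain-root` should be treated as root when assessing the impact of a code-execution bug, even if process listings show it under a user's name.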
