[Samba] CVE-2008-4250?
Andrew Bartlett
abartlet at samba.org
Mon Jun 18 18:50:29 UTC 2018
On Mon, 2018-06-18 at 09:14 -0400, Leslie León via samba wrote:
> Good morning/day/night to all!
>
> After moving all my infrastructure to Debian9, changed my ADDC from
> Win2K12 to Samba4 scanning my network I found the following:
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> koratsuki at happyharry:~$ nmap --script smb-vuln-ms08-067.nse -p445
> smb-addc.tld
>
> Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-18 08:14 CDT
> Nmap scan report for smb-addc.tld
> Host is up (0.00073s latency).
>
> PORT STATE SERVICE
> 445/tcp open microsoft-ds
>
> Host script results:
> > smb-vuln-ms08-067:
> > VULNERABLE:
> > Microsoft Windows system vulnerable to remote code execution (MS08-067)
> > State: LIKELY VULNERABLE
> > IDs: CVE:CVE-2008-4250
> > The Server service in Microsoft Windows 2000 SP4, XP SP2 and
>
> SP3, Server 2003 SP1 and SP2,
> > Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows
>
> remote attackers to execute arbitrary
> > code via a crafted RPC request that triggers the overflow
>
> during path canonicalization.
> >
> > Disclosure date: 2008-10-23
> > References:
> > https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
> > _ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
>
> Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> Now, I wonder... Why is happening that? That server is installed with
> samba 4.8.2, lastest stable release, Debian 9.4, and the compile chain is:
>
> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
> --localstatedir=/var --enable-debug --enable-selftest --cross-answers
> --cross-execute --disable-cups --disable-iprint --sbindir=/usr/sbin
> --mandir=/usr/share/man -j4 --enable-selftest --without-systemd
>
> I´am doing something wrong or need more stuff in the smb.conf? The
> smb.conf is using the default config... Can someone point me on the
> right direction in order to fix this?
The implementation of the test in Nessus is incorrect.
Here are the two (yes, for silly reasons) implementations in Samba:
WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
struct srvsvc_NetPathCompare *r)
{
p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
/*
srvsvc_NetPathCompare
*/
static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state
*dce_call, TALLOC_CTX *mem_ctx,
struct srvsvc_NetPathCompare *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
As you can see from
https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse
Any fault code is assumed to mean a vulnerable server, the RNG_ERROR
(yet another way to say not implemented) included.
Hopefully this is enough to assist you, if you need to assuage an
auditor then I suggest submitting a patch implementing it.
This won't be hard, the clue is in the implementation note:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116
<116>
Section 3.1.4.31: The server does a standard C string comparison on the
canonicalized path names and returns the result.
<117>
Section 3.1.4.31: No security restrictions are imposed by Windows-based
server implementations on the caller.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list