Fw: Samba Security breach ?

Ron Alexander rcalex at home.com
Wed Jan 3 12:27:28 GMT 2001


I am forwarding this as the original author seems to have discovered 2 bugs
in smbpasswd (it has no way to override the smb.conf and it uses the
hostname as netbios name)


"Jim van Keulen" <jim at cs.vu.nl> wrote in message
news:<92utha$6jn at cs.vu.nl>...
> Summary:
>
> Security breach in Samba? Possible to access a share with owner's
> permissions while not logged onto domain as owner.
>
> Operating system:  Solaris 2.8
> Samba version:     Samba 2.0.7
> Compiler:          gcc 2.95.2 19991024 (release)
>
>
> Background information
>
> We have a mixed NT and Solaris environment for staff and students. The NT
> workstations are in one of the domains domA and domB. domA and domB have a
> mutual trust relation. Staff members have NT accounts. Students do not have
> a NT account, but can use the NT systems as the generic user student. When
> a student logs on (into domain domB) a logon script is started that asks for
> a UNIX user name and password and tries to connect the user with his/her
> home directory on a Samba server. If this does not succeed, the user is
> logged off again, otherwise the user can use the system. Note that the user
> is logged on into the domain domB under the name student. Student is not a
> UNIX user name. On the Samba servers we have security = user and encrypt
> passwords = no. On the NT systems we have set the relevant registry entry
> to force unencrypted passwords.
>
>
> An experiment with a (dual headed) Samba server in the domain
>
> I wanted to experiment with a Samba server, named mistral, as member of a
> domain. But I also wanted to keep the existing functionality under the
> well-known old name mistral. So I decided to use the 'split personality'
> feature of Samba, where the behaviour of the Samba server depends on the
> name you call it with. I therefore included in the config file
> /local/samba/lib/mistral.cf the lines
>
> workgroup = domA
> netbios name = mistral_X
> netbios aliases = mistral
> include = /local/samba/lib/%L.sec
>
> The file /local/samba/lib/mistral.sec contains the lines
>
> security = user
> encrypt passwords = no
>
> while /local/samba/lib/mistral_X.sec contains
>
> security = domain
> password server = PDC
> encrypt passwords = yes
>
> Note that the netbios name is different from the hostname. I now tried to
> let mistral_X join the domain domA. In this process I discovered a bug in
> smbpasswd. Smbpasswd does not read the netbios name from the config file.
> It always sets the netbios name to be identical to the hostname. Also there
> is no possibility to have smbpasswd use another config file than the one
> compiled in. I therefore decided to alter smbpasswd with the possibility to
> give the netbios name on the command line. This seemed to work; mistral_X
> was successfully added to the domain domA.
>
> I was now able to log in to the domain domA as user jdoe and connect to
> mistral_X as user jdoe with all the permissions of Unix user jdoe. Also the
> behaviour of mistral seemed the same as before. It was possible to connect
> with user name and password.
>
>
> Security Breach
>
> I now logged off and immediately thereafter logged on as user student in
> the domain domB. I entered the name jim and the relevant password to
> satisfy the logon script. I was connected to the Samba share on the system
> top, where jim's home directory is located. No connection was made at this
> point with mistral or mistral_X. I now tried to browse machine mistral_X,
> which went well, and after that the share jdoe on mistral_X. I was amazed
> to find that I now could access all folders jdoe could, create new folders,
> delete files. Files I created were created with owner jdoe. Samba
> considered me to be jdoe while I was logged onto the domain as user
> student, which was mapped to nobody on UNIX.
>
> In the log files I see that I connect with the Samba server as Windows user
> student mapped to the UNIX user nobody. But when I connected with the share
> jdoe I was suddenly considered to be jdoe. Apparently the connection with
> the share had not been closed when I logged off as jdoe.
>
> When I created a Unix user student everything behaved like normal. I could
> not access share jdoe. It seems to me that there is a bug in the Samba
> source somewhere where the mapping from student to nobody is being done.
> I have looked at the code, but it is not easy to comprehend what is going
> on.
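The pattern Jim describes leaves a trace in log.smbd: a single smbd process (one per client TCP connection) first logs a tree connect as the guest account and later logs a tree connect to another share as a real user. The following is an added example, not code from the original post or from the Samba project: a small Python check that parses "connect to service" messages and flags smbd pids where a connect as the guest user is followed by a connect as a different user. It assumes the message layout that Samba 2.x smbd emits from make_connection() (host, address, service, user, uid/gid, pid) preceded by the usual "[date time, level] file:function(line)" header; the sample log lines, hosts, addresses, uids and pids are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not taken from the original
# post). They mirror the "connect to service" message that Samba 2.x smbd
# writes from make_connection(), each preceded by the usual
# "[date time, level] file:function(line)" header line. Hosts, addresses,
# uids and pids are invented. pid 4711 shows the reported pattern: a connect
# as jdoe, then a guest-mapped connect (nobody), then a connect as jdoe again
# over the same client connection.
SAMPLE_LOG = """\
[2001/01/03 10:02:11, 1] smbd/service.c:make_connection(550)
  ws17 (130.37.24.8) connect to service jdoe as user jdoe (uid=1012, gid=100) (pid 4711)
[2001/01/03 10:41:56, 3] smbd/service.c:make_connection(550)
  ws17 (130.37.24.8) connect to service IPC$ as user nobody (uid=60001, gid=60001) (pid 4711)
[2001/01/03 10:42:03, 1] smbd/service.c:make_connection(550)
  ws17 (130.37.24.8) connect to service jdoe as user jdoe (uid=1012, gid=100) (pid 4711)
[2001/01/03 10:45:00, 1] smbd/service.c:make_connection(550)
  ws22 (130.37.24.9) connect to service jim as user jim (uid=1020, gid=100) (pid 4802)
[2001/01/03 10:46:10, 1] smbd/service.c:make_connection(550)
  ws23 (130.37.24.10) connect to service public as user nobody (uid=60001, gid=60001) (pid 4810)
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] ..."; only the timestamp is kept.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\]")
# Message line written by make_connection() (assumed layout, see lead-in).
CONNECT_RE = re.compile(
    r"^\s*(?P<host>\S+) \((?P<ip>[^)]+)\) connect to service (?P<service>\S+) "
    r"as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)"
)


def parse_connects(text):
    """Return one dict per 'connect to service' message, in log order.

    The timestamp comes from the header line preceding each message; lines
    of any other message type are skipped.
    """
    records = []
    stamp = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            stamp = h.group(1)
            continue
        m = CONNECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        rec["pid"] = int(rec["pid"])
        rec["time"] = stamp
        records.append(rec)
    return records


def find_guest_then_user(records, guest_user="nobody"):
    """Flag smbd processes where a tree connect as the guest account is
    followed, in the same process, by a tree connect as another user.

    Because one smbd process serves one client TCP connection, this is the
    pattern from the report: a session mapped to nobody ends up with a
    connection running as a real UNIX user. Returns {pid: [records]} for
    the flagged pids only.
    """
    by_pid = defaultdict(list)
    for rec in records:
        by_pid[rec["pid"]].append(rec)

    flagged = {}
    for pid, recs in by_pid.items():
        seen_guest = False
        for rec in recs:
            if rec["user"] == guest_user:
                seen_guest = True
            elif seen_guest:
                flagged[pid] = recs
                break
    return flagged


if __name__ == "__main__":
    hits = find_guest_then_user(parse_connects(SAMPLE_LOG))
    for pid, recs in hits.items():
        print(f"pid {pid}: guest-mapped session later connected as another user")
        for r in recs:
            print(f"  {r['time']} {r['host']} ({r['ip']}) service={r['service']} "
                  f"user={r['user']} uid={r['uid']}")
```

Treat a hit as a triage signal rather than proof: a client that performs several session setups over one TCP connection legitimately produces tree connects as different users within one smbd process, and the exact message text and the log level at which IPC$ connects appear vary between Samba versions, so adjust CONNECT_RE and the guest account name to the server being checked.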





More information about the samba-technical mailing list