URGENT: Samba security hole

Andrew Tridgell tridge at valinux.com
Sat Jun 23 00:26:20 GMT 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		IMPORTANT: Security bugfix for Samba
		------------------------------------

June 23rd 2001


Summary
- -------

A serious security hole has been discovered in all versions of Samba
that allows an attacker to gain root access on the target machine for
certain types of common Samba configuration.

The immediate fix is to edit your smb.conf configuration file and
remove all occurances of the macro "%m". Replacing occurances of %m
with %I is probably the best solution for most sites.

Details
- -------

A remote attacker can use a netbios name containing unix path
characters which will then be substituted into the %m macro wherever
it occurs in smb.conf. This can be used to cause Samba to create a log
file on top of an important system file, which in turn can be used to
compromise security on the server.

The most commonly used configuration option that can be vulnerable to
this attack is the "log file" option. The default value for this
option is VARDIR/log.smbd. If the default is used then Samba is not
vulnerable to this attack.

The security hole occurs when a log file option like the following is
used:

  log file = /var/log/samba/%m.log

In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the
server.

If your Samba configuration has something like the following:

  log file = /var/log/samba/%m

Then the attacker could successfully compromise your server remotely
as no symbolic link is required. This type of configuration is very
rare.

The most commonly used log file configuration containing %m is the one
distributed in the sample configuration file that comes with Samba:

  log file = /var/log/samba/log.%m

in that case your machine is not vulnerable to this attack unless you
happen to have a subdirectory in /var/log/samba/ which starts with the
prefix "log."

New Release
- -----------

While we recommend that vulnerable sites immediately change their
smb.conf configuration file to prevent the attack we will also be
making new releases of Samba within the next 24 hours to properly fix
the problem. Please see http://www.samba.org/ for the new releases.

Please report any attacks to the appropriate authority.

	The Samba Team
	security at samba.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE7M+Gobf9zMVhTZ5ERAoVvAJ9CX93rSHbEyPD95mS3C5XaQXx5RgCfeOIx
bKPS2xD1L8C0mlr6y5i8uBo=
=M/K7
-----END PGP SIGNATURE-----

More information about the samba-technical mailing list