[Security Problem] --with-tdbsam
Yasuma Takeda
yasuma at miraclelinux.com
Mon Jul 1 05:42:02 GMT 2002
In Samba-JP, a "buffer overflow" problem was reported.
If samba is configured with "--with-tdbsam", the init_sam_from_buffer function
contains a buffer overflow vulnerability.
In a certain case, a user can trigger this vulnerability by changing his password.
Please examine this security problem and take the necessary measures.
Vulnerable versions:
2.2.3, 2.2.3a, 2.2.4, 2.2.5
-------------- CUT HERE ---------------------------
diff -uNr samba-2.2.5.orig/source/passdb/pdb_tdb.c samba-2.2.5/source/passdb/pdb_tdb.c
--- samba-2.2.5.orig/source/passdb/pdb_tdb.c Fri May 3 10:03:27 2002
+++ samba-2.2.5/source/passdb/pdb_tdb.c Mon Jul 1 18:58:05 2002
@@ -81,6 +81,7 @@
static uint8 *lm_pw_ptr, *nt_pw_ptr;
uint32 len = 0;
uint32 lmpwlen, ntpwlen, hourslen;
+ pstring cvt_buf;
BOOL ret = True;
BOOL setflag;
struct passwd *pw;
@@ -160,9 +161,10 @@
if (homedir) setflag = True;
else {
setflag = False;
- homedir = strdup(lp_logon_home());
+ pstrcpy(cvt_buf, lp_logon_home());
+ standard_sub_advanced(-1, username, "", gid, cvt_buf);
+ homedir = strdup(cvt_buf);
if(!homedir) { ret = False; goto done; }
- standard_sub_advanced(-1, username, "", gid, homedir);
DEBUG(5,("Home directory set back to %s\n", homedir));
}
pdb_set_homedir(sampass, homedir, setflag);
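Review bot: The added `pstrcpy(cvt_buf, ...)` / `standard_sub_advanced(...)` / `strdup(cvt_buf)` sequence is repeated verbatim in this hunk and in the dir_drive, logon_script and profile_path hunks below, so the bounded-buffer discipline that fixes the overflow lives in four places and any later change to one of them can silently reintroduce it. A small static helper placed before init_sam_from_buffer would keep the scratch buffer and the substitution together and reduce each call site to one line plus the existing NULL check; the `pstring cvt_buf` local added in the first hunk would then move into the helper. The fix presumably relies on standard_sub_advanced bounding its expansion to sizeof(pstring) rather than to the strlen of its input, which is what the old strdup-then-substitute order violated; that contract is worth stating in a comment on the helper, since it is not visible from these lines. The enclosing function init_sam_from_buffer starts and ends outside the hunk.
```c
/* Copy src into a pstring-sized scratch buffer, expand the %-macros in
 * place (standard_sub_advanced is expected to stay within sizeof(pstring)),
 * and return a heap copy from strdup, or NULL if strdup fails. */
static char *sub_and_dup(const char *src, const char *username, gid_t gid)
{
	pstring cvt_buf;

	pstrcpy(cvt_buf, src);
	standard_sub_advanced(-1, username, "", gid, cvt_buf);
	return strdup(cvt_buf);
}

/* … unchanged: earlier part of init_sam_from_buffer … */
		homedir = sub_and_dup(lp_logon_home(), username, gid);
		if(!homedir) { ret = False; goto done; }
/* … unchanged: DEBUG line and pdb_set_homedir; same one-line replacement for dir_drive, logon_script, profile_path … */
```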
@@ -170,9 +172,10 @@
if (dir_drive) setflag = True;
else {
setflag = False;
- dir_drive = strdup(lp_logon_drive());
+ pstrcpy(cvt_buf, lp_logon_drive());
+ standard_sub_advanced(-1, username, "", gid, cvt_buf);
+ dir_drive = strdup(cvt_buf);
if(!dir_drive) { ret = False; goto done; }
- standard_sub_advanced(-1, username, "", gid, dir_drive);
DEBUG(5,("Home directory set back to %s\n", dir_drive));
}
pdb_set_dir_drive(sampass, dir_drive, setflag);
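Review bot: The DEBUG line directly after the new `dir_drive = strdup(cvt_buf);` still reads `Home directory set back to %s` although this block sets dir_drive, and the same copied label appears in the logon_script and profile_path hunks that follow. Suggest `DEBUG(5,("Logon drive set back to %s\n", dir_drive));` here and matching labels (`Logon script`, `Profile path`) in the other two, so log output produced while diagnosing this overflow points at the right field. The enclosing function init_sam_from_buffer starts and ends outside the hunk.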
@@ -180,9 +183,10 @@
if (logon_script) setflag = True;
else {
setflag = False;
- logon_script = strdup(lp_logon_script());
+ pstrcpy(cvt_buf, lp_logon_script());
+ standard_sub_advanced(-1, username, "", gid, cvt_buf);
+ logon_script = strdup(cvt_buf);
if(!logon_script) { ret = False; goto done; }
- standard_sub_advanced(-1, username, "", gid, logon_script);
DEBUG(5,("Home directory set back to %s\n", logon_script));
}
pdb_set_logon_script(sampass, logon_script, setflag);
@@ -190,9 +194,10 @@
if (profile_path) setflag = True;
else {
setflag = False;
- profile_path = strdup(lp_logon_path());
+ pstrcpy(cvt_buf, lp_logon_path());
+ standard_sub_advanced(-1, username, "", gid, cvt_buf);
+ profile_path = strdup(cvt_buf);
if(!profile_path) { ret = False; goto done; }
- standard_sub_advanced(-1, username, "", gid, profile_path);
DEBUG(5,("Home directory set back to %s\n", profile_path));
}
pdb_set_profile_path(sampass, profile_path, setflag);
------------- END ------------
Regards,
Yasuma Takeda