[WIP][PATCH] make exploiting Samba harder: talloc, FD_CLOEXEC, remove LIBSMB_PROG

Andrew Bartlett abartlet at samba.org
Tue Dec 13 02:16:37 UTC 2016


I've been looking at things like these:

https://gist.github.com/worawit/051e881fc94fe4a49295

https://blog.compass-security.com/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf

https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

And as you know, I've been thinking about how to make life harder for
the people who like to break things precious to me, like Samba.

That is why we now harden the talloc magic, to make it much harder to
overwrite a talloc object and reset the destructor. 

Attached are some work-in-progress ideas towards this goal.  

The talloc changes were foreshadowed with the talloc_for_exit()
changes, but have security benefits on their own.  An attacker would
need to find the parent of the object being overwritten, and set the
HAS_DESTRUCTOR flag on it also, and any parents all the way up the
chain.

The smb_set_close_on_exec() changes should make it harder for exploits
to use the connecting socket to control the server (require a reverse
shell instead, but that is more fragile). 

The removal of LIBSMB_PROG was prompted by noticing that sock_exec() is
used only there, and was used in an exploit as a wrapper for system(),
without the hardening that came from ASLR of libc. 

I'm running some tests with these to check for unexpected issues.

I know the talloc changes need some more tests.  Those are in the
talloc_free_for_exit() changes and need to be split out. 

Thoughts very welcome,

Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-libsmb-Remove-LIBSMB_PROG.patch
Type: text/x-patch
Size: 7249 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0001-s3-libsmb-Remove-LIBSMB_PROG-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-smbd-Set-FD_CLOEXEC-on-our-main-FD.patch
Type: text/x-patch
Size: 1530 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0002-s3-smbd-Set-FD_CLOEXEC-on-our-main-FD-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s4-socket-Set-FD_CLOEXEC-on-our-main-FD.patch
Type: text/x-patch
Size: 1604 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0003-s4-socket-Set-FD_CLOEXEC-on-our-main-FD-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-talloc-Improve-test_magic_protection-testsuite.patch
Type: text/x-patch
Size: 2300 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0004-talloc-Improve-test_magic_protection-testsuite-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-talloc-Set-TALLOC_FLAG_HAS_DESTRUCTOR-on-parents-whe.patch
Type: text/x-patch
Size: 2638 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0005-talloc-Set-TALLOC_FLAG_HAS_DESTRUCTOR-on-parents-whe-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-talloc-Only-call-talloc-destructors-when-TALLOC_FLAG.patch
Type: text/x-patch
Size: 5446 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0006-talloc-Only-call-talloc-destructors-when-TALLOC_FLAG-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-talloc-Remove-talloc_abort_unknown_value-consolidate.patch
Type: text/x-patch
Size: 2024 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161213/06fd8bc8/0007-talloc-Remove-talloc_abort_unknown_value-consolidate-0001.bin>
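Added example, not part of Andrew's patches or of Samba: a small C program showing what the FD_CLOEXEC part of the series amounts to. The function names (set_close_on_exec, has_close_on_exec, fd_inherited_by_exec) are my own; the assumption is that smb_set_close_on_exec() does the equivalent of set_close_on_exec() below on the connected client socket. A socketpair stands in for the client connection, and fd_inherited_by_exec() execs /bin/sh and asks it whether the descriptor is still open, which is the check an exploit's "reuse the connecting socket" trick depends on.

```c
/* Added example (not Samba code): set and verify FD_CLOEXEC with fcntl(2),
 * then show that a descriptor carrying the flag is gone after exec(2). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd without clobbering other descriptor flags.
 * Returns 0 on success, -1 (errno set) on failure. */
int set_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                         /* already set: nothing to do */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int has_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork, exec /bin/sh and have it try "exec 9<&N": the redirection fails
 * (non-zero exit, error message discarded) when fd N was closed by exec.
 * Returns 1 if the descriptor survived exec, 0 if it was closed, -1 on error. */
int fd_inherited_by_exec(int fd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char num[16];
        snprintf(num, sizeof num, "%d", fd);
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null 9<&\"$1\"",
              "sh", num, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int sv[2];
    /* Constructed stand-in for the smbd client connection. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        perror("socketpair");
        return 1;
    }
    printf("before: inherited by exec = %d\n", fd_inherited_by_exec(sv[0]));
    if (set_close_on_exec(sv[0]) == -1) {
        perror("fcntl");
        return 1;
    }
    printf("after:  inherited by exec = %d\n", fd_inherited_by_exec(sv[0]));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

One general caveat on this pattern (not a claim about what the attached patches do): setting the flag with fcntl() after the descriptor exists leaves a window in which another thread can fork and exec with the socket still inheritable; where the code creating the socket can be changed, passing SOCK_CLOEXEC to socket(2) or accept4(2) sets the flag atomically at creation.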

