[WIP][PATCH] make exploiting Samba harder: talloc, FD_CLOEXEC, remove LIBSMB_PROG

Andrew Bartlett abartlet at samba.org
Mon Dec 19 22:39:45 UTC 2016

On Tue, 2016-12-13 at 15:16 +1300, Andrew Bartlett wrote:
> I've been looking at things like these:
> https://gist.github.com/worawit/051e881fc94fe4a49295
> https://blog.compass-security.com/wp-content/uploads/2012/07/sambaexp
> lo
> it_v1.0.pdf
> https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-20
> 15
> -0240/
> And as you know, I've been thinking about how to make life harder for
> the people who like to break things precious to me, like Samba.
> That is why we now harden the talloc magic, to make it much harder to
> overwrite a talloc object and reset the destructor. 
> Attached are some work-in-progress ideas towards this goal.  
> The talloc changes were foreshadowed with the talloc_for_exit()
> changes, but have security benefits on their own.  An attacker would
> need to find the parent of the object being overwritten, and set the
> HAS_DESTRUCTOR flag on it also, and any parents all the way up the
> chain.
> The smb_set_close_on_exec() changes should make it harder for
> exploits
> to use the connecting socket to control the server (require a reverse
> shell instead, but that is more fragile). 
> The removal of LIBSMB_PROG was prompted by noticing that sock_exec()
> is
> used only there, and was used in an exploit as a wrapper for
> system(),
> without the hardening that came from ASLR of libc. 
> I'm running some tests with these to check for unexpected issues.
> I know the talloc changes need some more tests.  Those are in the
> talloc_free_for_exit() changes and need to be split out. 
> Thoughts very welcome,

If there are no further thoughts on these patches, then I would like to
get some reviews and start pushing them to autobuild (with additional
talloc tests).  Please comment if you have any views on the above. 


Andrew Bartlett

More information about the samba-technical mailing list