Samba 2.0.7 SWAT vulnerabilities (fwd)

jeremy at valinux.com jeremy at valinux.com
Wed Nov 1 02:53:41 GMT 2000 

On Tue, Oct 31, 2000 at 10:24:14AM -0800, miah wrote:
> 
> You guys really need a "security at samba.org" contact.
> 
> -miah
> 
> ******************************************************************************
> the original writeup can be found at http://www.uberhax0r.net/~miah/swat
> along with all the code mentioned in this advisory
> ******************************************************************************
> 
> The program swat included in the samba distribution allows username and
> password bruteforcing. An attacker can easily generate userlists and then
> bruteforce their passwords. Comments in the source code show that somebody
> tried to prevent this from happening[1].

First of all - the CGI logging code is not turned on,
no distribution of Samba turns it on.

Yes it is broken, but it is *so* broken a better fix would
be to just remove it  altogether, not use the fix given (which
Andrew has already pointed out introduces a race condition).

Failed auth logging should be done to syslog, and I'll
make sure this goes into the 2.2 version of SWAT. I'll
also just remove the CGI logging code.

As for the "username/password bruteforcing" - so 
does telnet ! Anything that does remote auth allows
username/password pairs to be remotely tested. An
easier attack would be to code up a special version
of smbclient that does multiple ssessionsetupandX
calls - look - that works against all SMB servers !

SWAT can be protected using ssl wrappers like stunnel
and also obeys the hosts allow/hosts deny smb.conf
parameters. This is a better fix.

This is not a panic fix bug report. The only annoying thing
is the difference in return for valid/invalid usernames
which would allow valid usernames to be determined
remotely. That's due to the Get_Pwnam call done in one
code path and not another which is easily fixed (I'll post
a quick patch for that later this week - I'm in DC at the
moment with poor net access).

The idea for a security at samba.org is a very good one
though, I'll get to that once I'm back.

In the words of the HitchHikers Guide to the Galaxy,
"DON'T PANIC" - especially over this so called "exploit"
which requires the hacker to persuade the Samba admin to
change source code and recompile and re-install swat
before the "root" exploit is permissable. I the hacker
can get the admin to do that I can think of easier "root"
attempts. I won't repeat what Andrew said about this
report :-) :-) :-).

Cheers,

		Jeremy Allison,
		Samba TEam.

More information about the samba mailing list