[Samba] Possible SMBd Remote File Creation Vulnerability again?
clint at typhoon.org
Mon Apr 5 06:42:23 GMT 2004
On Sun, 2004-04-04 at 23:15, Ignacio Bustamante wrote:
> Five days ago (2004/03/31) someone was able to obtain a list of *all* the
> unix user names of my machine (a Redhat 9 w/ latest patches) and then
> started trying to log in as a samba user (about 400 tries per user name). Upon
> noticing this strange behavior I immediately proceeded to block all ports
> related to samba, and to put the story short, fortunately or should I say
> hopefully the individual trying to get entry was not able to log into my
> machine according to other logs.
> Later on, while searching the Internet for information on this problem, I
> came upon the "SMBd Remote File Creation Vulnerability" published in the
> year 2001, and referring to samba versions 2.0.7 and 2.0.8... Well, this is
> year 2004, and I am using version "2.2.7a-security-rollup-fix". Could this
> mean that this vulnerability either was never fixed or that it is present
> again? Any info will be appreciated.
> BTW, just in case, I applied the temporary fix suggested in the 2001
> information, by changing the log name from "%m.log" to "log.%m"
> Thanks in advance
A copy of your smb.conf would have helped. Do you have a guest account
enabled on your samba config? It sounds like someone was able to
enumerate your userlist, which would require access to the IPC$ share,
which any user who could authenticate (even guest) should be able to
do. I'd highly recommend as a general practice not exposing SMB or CIFS
shares to the Internet or an untrusted network, as even though Samba is
more secure than, say, Windows, it's still just not a good idea unless
there's a legitimate justification for it. Even so, SFTP or some other
more secure file transfer mechanism would be a better option (or if
there are trusted users on the Internet, have them tunnel the SMB
traffic through SSH or an IPSEC tunnel).
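
An added example, not part of the original thread or of Samba itself: a small Python check of an smb.conf for the points raised above (guest access, exposure to untrusted networks, and the "%m.log" log name the poster changed). The function names, the sample configurations and the choice of `hosts allow` and `map to guest` as the parameters to inspect are assumptions made for this illustration.

```python
import os
import re

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} (names lower-cased)."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the settings discussed in the thread."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "hosts allow" not in g and "allow hosts" not in g:
        findings.append("[global] no 'hosts allow': any host that can reach smbd may connect")
    if g.get("map to guest", "never").lower() != "never":
        findings.append("[global] 'map to guest' lets some failed logins fall back to guest")
    if os.path.basename(g.get("log file", "")).startswith("%m"):
        findings.append("[global] log file name starts with %m; the thread's workaround is log.%m")
    for name, params in conf.items():
        # 'public' is a synonym for 'guest ok'
        if params.get("guest ok", params.get("public", "no")).lower() in TRUE:
            findings.append(f"[{name}] guest access enabled")
    return findings

# Constructed samples (the poster's real smb.conf was never shared).
WEAK = """[global]
   map to guest = Bad User
   log file = /var/log/samba/%m.log
[public]
   guest ok = yes
"""
HARDENED = """[global]
   hosts allow = 192.168.1. 127.
   map to guest = Never
   log file = /var/log/samba/log.%m
[data]
   guest ok = no
"""
```

Calling `audit(WEAK)` returns four findings and `audit(HARDENED)` returns none; a `hosts allow` line complements, and does not replace, firewalling the SMB ports.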