[Samba] CVE-2008-1105 - clarification request

Gustavo Homem gustavo at angulosolido.pt
Fri Jun 6 19:49:36 GMT 2008


On Friday 06 June 2008 20:41, Gerald (Jerry) Carter wrote:
> Gustavo Homem wrote:
> > On Friday 06 June 2008 19:49, Gerald (Jerry) Carter wrote:
> >> Gustavo Homem wrote:
> >>> Hi,
> >>>
> >>> The announcement states:
> >>>
> >>> "Secunia Research reported a vulnerability that allows for
> >>> the execution of arbitrary code in smbd"
> >>>
> >>> Does this mean arbitrary code executed "as root" or as the user that
> >>> is authenticated after smbd drops privileges?
> >>
> >> Potentially either.  smbd never drops privileges and can always
> >> re-become root.
> >
> > Are you sure about this?
> >
> >      ├─smbd─┬─2*[smbd]
> >      │      ├─smbd(gustavo)
> >      │      └─smbd(asdrubal)
> >
> > From pstree I always see an smbd process for each user mount.
>
> Yeah.  I'm sure.  :-)  We change to the effective id of the
> user to perform certain operations.  And then change back
> to root when done (with some optimizations to minimize the
> number of security context switches).

Understood. Thanks for the explanation.

>
> > What I want to know is if the vulnerable call is run as the local user or
> > root.
>
> Potentially either.  Treat this as a potential remote root
> code execution although I've only seen PoC code for clients.

?? Does this vulnerability also affect the samba clients if connecting to an 
infected server? 

Best regards
Gustavo

-- 
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
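
Added example, not part of the original message and not Samba code: a per-user process name in pstree does not mean root has been given up, and the Uid: line of /proc/<pid>/status on Linux (real, effective, saved, filesystem ids) shows the difference. The sample status text, pids and uid values below are constructed to mirror the temporary effective-id switch described in the thread.

```python
import re

# Constructed samples, not captured from a real host.
# Linux field order: Uid: real effective saved-set filesystem
SAMPLE_STATUS = {
    "smbd parent": "Name:\tsmbd\nPid:\t2100\nUid:\t0\t0\t0\t0\n",
    "smbd serving a user": "Name:\tsmbd\nPid:\t2117\nUid:\t0\t1000\t0\t1000\n",
    "fully dropped daemon": "Name:\texampled\nPid:\t2200\nUid:\t1000\t1000\t1000\t1000\n",
}

UID_LINE = re.compile(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


def parse_uids(status_text):
    """Return the four uids from the text of a /proc/<pid>/status file."""
    match = UID_LINE.search(status_text)
    if match is None:
        raise ValueError("no Uid: line found")
    real, effective, saved, fs = (int(v) for v in match.groups())
    return {"real": real, "effective": effective, "saved": saved, "fs": fs}


def classify(status_text):
    """'root': running as root now.
    'root-recoverable': effective uid is a user, but a real or saved uid of 0
    lets the process (or code injected into it) call seteuid(0) successfully.
    'dropped': no uid of 0 remains, so root cannot be regained this way."""
    uids = parse_uids(status_text)
    if uids["effective"] == 0:
        return "root"
    if uids["real"] == 0 or uids["saved"] == 0:
        return "root-recoverable"
    return "dropped"


def classify_pid(pid):
    """Same check against a live process on a Linux host."""
    with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for label, text in SAMPLE_STATUS.items():
        print(f"{label:22} {parse_uids(text)} -> {classify(text)}")
```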

