[Samba] CVE-2008-4250?

Leslie León leslie.leon at azumathb.azcuba.cu
Mon Jun 18 19:26:26 UTC 2018


Thanks for the info.


Best regards :D
> The implementation of the test in Nessus is incorrect.
>
> Here are the two (yes, for silly reasons) implementations in Samba:
>
> WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
> 			      struct srvsvc_NetPathCompare *r)
> {
> 	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
> 	return WERR_NOT_SUPPORTED;
> }
>
> /*
>    srvsvc_NetPathCompare
> */
> static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
> 		       struct srvsvc_NetPathCompare *r)
> {
> 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
> }
>
> As you can see from
> https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse
>
> Any fault code is assumed to mean a vulnerable server, the RNG_ERROR
> (yet another way to say not implemented) included.
>
> Hopefully this is enough to assist you, if you need to assuage an
> auditor then I suggest submitting a patch implementing it.
>
> This won't be hard, the clue is in the implementation note:
> https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116
>
> <116>
> Section 3.1.4.31: The server does a standard C string comparison on the
> canonicalized path names and returns the result.
>
> <117>
> Section 3.1.4.31: No security restrictions are imposed by Windows-based
> server implementations on the caller.
>
> I hope this helps,
>
> Andrew Bartlett

-- 
/************************************************
* Téc. Leslie León Sinclair
* Administrador de Redes - AzumatHB
* Another happy Slackware & Debian GNU/Linux user
* Blog: https://admlinux.cubava.cu
* Proud GNU/Linux User #445535
* ☎ +49-170-7683042
*************************************************/
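
Added example, not part of the original message and not Samba, Nessus or nmap code: a check that separates the "operation not implemented" fault quoted above from any other fault in the reply to a NetPathCompare call, instead of treating every fault alike. The function and enum names are hypothetical, the sample PDUs are constructed, and the layout assumed is the connection-oriented DCE/RPC fault PDU (16-byte common header, status at offset 24).

```c
/* Added example: not Samba, Nessus or nmap code. Sample PDUs are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTYPE_RESPONSE 0x02
#define PTYPE_FAULT    0x03
#define OP_RNG_ERROR   0x1c010002u /* wire value of DCERPC_FAULT_OP_RNG_ERROR */

enum verdict { MALFORMED, NORMAL_RESPONSE, NOT_IMPLEMENTED, OTHER_FAULT };

/* Read a 32-bit integer using the byte order the sender declared. */
static uint32_t rd32(const uint8_t *p, int le)
{
	return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
	          : (uint32_t)p[3] | (uint32_t)p[2] << 8 |
	            (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Classify the reply PDU to a NetPathCompare call; *status is set for faults. */
enum verdict classify_reply(const uint8_t *pdu, size_t len, uint32_t *status)
{
	*status = 0;
	if (len < 16 || pdu[0] != 5)           /* 16-byte common header, RPC v5 */
		return MALFORMED;
	if (pdu[2] == PTYPE_RESPONSE)
		return NORMAL_RESPONSE;
	if (pdu[2] != PTYPE_FAULT || len < 28) /* status sits at offset 24..27 */
		return MALFORMED;
	*status = rd32(pdu + 24, (pdu[4] >> 4) == 1); /* drep: 1 = little endian */
	return *status == OP_RNG_ERROR ? NOT_IMPLEMENTED : OTHER_FAULT;
}

/* Constructed fault PDUs: the op range error, and some other status value. */
static const uint8_t fault_rng[32] = {
	5, 0, 3, 3, 0x10, 0, 0, 0, 32, 0, 0, 0, 1, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 0, 0x02, 0x00, 0x01, 0x1c, 0, 0, 0, 0 };
static const uint8_t fault_other[32] = {
	5, 0, 3, 3, 0x10, 0, 0, 0, 32, 0, 0, 0, 1, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 0, 0x05, 0x00, 0x00, 0x00, 0, 0, 0, 0 };

int main(void)
{
	const uint8_t *samples[] = { fault_rng, fault_other };
	for (int i = 0; i < 2; i++) {
		uint32_t st;
		enum verdict v = classify_reply(samples[i], 32, &st);
		printf("status 0x%08x -> %s\n", (unsigned)st,
		       v == NOT_IMPLEMENTED ? "not implemented, inconclusive" : "other fault");
	}
	return 0;
}
```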
