Samba Hit By 'Highly Critical' Vulnerability

Posted by timothy
from the because-people-are-bad dept.
sawky puck writes "Researchers at Secunia have flagged a 'highly critical' vulnerability in Samba, the widely deployed open-source software for networked file sharing and printing. Successful exploitation allows execution of arbitrary code by tricking a user into connecting to a malicious server (e.g. by clicking an 'smb://' link) or by sending specially crafted packets to an 'nmbd' server configured as a local or domain master browser. This issue affects both Samba client and server installations."

  • CVE-2008-1105 (Score:5, Informative)

    by xmas2003 (739875) * on Thursday May 29, 2008 @02:37PM (#23590785) Homepage
    Here's the assigned Common Vulnerabilities and Exposures [samba.org] - "Boundary failure when parsing SMB responses can result in a buffer overrun"
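
An added illustration (not code from Samba or from this thread) of the bug class named in the advisory quote above: a length field supplied by the peer is checked against the destination buffer and the received byte count before anything is copied. The 4-byte header with a 17-bit length is modelled on the NetBIOS session header that carries SMB; `read_frame`, `demo_oversized` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4   /* type, flags, 16-bit length (assumed framing) */

enum { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_OVERSIZED = -2 };

/* 17-bit length: low bit of the flags byte extends the 16-bit field. */
static size_t claimed_len(const uint8_t *hdr)
{
    return ((size_t)(hdr[1] & 1) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Copy one frame's payload from wire[] into out[]. The sender controls the
 * header, so the claimed length is checked against BOTH the destination
 * size and the bytes actually received before any copy happens. */
int read_frame(const uint8_t *wire, size_t wire_len,
               uint8_t *out, size_t out_size, size_t *payload_len)
{
    if (wire_len < HDR_LEN)
        return FRAME_TRUNCATED;
    size_t n = claimed_len(wire);
    if (n > out_size)               /* omit this and memcpy overruns out[] */
        return FRAME_OVERSIZED;
    if (n > wire_len - HDR_LEN)     /* omit this and memcpy over-reads wire[] */
        return FRAME_TRUNCATED;
    memcpy(out, wire + HDR_LEN, n);
    *payload_len = n;
    return FRAME_OK;
}

/* Constructed input: header claims 0x1FFFF bytes, destination holds 64. */
int demo_oversized(void)
{
    uint8_t wire[8] = { 0x00, 0x01, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
    uint8_t out[64];
    size_t n = 0;
    return read_frame(wire, sizeof wire, out, sizeof out, &n);
}

int main(void)
{
    printf("oversized frame -> %d\n", demo_oversized());
    return 0;
}
```
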
  • Oh jeez (Score:5, Funny)

    by blackjackshellac (849713) on Thursday May 29, 2008 @02:42PM (#23590861)
    I guess I better take all of my samba servers off the internet!

    <snark/>

  • Because there's nothing about Samba in 2008-003.
  • Already Patched (Score:5, Informative)

    by Gazzonyx (982402) on Thursday May 29, 2008 @02:46PM (#23590935)
    Check the samba lists. It's already been fixed and the Debian team should be sending a patched version of samba to their repos for downstream distros either last night or some time today. It's already been rolled in to 3.0.30, IIRC.
    • Re: (Score:3, Funny)

      > It's already been fixed and the Debian team should be sending a patched version of samba to their repos for downstream distros either last night or some time today.
      Yeah, but how long before someone fixes that patch? 2 years?
    • by shamer (897211)
      Gentoo is patched as well.

      net-fs/samba-3.0.28a-r1
  • I sure know I have a highly critical vulnerability to a pretty Brazilian lady doing the Samba, eh gents?
    • Re: (Score:1, Offtopic)

      by kellyb9 (954229)

      > I sure know I have a highly critical vulnerability to a pretty Brazilian lady doing the Samba, eh gents?
      I know you can mod something funny, but is there any way to mod something !Funny?
      • by Applekid (993327)

        > I sure know I have a highly critical vulnerability to a pretty Brazilian lady doing the Samba, eh gents?

        > I know you can mod something funny, but is there any way to mod something !Funny?

        Offtopic seems to be the mod of choice in this case. I always thought nerds like me loved puns. Maybe only good puns, though.

        Other unused one-liners:
        "When I do the Samba I'm pretty vulnerable to kicks to the knees"
        "Samba has always been vulnerable... to arthritis"
        "This vulnerability is easily fixed by switching the audio back to a simple 2/4 beat."

      • I use judicious quantities of "Overrated".

        It's my most favorite-est mod ever.
  • buffer overrun .. (Score:3, Interesting)

    by rs232 (849320) on Thursday May 29, 2008 @03:02PM (#23591175)
    "Boundary failure when parsing SMB responses can result in a buffer overrun [samba.org]"

    Does this apply to a particular CPU/MMU compiler combination or is it generic across all systems? Is it technically possible to design a system that is immune to buffer overruns or, by default, fails safe, as in not allowing any old code to walk all over the address space.
    • Re:buffer overrun .. (Score:5, Informative)

      by kvezach (1199717) on Thursday May 29, 2008 @03:16PM (#23591381)
      Not in general. Straightforward "execute what you want" buffer overruns can be thwarted by using no-execute; however, this doesn't stop the overrun from overwriting data so that the right functions will have the wrong input and thus do what the exploit writer wants. So-called return-to-libc attacks (where the exploit writer rearranges the stack so that it calls preexisting functions with interesting parameters) can be made very hard to pull off with address space randomization, but that doesn't help on architectures with 32-bit or lesser size pointers.

      Radical virtualization might mitigate the effects so that the bugs are irrelevant (as would a capabilities based system where, even if you do smash the stack, there's nothing interesting you can do with the privileges gained), but that's not stopping the buffer overruns themselves, just making them moot.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Possible? Yes. Possible without sacrificing all hopes of decent performance? Not as far as we know.

      For example, you could use your 64-bit address space and put /every single object ever/ in its own page, at 0xXXXXXXXX00000000. Trap pages all around. That ought to do the trick, but now your TLB's shot, and your ints are 4kb large.
    • by kestasjk (933987) on Thursday May 29, 2008 @03:55PM (#23592011) Homepage

      > Is it technically possible to design a system that is immune to buffer overruns or, by default, fails safe, as in not allowing any old code to walk all over the address space.
      Microsoft labs are working on a solution that'll work like this: "The program you are using wants to write 0x0a83d9ed to the stack at address 0x912dfe31. Confirm or Deny?"
    • Re: (Score:1, Funny)

      by Anonymous Coward

      > Is it technically possible to design a system that is immune to buffer overruns or, by default, fails safe, as in not allowing any old code to walk all over the address space.
      Yes. It's called "OpenBSD".
    • Re: (Score:3, Interesting)

      by owlstead (636356)
      "Does this apply to a particular CPU/MMU compiler combination or is it generic across all systems? Is it technically possible to design a system that is immune to buffer overruns or, by default, fails safe, as in not allowing any old code to walk all over the address space."

      Yes, it's called managed code (Java/.NET) and yes, you can even design hardware that runs byte code. It will slightly hamper performance, but it has its advantages. Of course, the way it is currently done is to implement the JVM in softw
      • "Yes, it's called managed code (Java/.NET)"

        Another software solution, which also begs the question, what protects the 'managed code' bits from getting buffer overruns and wouldn't it be simpler to do it in the hardware? Of course the 'managed code' bits are only good in so far as they manage to detect malware all the time. Wouldn't it be simpler to make the kernel immune to these types of bugs as in the SAFECode project? That way when a process fails on garbage collection hooks, exception handling, type s [msdn.com]
    • by ultranova (717540)

      > Is it technically possible to design a system that is immune to buffer overruns or, by default, fails safe, as in not allowing any old code to walk all over the address space.

      Yes: Java, for example, assuming that the JVM itself doesn't have any bugs. Let the flamefest begin.

      Please note, however, that any sufficiently complex protocol can be considered a programming language in itself, and the program using it a virtual machine; and it is impossible to guarantee that the interpreter can't be put into a

    • by jonadab (583620)
      > Is it technically possible to design a system that is immune to buffer overruns or, by
      > default, fails safe, as in not allowing any old code to walk all over the address space.

      I don't know about "immune" in the absolute sense, but there are certainly things you can do. Writing everything (_everything_, including low-level system libraries) in a very-high-level language that dynamically resizes/reallocates buffers as necessary (e.g., integers automatically promote to bigints if they overflow, writin
  • by Danny Rathjens (8471) <slashdot2@@@rathjens...org> on Thursday May 29, 2008 @03:27PM (#23591603)
    Every network I've been on and even some of my current company's ISPs have a policy of blocking all traffic to ports 137 and 139.
    Those types of filters prevent anyone following a smb:// link outside their network.

    I think this is from way back in the day when remote MS Windows SMB/NMB exploits were a dime a dozen and/or network admins wanted to make sure files weren't being shared to the world.
    • Actually, I'm not on a corporate network and I block every port except the few I really use. That should be the golden standard. At my current client, I just said, "Hey I need port 22 open please". I got it within 2 minutes and you do know what that means, don't you?

      I am frankly more paranoid on my personal network than any network I've been on professionally.
  • CIFS (Score:1, Offtopic)

    by FunkyELF (609131)
    I noticed recently that Samba was deprecated in the kernel and that you're supposed to use CIFS. But this is for mounting...what about the servers. Is there a CIFS server for Linux...I know there is one for Solaris.
  • by FranTaylor (164577) on Thursday May 29, 2008 @03:37PM (#23591753)
    "Arbitrary" code will see lots of 'permission denied' errors as it tries to do evil.
    • by pembo13 (770295)
      Except for those admins too lazy to make sure SELinux is working.
      • or PAX, let's not forget about poor little pax.
      • by timbo234 (833667)
        > Except for those admins too lazy to make sure SELinux is working.

        Should read "except for anyone who's deliberately hacked their samba configuration to run as root". Considering there's no need to do this, and all distros package samba to create and run as its own unprivileged uid, this will be pretty much nobody. And anyone who has done that has only themselves to blame.
        • by timbo234 (833667)
          Oh shit, sorry didn't check before I posted. Seems samba does actually run as root. Anyone know why this is?
          • by Dog-Cow (21281)
            When you connect as a Unix user, samba will spawn a process that runs as that user. The root process still needs to run as root to be able to do this. All daemons which must assume other EUIDs work this way.

            Samba will spawn a process that runs as a configured (by default: nobody) user when the connecting user isn't a local (or NIS, ldap, etc) account. Again, it needs to start off as root in order to do this.
    • by ultranova (717540)

      "Arbitrary" code will see lots of 'permission denied' errors as it tries to do evil.

      Unless, of course, someone was so careless as to let a server whose purpose is to grant remote access to the filesystem actually access the filesystem it is supposed to grant access to :).

      There is no way to detect the difference between an evil program overwriting an important file with random garbage and a saintly user editing that same file to contain extremely relevant data. Consequently, SELinux doesn't help at all

  • ... drove me to switch from Redhat 4 to Debian while cleaning up from a remote root compromise. Granted, it was pretty entertaining discovering the rootkit and tracing it back through a few other compromised servers.

    Anyway, hoping I won't be driven from Debian to, uh, Gentoo or something.

  • All I can say is that the Samba team is going to have to roll in more vulnerabilities than this if they want to really mimic Microsoft. C'mon guys, are you even trying?