Note: This is an archival copy of Security Sun Alert 200980 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000738.1.
Article ID : 1000738.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-06-12
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in Samba May Allow Unauthorized Root Privileges

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System

Bug Id
5080288, 6203085

Date of Workaround Release
25-OCT-2004

Date of Resolved Release
06-JAN-2005

Impact

Security vulnerabilities in Samba may result in one or both of the following issues:

1. A buffer overflow may allow a remote unprivileged user the ability to execute arbitrary code with the privileges of Super User (typically root) on a Solaris 9 or Solaris 10 system running as a Samba server.

This issue is referenced in the following document:

2. A security vulnerability may allow a remote unprivileged user the ability to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.

This issue is referenced in the following document:


Contributing Factors

The first issue described above can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 114684-03
  • Solaris 10 without patch 119757-01

x86 Platform

  • Solaris 9 without patch 114685-03
  • Solaris 10 without patch 119758-01

The second issue described above can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 114684-03

x86 Platform

  • Solaris 9 without patch 114685-03

Note: Solaris 7 and Solaris 8 do not include the Samba software and are not affected by these issues. Sun does include Samba on the Solaris Companion CD for Solaris 8 as an unsupported package which installs to "/opt/sfw" and is vulnerable to this issue. Sites using the freeware version of Samba from the Solaris Companion CD will need to upgrade to a later version from Samba.org.

Issue 1 described above only occurs if all of the following conditions are true:

  • The system is configured as a Samba server
  • The version of Samba installed is 2.2.0 through 2.2.9 or 3.0.0 through 3.0.4
  • The server is configured to use the "hash" mangling method. (This is the default configuration for Samba 2.2.x only)

Issue 2 described above only occurs if all of the following conditions are true:

  • The system is configured as a Samba server.
  • The version of Samba installed is 2.2.0 through 2.2.11 or 3.0.0 through 3.0.2.
  • The server is configured with the "wide links" option set to "yes" for any or all shares (This is the default configuration).

To determine if a system is configured as a Samba server, use the following command to check for the presence of the smb.conf(4) file:

% ls -l /etc/sfw/smb.conf
-rw-r--r--   1 root     other      11665 Sep 28 16:37 /etc/sfw/smb.conf

If the output is similar to that shown above, the system is configured as a Samba server.

To determine the version of Samba installed on a system, the following command can be run:

% /usr/sfw/sbin/smbd -V
Version 2.2.8a

To determine if the server is configured to use the "hash" mangling method, the following command can be run:

% grep 'mangling method' /etc/sfw/smb.conf

If the output is either of the following, then the system is vulnerable:

  1. "mangling method = hash"
  2. There is no output AND the Samba version is 2.2.x

Note: For Samba 2.2.x the default is "mangling method = hash". If this has not been changed, there will be no entry in the "/etc/sfw/smb.conf" file for "mangling method".

To determine if the server is configured with the "wide links" option set to "yes", the following command can be run:

% grep 'wide links' /etc/sfw/smb.conf

If the output is either of the following, then the system is vulnerable:

  1. There is no output.
  2. "wide links = yes"

Note: For all versions of Samba the default is "wide links = yes". If this has not been changed, there will be no entry in the "/etc/sfw/smb.conf" file for "wide links".


Symptoms

There are no predictable symptoms that would indicate the described issues has been exploited.


Workaround

For Issue 1 described above:

Servers which are configured to use the "hash2" mangling method are unaffected by this issue. As a result, this issue can be avoided by modifying or adding the following "mangling method" line to smb.conf(4): 

    mangling method = hash2

For Issue 2 described above:

Samba shares which are configured with the "wide links" option set to "no" are unaffected by this issue. As a result, this issue can be avoided by modifying or adding the following line to smb.conf(4) (note that all instances of this line in smb.conf(4) must be modified if they exist): 

    wide links = no

Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 114684-03 or later
  • Solaris 10 with patch 119757-01 or later

x86 Platform

  • Solaris 9 with patch 114685-03 or later
  • Solaris 10 with patch 119758-01 or later


Modification History
Date: 06-JAN-2005

Change History

  • State: Resolved
  • Added BugID
  • Updated Contributing Factors and Resolution sections

Date: 10-JAN-2005
  • Updated Contributing Factors and Relief/Workaround sections

Date: 13-JUN-2005
  • Updated Product field
  • Updated Contributing Factors and Resolution sections


References

114684-03
114685-03
119757-01
114684-03




Attachments
This solution has no attachment