Note: This is an archival copy of Security Sun Alert 201400 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001072.1.
Article ID : 1001072.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun Cobalt Samba Versions Earlier Than 2.2.8 May Allow Remote Unauthorized Root Privileges



Category
Security

Release Phase
Resolved

Bug Id
4844140, 4833979

Date of Workaround Release
02-MAY-2003

Date of Resolved Release
05-MAY-2004

Impact

Several buffer overflows have been found in Samba(7), at least one of which may allow a remote unprivileged user to execute arbitrary code with the privileges of the Super User (typically root), on Sun Linux and Cobalt legacy products running as a Samba(7) server.

More information describing this issue can be found at: http://www.digitaldefense.net/labs/advisories/DDI-1013.txt

This issue is described in CERT Vulnerability Notes VU#298233 (see http://www.kb.cert.org/vuls/id/298233).


Contributing Factors

This issue can occur in the following releases:

Sun Cobalt

  • Sun Cobalt RaQ4(3001R) and Samba-2.0.6-9C1
  • Sun Cobalt RaQ XTR(3500R) and Samba-2.0.7-4C1
  • Sun Cobalt Qube3(4000WG) and Samba-2.0.7-4C1
  • Sun Cobalt RaQ 550 (4100R) and Samba-2.0.7-4C3 (if turned on manually)
  • Sun Linux 5.0 (LX50) and Samba-2.2.1a-4

Symptoms

There are no predictable symptoms that show this issue has been exploited. Possible symptoms may include: unscheduled reboots, unusual log entries, new users being created on the machine, and machine content being altered.

Due to the nature of the exploit and the lack of logging in Samba, no log entries are generated that can be used to identify that a compromise has occurred. Checking the system last log and /var/log/messages might give some indication of illicit activity, but only after the compromise.

To check the last log, type the command below:

    # last
    user   pts/1      Tue Apr 29 10:08   still logged in
    user   pts/1      Tue Apr 29 10:01 - 10:01  (00:00)
    ...
    wtmp begins Tue Apr  1 10:05:38 2003

The system secure messages log can be viewed with the following command:

    # less /var/log/secure

Finally, look for any events involving security. For example, "su" commands from users who should normally not have root access.
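
The manual review described above can be scripted. The following is an added example, not part of the original advisory: it flags "su" sessions to root by users outside an expected list, and new accounts, in /var/log/secure-style lines. The sample lines are constructed, and the log layout, the host name "raq" and the allowlist are assumptions; it only surfaces after-the-fact indicators, not the Samba exploit itself.

```shell
#!/bin/sh
# Added example (not from the advisory): flag su-to-root sessions by
# unexpected users, and new accounts, in /var/log/secure-style lines.

# Constructed sample lines; the syslog/pam_unix/useradd layout is assumed.
sample_secure_log() {
cat <<'EOF'
Apr 29 10:01:12 raq sshd[812]: Accepted password for admin from 192.0.2.10 port 4021
Apr 29 10:02:40 raq su(pam_unix)[901]: session opened for user root by admin(uid=500)
Apr 29 10:08:03 raq su(pam_unix)[955]: session opened for user root by webuser(uid=512)
Apr 29 10:08:30 raq useradd[960]: new user: name=svc2, uid=0, gid=0, home=/home/svc2, shell=/bin/bash
Apr 29 10:09:11 raq su(pam_unix)[971]: session opened for user nobody by webuser(uid=512)
EOF
}

# scan_secure "ALLOWED USERS" < logfile
# Argument: space-separated users who are expected to su to root.
scan_secure() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }

    # su session for root: last field is "NAME(uid=N)", the invoking user.
    $5 ~ /^su[^a-z]/ && index($0, "session opened for user root by ") {
        who = $NF
        sub(/[(].*/, "", who)
        if (!(who in ok)) print "SU_ROOT", who, "at", $1, $2, $3
        next
    }

    # Account creation; uid=0 means a second root-equivalent account.
    $5 ~ /^useradd/ && index($0, "new user: ") {
        name = ""; uid = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)
            if (f ~ /^name=/) name = substr(f, 6)
            if (f ~ /^uid=/)  uid = substr(f, 5)
        }
        tag = (uid == "0") ? "NEW_ROOT_USER" : "NEW_USER"
        print tag, name, "at", $1, $2, $3
    }'
}

# Demo on the constructed sample; on a real host: scan_secure "admin" < /var/log/secure
sample_secure_log | scan_secure "admin"
```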


Workaround

To work around the described issue, consider disabling Samba services until a patch is available, then re-enable and restart the server.

To turn off the Samba server:

    # /etc/rc.d/init.d/smb stop

To disable the Samba server:

    # chkconfig --level 345 smb off

After the patch has been installed, the Samba server may be re-enabled by running chkconfig(1M) again:

    # chkconfig --level 345 smb on

After the patch has been installed, the Samba server may be restarted:

    # /etc/rc.d/init.d/smb start

Additional workaround information can be found in the "Protecting an Unpatched Samba Server" section from the SambaTeam announcement for version 2.2.8 at:

http://www.samba.org/samba/whatsnew/samba-2.2.8.html


Resolution

This issue is addressed in the following release:

Sun Cobalt

  • Sun Cobalt Qube3: Qube3-All-Security-4.0.1-16417.pkg
    Instructions for downloading the above packages can be found in MyOracleSupport.


Modification History
Date: 07-MAY-2003
  • Updated Impact Statement

Date: 05-APR-2004
  • Updated Resolution section for available Resolution package

























