This was on the samba general list this morning and is probably worth
reposting:
----------------------
> Some time ago one of my customer's computers was compromised by outside
> attackers, and though we were able to clean it up I never learned how.
> A few weeks back, my own office machine was hacked and the signs were
> similar; but this time I found an exploit program named "kulak" in my
> /tmp directory.
>
> Evidently (according to the source, which the attacker left behind also)
> kulak exploits a buffer overflow in Samba 2.2.8 to get a root shell.  I
> searched Google to no avail for this exploit; so I am asking here.  Is
> this bug fixed in later versions?  Has anyone even heard of this?

Fixed in 2.2.8a.
----------------------

I read about this hole a few months ago, saw the patch come out quickly,
but wasn't too motivated to upgrade my production server as the rumor was
that the hole was theoretical and had not yet been exploited.

So now I have a fresh motivation to upgrade to Samba-2.2.8.a.  I'm fairly
certain the patch is back-ported to samba-2.2.5-78 if you have SLES-8 and a
support contract with SuSE. Otherwise it's rebuild from source, or roll
your own RPM.

          -Mike MacIsaac, IBM  mikemac at us.ibm.com   (845) 433-7061
