I havnt read my mail for a while... this is about 2 weeks old....
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Reality is a cop-out for people who can't handle drugs.
Generated by /usr/games/fortune
Jamie Chamoulos
Internet.Now!
[EMAIL PROTECTED]
http://www.efn.org/~jamie
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
---------- Forwarded message ----------
Date: Mon, 25 Jun 2001 14:44:58 -0700
From: Gene
To:
Subject: FW: samba security hole
FYI... G
-----Original Message-----
From: Tom
Sent: Monday, June 25, 2001 2:42 PM
To: Multiple recipients of list SYSADMIN
Subject: samba security hole
FYI
------- Forwarded Message
From: Andrew
To: [EMAIL PROTECTED]
Subject: URGENT: Samba security hole
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IMPORTANT: Security bugfix for Samba
------------------------------------
June 23rd 2001
Summary
- - -------
A serious security hole has been discovered in all versions of Samba that
allows an attacker to gain root access on the target machine for certain
types of common Samba configuration.
The immediate fix is to edit your smb.conf configuration file and remove all
occurances of the macro "%m". Replacing occurances of %m with %I is probably
the best solution for most sites.
Details
- - -------
A remote attacker can use a netbios name containing unix path characters
which will then be substituted into the %m macro wherever it occurs in
smb.conf. This can be used to cause Samba to create a log file on top of an
important system file, which in turn can be used to compromise security on
the server.
The most commonly used configuration option that can be vulnerable to this
attack is the "log file" option. The default value for this option is
VARDIR/log.smbd. If the default is used then Samba is not vulnerable to this
attack.
The security hole occurs when a log file option like the following is used:
log file = /var/log/samba/%m.log
In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the server.
If your Samba configuration has something like the following:
log file = /var/log/samba/%m
Then the attacker could successfully compromise your server remotely as no
symbolic link is required. This type of configuration is very rare.
The most commonly used log file configuration containing %m is the one
distributed in the sample configuration file that comes with Samba:
log file = /var/log/samba/log.%m
in that case your machine is not vulnerable to this attack unless you happen
to have a subdirectory in /var/log/samba/ which starts with the prefix
"log."
New Release
- - -----------
While we recommend that vulnerable sites immediately change their smb.conf
configuration file to prevent the attack we will also be making new releases
of Samba within the next 24 hours to properly fix the problem. Please see
http://www.samba.org/ for the new releases.
Please report any attacks to the appropriate authority.
The Samba Team
[EMAIL PROTECTED]
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard
<http://www.gnupg.org/>
iD8DBQE7M+Gobf9zMVhTZ5ERAoVvAJ9CX93rSHbEyPD95mS3C5XaQXx5RgCfeOIx
bKPS2xD1L8C0mlr6y5i8uBo=
=M/K7
- -----END PGP SIGNATURE-----
------- End of Forwarded Message
[EUG-LUG:1543] FW: samba security hole (fwd)
Jamie Chamoulos -- Internet.Now! Wed, 11 Jul 2001 09:45:34 -0700
