Samba 3.0.23d - 3.0.25pre2: Local SID/Name Translation Failure Can Result in User Privilege Elevation

2007.05.17
Risk: High
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ========================================================== == == Subject: Local SID/Name translation bug can result == in user privilege elevation == CVE ID#: CVE-2007-2444 == == Versions: Samba 3.0.23d - 3.0.25pre2 (inclusive) == == Summary: A bug in the local SID/Name translation == routines may potentially result in a user == being able to issue SMB/CIFS protocol == operations as root. == ========================================================== =========== Description =========== When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server. ================== Patch Availability ================== A patch against Samba 3.0.23d/3.0.24 has posted at http://www.samba.org/samba/security/ ========== Workaround ========== There is no immediate workaround for this defect that does not involve changing the server code in the smbd daemon. The Samba Team always encourages users to run the latest stable release as a defense against attacks. If this is not immediately possible, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html ======= Credits ======= This vulnerability was reported to Samba developers by Paul Griffith <paulg (at) cse.yorku (dot) ca [email concealed]> and Andrew Hogue. Much thanks to Paul and Andrew for their cooperation and patience in the announcement of this defect. Thanks also to Samba developers James Peach and Jeremy Allison for the analysis and resolution of this issue. The time line is as follows: * March 20, 2007: Defect first reported to the security (at) samba (dot) org [email concealed] email alias. * March 30, 2007: Initial developer response by Gerald Carter. * April 4, 2007: Patch released to bug reporter for testing. * April 9, 2007: Fixed confirmed by original reporter. * May 3, 2007: Announcement to vendor-sec mailing list * May 14, 2007: Public announcement of the security issue. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGR5W7IR7qMdg1EfYRAsv9AJ9KfUWTcyiDhLEDeIKJFGXaAWvk1gCff+0j FFgPmJhGBosBPSadj+bPpgw= =ruFz -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top