Re: Samba 'smbprint' script tmpfile vulnerability.


For the record, Shaun Colley first emailed <security@xxxxxxxxx>
on "Thu, 18 Mar 2004 20:21:48 +0000 (GMT)".  The set of core
Samba developers were given no prior notice that the potential
bug would be published on BUGtraq.  Nor were we notified when
the announcement was sent.

Samba developers were in the process of completing their analysis
when this occurred.

Now onto the response....


Product:      Samba 'smbprint' script.
              http://www.samba.org

Versions: All versions, but manifesting in different ways.

Please be aware that Shaun's report applies to the
smbprint-new.sh script included in the examples/ directory
of the Samba 3.0.2a distribution.  No other version of
smbprint included in the packaging/ directory possesses
this flaw.

The Samba Team has no control over what individual package
maintainers or distributors include in their packages.  As
Shaun has pointed out, the version of samba packaged with
Mandrake 9.0 may be vulnerable to such a symlink attack as
described here.  This fact has not been confirmed by Samba
developers.

Bug:          Symlink bug / tmpfile bug.
...
I have located a bug in older versions of the smbprint
script, and also a less likely one in the new version
(packaged with 3.0.2a and maybe earlier).  These

My comments apply to both the Samba 2.2.8a release
as well as the current 3.0.x series.

The script in question is included in the current 3.0.2a
release in samba-3.0.2a/examples/printing/smbprint-new.sh.
Source code, utilities, and documentation included in the
examples/ portion of the Samba source tree are contributed
by the Samba community as possibilities of how a given task
may be achieved.

They are *examples* only and not to be considered part of
the core Samba client or server product.

Therefore, while the possibility of the symlink attack that
Shaun describes is real, it should be stressed that

  (a) smbprint-new.sh is an example script only.  Users
      or administrators may do whatever they see fit.
  (b) the default behavior of the script is to log debug
      output to /dev/null and is therefore not vulnerable
      to the symlink attack.
  (c) the administrator must have enabled the debug option
      in the matching .config file as well as not overriding
      the default debugfile setting.


Details
########

1) Older versions of smbprint - tmpfile vulnerability.
--

Without knowing which specific packages or versions
Shaun is referring to, it is impossible to address
this statement.  See the above statement regarding
the 2.2.8a release and the 3.0.x series.

--- /usr/bin/smbprint ---
[...]
logfile=/tmp/smb-print.log

This is not the default option in the versions of the
smbprint script that I have been able to locate.  The line
in question has been commented out in the versions of
smbprint that are included in the packaging/ directory
of the Samba source tree.

2) Newest version of smbprint - tmpfile vulnerability
....Here is a sample config file on
a system which is vulnerable:

--- .config ---
user="username"
server=server
service=printer
password=""
debug=yes
--- EOF ---

This is the smbprint-new.sh script contained in examples/printing/.
The debug option is not required, and as stated previously,
not enabled by default.

Solution
#########

I've tried to provide workarounds.  Maybe bug 2) will
be fixed in the next stable release of Samba.

In summary, the Samba Team is labeling this as a bug and not
a security hole due to the fact that it is only an example.  We
will, however, ensure that the bug is fixed before the next
official release (i.e. Samba 3.0.3).

cheers, jerry
Samba Release Manager
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
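As an added example (not code from Samba or from this message), this shows how a print-filter script can honour a "debug=yes" setting from the quoted .config format without the predictable /tmp log path that makes the symlink attack possible; the function names, the private log directory and the parsing approach are assumptions made for this demonstration.

```shell
#!/bin/sh
# Weak pattern from the report: a fixed, predictable path in a
# world-writable directory, e.g.  logfile=/tmp/smb-print.log
# Any local user can pre-create that name as a symlink before the
# script runs, so appending to it follows the link.

# Hardened: put the log in a fresh private directory. mktemp -d creates
# it with mode 0700 and an unpredictable name, so no other user can
# plant a symlink there. Prints the log path; non-zero on failure.
new_debug_log() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/smbprint.XXXXXX") || return 1
    printf '%s\n' "$dir/debug.log"
}

# Second line of defence: refuse to append through a symlink or to
# anything that is not a regular file. A check-then-write still races
# in a shared directory, which is why the private directory above is
# the primary control. Returns 2 for a symlink, 3 for a non-regular file.
safe_append() {
    logfile=$1; shift
    [ -L "$logfile" ] && return 2            # symlink: do not follow it
    if [ -e "$logfile" ] && [ ! -f "$logfile" ]; then
        return 3                             # directory, fifo, device
    fi
    printf '%s\n' "$*" >> "$logfile"
}

# Read a .config in the quoted key=value form and decide where debug
# output goes. Default is /dev/null, matching point (b) in the message.
# Only the one key is extracted instead of sourcing the file with ".",
# so other lines in the config cannot execute as shell code.
debug_target_from_config() {
    conf=$1
    debug=$(sed -n 's/^debug=//p' "$conf" | tail -n 1)
    if [ "$debug" = "yes" ]; then
        new_debug_log
    else
        printf '%s\n' /dev/null
    fi
}
```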