-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the record, Shaun Colley first emailed <security@samba.org> on "Thu, 18 Mar 2004 20:21:48 +0000 (GMT)". The set of core Samba developers were given no prior notice that the potential bug would be published on BugTraq. Nor were we notified when the announcement was sent.
Samba developers were in the process of completing their analysis when this occurred.
Now onto the response....
> Product: Samba 'smbprint' script. http://www.samba.org
> Versions: All versions, but manifesting in different ways.
Please be aware that Shaun's report applies to the smbprint-new.sh script included in the examples/ directory of the Samba 3.0.2a distribution. No other version of smbprint included in the packaging/ directory possesses this flaw.
The Samba Team has no control over what individual package maintainers or distributors include in their packages. As Shaun has pointed out, the version of samba packaged with Mandrake 9.0 may be vulnerable to such a symlink attack as described here. This fact has not been confirmed by Samba developers.
> Bug: Symlink bug / tmpfile bug....
> I have located a bug in older versions of the smbprint script, and also a less likely one in the new version (packaged with 3.0.2a and maybe earlier). These
My comments apply to both the Samba 2.2.8a release as well as the current 3.0.x series.
The script in question is included in the current 3.0.2a release in samba-3.0.2a/examples/printing/smbprint-new.sh. Source code, utilities, and documentation included in the examples/ portion of the Samba source tree are contributed by the Samba community as possibilities of how a given task may be achieved.
They are *examples* only and not to be considered part of the core Samba client or server product.
Therefore, while the possibility of the symlink attack that Shaun describes is real, it should be stressed that:
(a) smbprint-new.sh is an example script only. Users or administrators may do whatever they see fit.
(b) the default behavior of the script is to log debug output to /dev/null and is therefore not vulnerable to the symlink attack.
(c) the administrator must have enabled the debug option in the matching .config file as well as not overriding the default debugfile setting.
> Details
> ########
> 1) Older versions of smbprint - tmpfile vulnerability.
Without knowing which specific packages or versions Shaun is referring to, it is impossible to address this statement. See the above statement regarding the 2.2.8a release and the 3.0.x series.
> --- /usr/bin/smbprint ---
> [...]
> logfile=/tmp/smb-print.log
This is not the default option in the versions of the smbprint script that I have been able to locate. The line in question has been commented out in the versions of smbprint that are included in the packaging/ directory of the Samba source tree.
> 2) Newest version of smbprint - tmpfile vulnerability
> ....Here is a sample config file on a system which is vulnerable:
> --- .config ---
> user="username"
> server=server
> service=printer
> password=""
> debug=yes
> --- EOF ---
This is the smbprint-new.sh script contained in examples/printing/. The debug option is not required, and as stated previously, not enabled by default.
> Solution
> #########
> I've tried to provide workarounds. Maybe bug 2) will be fixed in the next stable release of Samba.
In summary, the Samba Team is labeling this as a bug and not a security hole due to the fact that it is only an example. We will however, ensure that the bug is fixed before the next official release (i.e. Samba 3.0.3).
cheers, jerry
Samba Release Manager
- ----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAW+CEIR7qMdg1EfYRAr+KAJ9v7vXV2DQh0IZgl3EsRH6/XAMu+wCg0aXe
WtdPvh+A98loLYSAAkTZ254=
=hTfA
-----END PGP SIGNATURE-----
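The debug-log pattern discussed in the thread (a fixed, predictable path under /tmp that the script appends to when debug=yes), shown beside a hardened form. This is an added example written for this page, not Samba's smbprint-new.sh; the function names and the per-user log directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not Samba's smbprint script. Function and path names
# are assumptions chosen to illustrate the issue from the thread.

# Vulnerable pattern: a fixed path in a world-writable directory.
# If something already exists at that path as a symlink, ">>" follows
# the link, so the printing user's debug output lands in the target.
unsafe_log() {
    logfile=${1:-/tmp/smb-print.log}
    echo "$(date) smbprint debug: $2" >> "$logfile"
}

# Hardened pattern:
#  - debug output is off unless explicitly enabled (the script's default
#    of /dev/null has the same effect);
#  - the log lives under a mode-0700 per-user directory, and a symlink
#    sitting at that directory's path is refused;
#  - the file itself comes from mktemp, which creates it O_EXCL with an
#    unpredictable name, so nothing can be pre-planted at that path.
# Prints the log file path on success; prints nothing when debug is off.
safe_log() {
    debug=$1
    msg=$2
    [ "$debug" = "yes" ] || return 0
    logdir=${TMPDIR:-/tmp}/smbprint-$(id -u)
    if [ -L "$logdir" ]; then
        echo "smbprint: refusing symlinked log directory $logdir" >&2
        return 1
    fi
    mkdir -m 0700 -p "$logdir" || return 1
    logfile=$(mktemp "$logdir/smb-print.XXXXXX") || return 1
    echo "$(date) smbprint debug: $msg" >> "$logfile"
    printf '%s\n' "$logfile"
}
```

Setting the config's debug option back to "no", or leaving the debugfile at /dev/null, is the workaround the thread already describes; the hardened function is what a script author would do if the debug log has to go to disk at all.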