tlug: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux (fwd)

[Scott Stone <sstone@example.com>]

now, I've told Andrew about this already, but the TL updates are available
at ftp.pht.com:/pub/turbolinux-3.0comdex/TurboLinux/RPMS.  Just getting
our new 2.0.0 samba package should fix it.

--------------------------------------------------
Scott M. Stone <sstone@example.com, sstone@example.com>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)


---------- Forwarded message ----------
Date: Thu, 19 Nov 1998 18:20:18 +1100
From: Andrew Tridgell <tridge@example.com>
To: BUGTRAQ@example.com
Subject: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux

-----BEGIN PGP SIGNED MESSAGE-----

The Samba team has discovered two security vulnerabilities in the
samba-1.9.18 RPMs as distributed by RedHat, Caldera and TurboLinux.
As far as we know no other distributions of Samba are affected.

summary:
========

The first problem is the installation permissions of the wsmbconf
binary. The RPM installs wsmbconf as a setgid binary owned by group
root and executable by all users.

The wsmbconf program was a prototype application and was never meant to
make its way into a Samba release. It was not designed to be setgid
and is vulnerable to attack by local users when installed setgid.

The second problem is that the spec file creates a world writeable
spool area /var/spool/samba but does not set the t bit. The t bit
should be set on Samba spool directories.

impact:
=======

1) non-privileged users can use wsmbconf to gain read/write access to
any file which is accessible to the root group.

2) non-privileged users can alter the content of documents being
printed by other users. If an interpreter such as ghostscript is used
to process print files then the insertion of exploit code into print
files may allow an attacker to exploit vulnerabilities in the
interpreter to gain access to files owned by users submitting print
jobs.

vulnerable systems:
===================

The wsmbconf vulnerability is known to affect the binary versions of
Samba-1.9.18 distributed with RedHat Linux, Caldera OpenLinux and PHT
TurboLinux.

The /var/spool/samba vulnerability is known to affect all binary
versions of Samba distributed with RedHat from version 4.0 up to
5.2. It is believed to also affect a wide range of Caldera and
TurboLinux versions but specifics are not available at this time.

Systems on which Samba has been built from the distributed source code
(the .tar.gz files) are not vulnerable. Both vulnerabilities are
present only in the packaging files used for particular binary
distributions.

You can tell if your system is vulnerable by looking for a file called
/usr/sbin/wsmbconf. If you have that file then you have a vulnerable
installation.

workaround:
===========

1) All systems on which /usr/sbin/wsmbconf is installed should
immediately remove that file:

            rm -f /usr/sbin/wsmbconf

removing that file will not in any way adversely affect your Samba
installation as the file is not actually part of Samba 1.9.18. It
was included in the distribution inadvertently.

2) All systems which have a /var/spool/samba directory should ensure
that the t bit is set on that directory:

    chmod +t /var/spool/samba

fix:
====

1) The cause of the first problem is the following line in the spec
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:

   %attr(2755,root,root) /usr/sbin/wsmbconf

The 2755 permissions are incorrect. The correct action is to remove
wsmbconf completely from the spec file.


2) The cause of the second problem is the following line in the spec
file used to compile Samba 1.9.18p10 on RedHat and Caldera systems:

   %attr(777,root,root) %dir /var/spool/samba

the line should be changed to read:

   %attr(1777,root,root) %dir /var/spool/samba


updated packages:
================

RedHat and Caldera have released new RPMs on their ftp sites. We expect
PHT to release new RPMs shortly.

The URLs I have been given are:

Caldera
        ftp.caldera.com:/pub/OpenLinux/updates/1.3/007

Redhat
        Red Hat Linux 4.2
            alpha ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rpm
            i386  ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm
            sparc ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rpm
        Red Hat Linux 5.0, 5.1 and 5.2:
            alpha ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rpm
            i386  ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm
            sparc ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rpm

additional:
===========

wsmbconf was included inadvertently in the RedHat spec file as
distributed in Samba 1.9.18 by a Samba Team member. RedHat, Caldera
and PHT are not responsible for this vulnerability, even though only
those systems are affected. The Samba Team apologises to RedHat,
Caldera and PHT users for these mistakes.

These vulnerabilities were discovered during routine inspection of the
spec files. We are not aware of anyone actively exploiting these
vulnerabilities, although exploits are certainly possible.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAgUBNlPFP2NSlURsK/StAQFKRAQAisDAtHMR2hUtiep0YyLTDCAkEC6DzL0b
kz3dgjagx8lo0Qqry6tb3+b5abF+/PNqHlndI2qEOVVamz77IGC9WVhtZIPnCzes
z0sZSnMZ5IxJJTa1BY3L0uAE2+Pgmz3ncsedrh1uDSzPIVph2FT89sqDvNOJpow4
6lQeXHQ7JN8=
=tAPq
-----END PGP SIGNATURE-----

----------------------------------------------------------------
Next Nomikai: 20 November, 19:30   Tengu TokyoEkiMae 03-3275-3691
Next Technical Meeting: 12 December, 12:30 HSBC Securities Office
----------------------------------------------------------------
more info: http://tlug.linux.or.jp Sponsors: PHT, HSBC Securities