__________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          Samba Security Vulnerability

July 5, 2001 17:00 GMT                                            Number L-105
Revised 9 July 2001
______________________________________________________________________________
PROBLEM:       Security vulnerability in all versions of Samba that allows an 
               attacker to gain root access. 
PLATFORM:      Any operating system running Samba.
DAMAGE:        A remote attacker can use a netbios name containing unix path 
               characters which will then be substituted into the %m macro 
               wherever it occurs in smb.conf. This can be used to cause Samba 
               to create a log file on top of an important system file, which 
               in turn can be used to compromise security on the server. 
SOLUTION:      Change smb.conf configuration file, or update to most recent 
               release of Samba. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The vulnerability can be exploited either 
ASSESSMENT:    locally, or in some cases remotely, that can provide root 
               access. 
______________________________________________________________________________

[******  Start Samba Bulletin ******]

Security Vulnerability

		IMPORTANT: Security bugfix for Samba
		------------------------------------

June 23rd 2001


Summary
-------

A serious security hole has been discovered in all versions of Samba
that allows an attacker to gain root access on the target machine for
certain types of common Samba configuration.

The immediate fix is to edit your smb.conf configuration file and
remove all occurances of the macro "%m". Replacing occurances of %m
with %I is probably the best solution for most sites.

Details
-------

A remote attacker can use a netbios name containing unix path
characters which will then be substituted into the %m macro wherever
it occurs in smb.conf. This can be used to cause Samba to create a log
file on top of an important system file, which in turn can be used to
compromise security on the server.

The most commonly used configuration option that can be vulnerable to
this attack is the "log file" option. The default value for this
option is VARDIR/log.smbd. If the default is used then Samba is not
vulnerable to this attack.

The security hole occurs when a log file option like the following is
used:

  log file = /var/log/samba/%m.log

In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the
server.

If your Samba configuration has something like the following:

  log file = /var/log/samba/%m

Then the attacker could successfully compromise your server remotely
as no symbolic link is required. This type of configuration is very
rare.

The most commonly used log file configuration containing %m is the
distributed in the sample configuration file that comes with Samba:

  log file = /var/log/samba/log.%m

in that case your machine is not vulnerable to this attack unless you
happen to have a subdirectory in /var/log/samba/ which starts with the
prefix "log."

Credit
------

Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
vulnerability.


New Release
-----------

While we recommend that vulnerable sites immediately change their
smb.conf configuration file to prevent the attack we will also be
making new releases of Samba within the next 24 hours to properly fix
the problem. Please see http://www.samba.org/ for the new releases.

Please report any attacks to the appropriate authority.

	The Samba Team
	security@samba.org

[******  End Samba Bulletin ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Samba for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-095: Microsoft SQL Query Method Vulnerability
L-096: Red Hat LPRng Vulnerability
L-097: Cisco 6400 NRP2 telnet Vulnerability
L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
L-099: SGI PCP Pmpost Symlink Vulnerability
L-100: FrontPage Sub-Component Vulnerability
L-101: Microsoft LDAP over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow