lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0402091456350.6807@fuzzy.slackware.com>
Date: Mon, 9 Feb 2004 15:07:38 -0800 (PST)
From: "Patrick J. Volkerding" <security@...ckware.com>
To: Seth Arnold <sarnold@...ex.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Samba 3.x + kernel 2.6.x local root vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Mon, 9 Feb 2004, Seth Arnold wrote:
> On Mon, Feb 09, 2004 at 10:23:03PM +0100, Michal Medvecky wrote:
> > Confirmed to work on all 2.6.x kernels, not confirmed on 2.4.x.
>
> I haven't got a clue what you're trying to accomplish. If you don't want
> a setuid execute, DON'T RUN chmod +s! You don't even need samba to
> accomplish this:

Note that two machines are involved here, the server (sharing the setuid
binary), and the client (the victim, which mounts the share and runs the
binary;  the attacker must have a local account here).

The problem stems from the setuid root smbmnt.  When you install Samba
from source, /usr/bin/smbmnt is not setuid root by default, but several
Linux distributions seem to ship it this way (Slackware does not).  With
smbmnt setuid root, any user with a local account can gain root if they
can set up a Samba server that can be mounted from the victim machine.

At the least, if you're going to run smbmnt setuid root, you should make
an smbmnt group and only allow group members to execute it.  The members
of the group could still exploit this hole, but not other users.

Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAKBK+akRjwEAQIjMRAhl3AJ9xL0tWhZuP7poPVhY1tQ4SmKTi4ACfetQm
g8ktzk0I4h4q2AyJs67sESY=
=49Nk
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ