Message-ID: <45C7306E.4000607@samba.org>
Date: Mon, 05 Feb 2007 07:26:06 -0600
From: "Gerald (Jerry) Carter" <jerry@...ba.org>
To: bugtraq@...urityfocus.com
Cc: security@...ba.org
Subject: [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS
 plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:     Format string bug in afsacl.so VFS plugin.
== CVE ID#:     CVE-2007-0454
==
== Versions:    The AFS ACL mapping VFS plugin distributed
==		in Samba 3.0.6 - 3.0.23d (inclusive)
==
== Summary:     The name of a file on the server's share
==		is used as the format string when setting
==		an NT security descriptor through the
==		afsacl.so VFS plugin.
==
==========================================================

===========
Description
===========

NOTE: This security advisory only impacts Samba servers
that share AFS file systems to CIFS clients and which have
been explicitly instructed in smb.conf to load the afsacl.so
VFS module.

The source defect results in the name of a file stored on
disk being used as the format string in a call to snprintf().
This bug becomes exploitable only when a user is able
to write to a share which utilizes Samba's afsacl.so library
for setting Windows NT access control lists on files residing
on an AFS file system.


==================
Patch Availability
==================

A patch against Samba 3.0.23d has been attached to this
email.  This fix has been incorporated into the Samba 3.0.24
release.  Patches are also available from the Samba Security
page (http://www.samba.org/samba/security).


==========
Workaround
==========

An unpatched server may be protected by removing all
references to the afsacl.so VFS module from shares in
smb.conf.


=======
Credits
=======

This vulnerability was reported (including a proposed patch)
to Samba developers by <zybadawg333@...hmail.com>.  Much thanks
to zybadawg333 for the cooperation and patience in the
announcement of this defect.  The time line is as follows:

* Jan 8, 2007: Defect first reported to the security@...ba.org
  email alias.
* Jan 8, 2007: Initial developer response by Jeremy Allison
  confirming the issue.
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFxzBuIR7qMdg1EfYRAo60AJ0XPkH0pkfsmxIAVF1HxgqFl3qyXQCgzAg/
VdQre1squwORUgRaNA2F3rU=
=93rK
-----END PGP SIGNATURE-----

View attachment "afsacl.patch" of type "text/plain" (482 bytes)

View attachment "afsacl.patch.asc" of type "text/plain" (198 bytes)
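
Added example (not part of the Samba advisory and not Samba project code): a check for the workaround above, listing the smb.conf sections whose "vfs objects" setting (or its synonym "vfs object") loads afsacl. The function names and the sample configuration are constructed for illustration; the script assumes one parameter per line and does not follow "include =" files or backslash line continuations.

```shell
#!/bin/sh
# Added example: report smb.conf sections that load the afsacl VFS module.
# A hit in [global] matters most: that setting is the default for every share.
find_afsacl_sections() {            # $1 = path to smb.conf
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                  # names ignore case and spaces
            if (key != "vfsobjects" && key != "vfsobject") next
            n = split(tolower(substr($0, eq + 1)), mods, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                m = mods[i]
                sub(/^.*\//, "", m); sub(/\.so$/, "", m)   # accept afsacl.so too
                if (m == "afsacl") { print sec; break }
            }
        }
    ' "$1"
}

make_sample() {                     # constructed sample, not a real server config
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
[afs-home]
   path = /afs/example.org/home
   vfs objects = recycle afsacl
[scratch]
   path = /srv/scratch
   ; vfs objects = afsacl
   VFS Object = recycle
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
find_afsacl_sections "$tmp"         # sections that still need the workaround or the patch
rm -f "$tmp"
```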
