|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#268336
Samba command injection vulnerability
OverviewSamba fails to properly filter input to /bin/sh. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code on a Samba server.
I. DescriptionSamba provides file and print services for Microsoft Windows, Unix, Linux, and OS X clients. Samba can also act as a Primary Domain Controller (PDC) or as a Domain Member. Samba runs on most Unix-like systems.
Samba versions prior to 3.0.24 pass unchecked user input from RPC messages to /bin/sh when calling externals scripts that are listed in the Samba configuration file. An attacker may be able to exploit this vulnerability by sending specially crafted RPC messages to a vulnerable server.
This vulnerability occurred as a result of failing to comply with recommndation STR02-C of the CERT C Programming Language Secure Coding Standard.
II. ImpactA remote, unauthenticated attacker may be able to execute arbitrary commands.
III. SolutionApply a patch or upgrade
These vulnerabilities are addressed in Samba version 3.0.25. In addition, patches are available to address this vulnerability in Samba version 3.0.24. Refer to the Samba Security Releases website for more information.
Do not load external shell scripts
From the CVE-2007-2447 entry on the Samba security page:
This defect may be alleviated by removing all defined external script invocations (username map script, add printer command, etc...) from smb.conf.
Restrict access
Limiting access to the Samba server to trusted hosts may mitigate this vulnerability.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| Apple Computer, Inc. | Vulnerable | 30-Jul-2007 |
| Conectiva Inc. | Unknown | 14-May-2007 |
| Cray Inc. | Unknown | 14-May-2007 |
| Debian GNU/Linux | Vulnerable | 30-Jul-2007 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 14-May-2007 |
| Engarde Secure Linux | Unknown | 14-May-2007 |
| F5 Networks, Inc. | Unknown | 14-May-2007 |
| Fedora Project | Unknown | 14-May-2007 |
| FreeBSD, Inc. | Unknown | 14-May-2007 |
| Fujitsu | Unknown | 14-May-2007 |
| Gentoo Linux | Vulnerable | 16-May-2007 |
| Hewlett-Packard Company | Unknown | 14-May-2007 |
| Hitachi | Unknown | 14-May-2007 |
| IBM Corporation | Unknown | 14-May-2007 |
| IBM Corporation (zseries) | Unknown | 14-May-2007 |
| IBM eServer | Unknown | 14-May-2007 |
| Immunix Communications, Inc. | Unknown | 14-May-2007 |
| Ingrian Networks, Inc. | Unknown | 14-May-2007 |
| Juniper Networks, Inc. | Unknown | 14-May-2007 |
| Mandriva, Inc. | Unknown | 14-May-2007 |
| Microsoft Corporation | Unknown | 14-May-2007 |
| MontaVista Software, Inc. | Unknown | 14-May-2007 |
| NEC Corporation | Unknown | 14-May-2007 |
| NetBSD | Unknown | 14-May-2007 |
| Nokia | Unknown | 14-May-2007 |
| Novell, Inc. | Not Vulnerable | 1-Jun-2007 |
| OpenBSD | Unknown | 14-May-2007 |
| Openwall GNU/*/Linux | Unknown | 14-May-2007 |
| QNX, Software Systems, Inc. | Unknown | 14-May-2007 |
| Red Hat, Inc. | Vulnerable | 15-May-2007 |
| Samba | Vulnerable | 14-May-2007 |
| Silicon Graphics, Inc. | Unknown | 14-May-2007 |
| Slackware Linux Inc. | Vulnerable | 16-May-2007 |
| Sony Corporation | Unknown | 14-May-2007 |
| Sun Microsystems, Inc. | Vulnerable | 15-May-2007 |
| SUSE Linux | Unknown | 14-May-2007 |
| The SCO Group | Unknown | 14-May-2007 |
| Trustix Secure Linux | Unknown | 14-May-2007 |
| Turbolinux | Unknown | 14-May-2007 |
| Ubuntu | Vulnerable | 16-May-2007 |
| Unisys | Unknown | 14-May-2007 |
| Wind River Systems, Inc. | Unknown | 14-May-2007 |
References
https://www.securecoding.cert.org/confluence/x/-AY
http://samba.org/samba/history/security.html
http://us4.samba.org/samba/ftp/patches/security/samba-3.0.24-CVE-2007-2447.patch
http://www.samba.org
http://secunia.com/advisories/25232/
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
http://docs.info.apple.com/article.html?artnum=306172
Credit
Thanks to Joshua J. Drake, iDefense Labs, and the Samba team for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| Date Public: | 2007-05-14 |
| Date First Published: | 2007-05-14 |
| Date Last Updated: | 2008-07-21 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2007-2447 |
| NVD-ID(s): | CVE-2007-2447 |
| US-CERT Technical Alerts: | |
| Metric: | 7.44 |
| Document Revision: | 41 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader