Vulnerability Note VU#268336

Samba command injection vulnerability

Original Release date: 14 May 2007 | Last revised: 21 Jul 2008

Overview

Samba fails to properly filter input to /bin/sh. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code on a Samba server.

Description

Samba provides file and print services for Microsoft Windows, Unix, Linux, and OS X clients. Samba can also act as a Primary Domain Controller (PDC) or as a Domain Member. Samba runs on most Unix-like systems.

Samba versions prior to 3.0.24 pass unchecked user input from RPC messages to /bin/sh when calling externals scripts that are listed in the Samba configuration file. An attacker may be able to exploit this vulnerability by sending specially crafted RPC messages to a vulnerable server.

This vulnerability occurred as a result of failing to comply with recommndation STR02-C of the CERT C Programming Language Secure Coding Standard.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands.

Solution

Apply a patch or upgrade
These vulnerabilities are addressed in Samba version 3.0.25. In addition, patches are available to address this vulnerability in Samba version 3.0.24. Refer to the Samba Security Releases website for more information.

Do not load external shell scripts


From the CVE-2007-2447 entry on the Samba security page:

    This defect may be alleviated by removing all defined external script invocations (username map script, add printer command, etc...) from smb.conf.

Restrict access

Limiting access to the Samba server to trusted hosts may mitigate this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Affected14 May 200730 Jul 2007
Debian GNU/LinuxAffected14 May 200730 Jul 2007
Gentoo LinuxAffected14 May 200716 May 2007
Red Hat, Inc.Affected14 May 200715 May 2007
SambaAffected-14 May 2007
Slackware Linux Inc.Affected14 May 200716 May 2007
Sun Microsystems, Inc.Affected14 May 200715 May 2007
UbuntuAffected14 May 200716 May 2007
Novell, Inc.Not Affected14 May 200701 Jun 2007
Conectiva Inc.Unknown14 May 200714 May 2007
Cray Inc.Unknown14 May 200714 May 2007
EMC, Inc. (formerly Data General Corporation)Unknown14 May 200714 May 2007
Engarde Secure LinuxUnknown14 May 200714 May 2007
F5 Networks, Inc.Unknown14 May 200714 May 2007
Fedora ProjectUnknown14 May 200714 May 2007
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Joshua J. Drake, iDefense Labs, and the Samba team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2007-2447
  • Date Public: 14 May 2007
  • Date First Published: 14 May 2007
  • Date Last Updated: 21 Jul 2008
  • Severity Metric: 7.44
  • Document Revision: 41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.