
Re: linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?



On Wednesday 11 February 2004 03:04 pm, Corey Hickey wrote:
> this affects any Debian installation that uses Linux 2.6

And has smbfs installed - that is the package with smbmnt setUID root.

> Following the instructions on the original report to gain root on a
> vulnerable system (the client) is quite easy.

Provided the attacker is able to introduce a rogue Samba server onto the 
network and has a shell account on the target.

> On a temporary basis, this problem can be easily mitigated:
> # chmod u-s `which smbmnt`
> ...but this prevents regular users from smbmounting.

Unless the admin puts the share in /etc/fstab with the "users" option, 
which is far better than allowing local users to mount random network 
filesystems.

You could file a bug against the smbfs package (since there doesn't seem 
to be one already) that /usr/bin/smbmnt being setUID root opens a 
security hole, and include the link to the BugTraq report.

Note that if this requires Samba 3 on the client side, then Woody isn't 
affected (Woody uses a patched Samba 2.2.3a).

Adam
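
An audit for the two conditions discussed in this message, added here as an example and not part of the original post: it reports whether smbmnt still carries the setuid bit and lists the smbfs shares an admin has made user-mountable in fstab. The function names are hypothetical; the binary and fstab paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread): check a host for the
# setuid smbmnt exposure and for admin-defined user-mountable smbfs shares.

# has_setuid FILE: succeed if FILE is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# user_mountable_smbfs FSTAB: print the mount point of every smbfs entry
# whose option field contains "user" or "users".
user_mountable_smbfs() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $3 == "smbfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "user" || opt[i] == "users") { print $2; break }
        }
    ' "$1"
}

# audit_smbmnt BINARY FSTAB: print findings; return 1 if BINARY is setuid.
audit_smbmnt() {
    if has_setuid "$1"; then
        echo "WARN: $1 is setuid; local users can mount arbitrary SMB shares"
        status=1
    else
        echo "OK: $1 is not setuid"
        status=0
    fi
    user_mountable_smbfs "$2" | while read -r mp; do
        echo "INFO: admin-defined user mount: $mp"
    done
    return "$status"
}

# Example invocation: sh audit.sh /usr/bin/smbmnt /etc/fstab
if [ "$#" -eq 2 ]; then
    audit_smbmnt "$1" "$2"
fi
```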


