Re: linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org
On Wednesday 11 February 2004 03:04 pm, Corey Hickey wrote:
> this affects any Debian installation that uses Linux 2.6
And has smbfs installed - that is the package with smbmnt setUID root.
> Following the instructions on the original report to gain root on a
> vulnerable system (the client) is quite easy.
Provided the attacker is able to introduce a rogue Samba server onto the
network and has a shell account on the target.
> On a temporary basis, this problem can be easily mitigated:
> # chmod u-s `which smbmnt`
> ...but this prevents regular users from smbmounting.
Unless the admin puts the share in /etc/fstab with the "users" option,
which is far better than allowing local users to mount random network
filesystems.
You could file a bug against the smbfs package (since there doesn't seem
to be one already) that /usr/bin/smbmnt being setUID root opens a
security hole, and include the link to the BugTraq report.
Note that if this requires Samba 3 on the client side, then Woody isn't
affected (Woody uses a patched Samba 2.2.3a).
Adam
Reply to: