Re: linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org
From: Adam Aube (aaube01_at_baker.edu)
Date: 02/11/04
- Previous message: Vineet Kumar: "Re: whew"
- In reply to: Corey Hickey: "linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: debian-user@lists.debian.org Date: Wed, 11 Feb 2004 16:44:48 -0500
On Wednesday 11 February 2004 03:04 pm, Corey Hickey wrote:
> this affects any Debian installation that uses Linux 2.6
And has smbfs installed - that is the package with smbmnt setUID root.
> Following the instructions on the original report to gain root on a
> vulnerable system (the client) is quite easy.
Provided the attacker is able to introduce a rogue Samba server onto the
network and has a shell account on the target.
> On a temporary basis, this problem can be easily mitigated:
> # chmod u-s `which smbmnt`
> ...but this prevents regular users from smbmounting.
Unless the admin puts the share in /etc/fstab with the "users" option,
which is far better than allowing local users to mount random network
filesystems.
You could file a bug against the smbfs package (since there doesn't seem
to be one already) that /usr/bin/smbmnt being setUID root opens a
security hole, and include the link to the BugTraq report.
Note that if this requires Samba 3 on the client side, then Woody isn't
affected (Woody uses a patched Samba 2.2.3a).
Adam
-- To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
- Previous message: Vineet Kumar: "Re: whew"
- In reply to: Corey Hickey: "linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
