Bugtraq mailing list archives
Re: Samba 3.x + kernel 2.6.x local root vulnerability
From: "Patrick J. Volkerding" <security () slackware com>
Date: Mon, 9 Feb 2004 15:07:38 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 9 Feb 2004, Seth Arnold wrote:

> On Mon, Feb 09, 2004 at 10:23:03PM +0100, Michal Medvecky wrote:
> > Confirmed to work on all 2.6.x kernels, not confirmed on 2.4.x.
>
> I haven't got a clue what you're trying to accomplish. If you don't want
> a setuid execute, DON'T RUN chmod +s! You don't even need samba to
> accomplish this:

Note that two machines are involved here, the server (sharing the setuid binary), and the client (the victim, which mounts the share and runs the binary; the attacker must have a local account here).

The problem stems from the setuid root smbmnt. When you install Samba from source, /usr/bin/smbmnt is not setuid root by default, but several Linux distributions seem to ship it this way (Slackware does not). With smbmnt setuid root, any user with a local account can gain root if they can set up a Samba server that can be mounted from the victim machine.

At the least, if you're going to run smbmnt setuid root, you should make an smbmnt group and only allow group members to execute it. The members of the group could still exploit this hole, but not other users.

Pat

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAKBK+akRjwEAQIjMRAhl3AJ9xL0tWhZuP7poPVhY1tQ4SmKTi4ACfetQm
g8ktzk0I4h4q2AyJs67sESY=
=49Nk
-----END PGP SIGNATURE-----
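A defensive check for the condition described in the message above, added here as an example and not part of the original post. It reports whether a mount helper such as /usr/bin/smbmnt carries the setuid bit and whether users outside its group can execute it. The function names are hypothetical, and mode 4750 is an assumed way to implement the group restriction the message suggests.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid mount helpers.
# classify_helper prints one of:
#   missing | not-setuid | setuid-world-exec | setuid-restricted

classify_helper() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # [ -u ] is true when the setuid bit is set on the file.
    [ -u "$f" ] || { echo not-setuid; return 0; }
    # find -perm -0001 matches only when "other" has execute permission.
    if [ -n "$(find "$f" -prune -perm -0001 -print)" ]; then
        echo setuid-world-exec
    else
        echo setuid-restricted
    fi
}

# Print (do not run) the commands that confine a setuid helper to one group.
# Group name "smbmnt" follows the message; mode 4750 is an assumption:
# owner rwx + setuid, group r-x, no access for anyone else.
print_restriction() {
    f=$1
    grp=${2:-smbmnt}
    echo "groupadd $grp"
    echo "chgrp $grp $f"
    echo "chmod 4750 $f"
}

# Report each helper with its numeric owner; uid 0 plus setuid-world-exec
# is the configuration the message warns about.
audit_helpers() {
    for f in "$@"; do
        state=$(classify_helper "$f")
        uid=$(ls -ldn "$f" 2>/dev/null | awk '{print $3}')
        printf '%s: %s (owner uid %s)\n' "$f" "$state" "${uid:--}"
        if [ "$state" = setuid-world-exec ]; then
            print_restriction "$f" | sed 's/^/  suggested: /'
        fi
    done
}

# Usage: sh audit.sh /usr/bin/smbmnt
if [ "$#" -gt 0 ]; then
    audit_helpers "$@"
fi
```

As the message notes, members of the group can still abuse the helper, so removing the setuid bit entirely is the stronger fix where unprivileged mounting is not required.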