Information Security News mailing list archives

Samba flaw threatens Linux file servers


From: InfoSec News <isn () c4i org>
Date: Tue, 8 Apr 2003 06:18:03 -0500 (CDT)

http://news.com.com/2100-1002-995834.html

By Robert Lemos 
Staff Writer, CNET News.com
April 7, 2003

The Samba Team released a patch on Monday for the second major
security flaw found in the past few weeks in the open-source group's
widely used program for sharing Windows files between Unix and Linux
systems.

The security problem could easily let an attacker compromise any Samba
server connected to the Internet. The vulnerability is unrelated to
the previous flaw, for which Samba released a patch on March 17.

"If it was related to the previous flaw, we would have found it when
we audited the code," said Jeremy Allison, co-author of Samba and a
leader of the Samba Team. "This has been in the code for seven or
eight years."

The vulnerability, found by security firm Digital Defense, is already
being used by online attackers to compromise vulnerable servers, the
company warned in an advisory.

"Samba users are urged to check their Samba servers for compromise,"  
the San Antonio-based company stated in the warning. "Samba and
Digital Defense Inc. decided to release their advisories before all
vendors had a chance to update their packages due to this
vulnerability being actively exploited."

Digital Defense found the vulnerability because the security firm had
been monitoring a file server as it was compromised. The company found
the vulnerability that allowed the attacker to gain entry by
reverse-engineering the network data.

Digital Defense verified that the Samba software that runs on major
Linux distributions, as well as on FreeBSD and Sun Microsystems' Solaris
operating system, was affected. Operating system companies have
already started to release their fixes.

However, a hiccup in Digital Defense's release of the advisory has
added a twist to the situation that could make the threat more
serious. While the company noted that some hackers obviously knew of
the method by which the vulnerability could be exploited, it also made
the apparent mistake of posting its own exploit onto its Web site.

The advisory has a link for a section of the Web site with security
tools, one of which is a script written in the Perl programming
language that quickly takes advantage of the security hole. Called
"trans2root.pl," the script causes the compromised computer to return
a root shell, which allows an attacker full access to the victim's
computer.

Rick Fleming, chief technology officer for Digital Defense, said that
someone picked the wrong advisory to post to the company's public Web
site.

"We think it was inadvertent on our part," he said. "We are looking to
remedy that situation. What we intended to release was only an
advisory and not the exploit code."

Apparently, the company produces two copies of advisories: one for
internal use and another for publication. The one that it sent out to
the security community was apparently the former.

Samba's Allison said that's a major problem.

"I am grateful to them; we worked well together up until the release,"  
he said. "I just wish they hadn't released the code the day of the
announcement. If they had waited a week that would have been better."



-
ISN is currently hosted by Attrition.org
