[ISN] Samba flaw threatens Linux file servers

From: InfoSec News (isnat_private)
Date: Tue Apr 08 2003 - 04:18:03 PDT


    http://news.com.com/2100-1002-995834.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    April 7, 2003
    
    The Samba Team released a patch on Monday for the second major
    security flaw found in the past few weeks in the open-source group's
    widely used program for sharing Windows files between Unix and Linux
    systems.
    
    The security problem could easily let an attacker compromise any Samba
    server connected to the Internet. The vulnerability is unrelated to
    the previous flaw, for which Samba released a patch on March 17.
    
    "If it was related to the previous flaw, we would have found it when
    we audited the code," said Jeremy Allison, co-author of Samba and a
    leader of the Samba Team. "This has been in the code for seven or
    eight years."
    
    The vulnerability, found by security firm Digital Defense, is already
    being used by online attackers to compromise vulnerable servers, the
    company warned in an advisory.
    
    "Samba users are urged to check their Samba servers for compromise,"  
    the San Antonio-based company stated in the warning. "Samba and
    Digital Defense Inc. decided to release their advisories before all
    vendors had a chance to update their packages due to this
    vulnerability being actively exploited."
    
    Digital Defense found the vulnerability because the security firm had
    been monitoring a file server as it was compromised. The company found
    the vulnerability that allowed the attacker to gain entry by
    reverse-engineering the network data.
    
    Digital Defense verified that the Samba software that runs on major
    Linux distributions, as well as on FreeBSD and Sun Microsystems'
    Solaris operating system, was affected. Operating system companies
    have already started to release their fixes.
    
    However, a hiccup in Digital Defense's release of the advisory has
    added a twist to the situation that could make the threat more
    serious. While the company noted that some hackers obviously knew of
    the method by which the vulnerability could be exploited, it also made
    the apparent mistake of posting its own exploit onto its Web site.
    
    The advisory has a link for a section of the Web site with security
    tools, one of which is a script written in the Perl programming
    language that quickly takes advantage of the security hole. Called
    "trans2root.pl," the script causes the compromised computer to return
    a root shell, which allows an attacker full access to the victim's
    computer.
    
    Rick Fleming, chief technology officer for Digital Defense, said that
    someone picked the wrong advisory to post to the company's public Web
    site.
    
    "We think it was inadvertent on our part," he said. "We are looking to
    remedy that situation. What we intended to release was only an
    advisory and not the exploit code."
    
    Apparently, the company produces two copies of advisories: one for
    internal use and another for publication. The one that it sent out to
    the security community was apparently the former.
    
    Samba's Allison said that's a major problem.
    
    "I am grateful to them; we worked well together up until the release,"  
    he said. "I just wish they hadn't released the code the day of the
    announcement. If they had waited a week that would have been better."
    