==========================================================
==
== Subject:     Remote Command Injection Vulnerability
==
== CVE ID#:     CVE-2007-2447
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:     Unescaped user input parameters are passed
==              as arguments to /bin/sh allowing for remote
==              command execution
==
==========================================================
===========
Description
===========

This bug was originally reported against the anonymous calls to the
SamrChangePassword() MS-RPC function in combination with the "username map
script" smb.conf option (which is not enabled by default).

After further investigation by Samba developers, it was determined that
the problem was much broader and impacts remote printer and file share
management as well. The root cause is passing unfiltered user input provided
via MS-RPC calls to /bin/sh when invoking external scripts defined in
smb.conf. However, unlike the "username map script" vulnerability, the remote
file and printer management scripts require an authenticated user session.
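The bug class described above, as an added example (not Samba's code and not the fix shipped in 3.0.25): a script path taken from smb.conf and a user name arriving over MS-RPC are joined into the command line for /bin/sh, first raw and then through a backslash-escaping helper. The script path and user name are constructed sample values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (models the smbd defect): the MS-RPC-supplied user name
 * is substituted raw into the script command line handed to /bin/sh. */
int build_cmd_unsafe(char *out, size_t outsz, const char *script, const char *user)
{
    int n = snprintf(out, outsz, "%s %s", script, user);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened helper: backslash-escape every byte outside a small safe set so the
 * shell sees one literal word; reject control characters (a newline would end
 * the command). Returns 0 on success, -1 on rejection or if out is too small. */
int shell_escape(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) return -1;
        int safe = isalnum(*p) || strchr("@%+=:,./-_", *p) != NULL;
        if (!safe) {                      /* prefix metacharacters with '\' */
            if (o + 1 >= outsz) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)*p;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened pattern: escape the RPC argument before substituting it. */
int build_cmd_safe(char *out, size_t outsz, const char *script, const char *user)
{
    char esc[512];
    if (shell_escape(esc, sizeof esc, user) != 0) return -1;
    int n = snprintf(out, outsz, "%s %s", script, esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
int main(void)
{
    /* constructed samples: hypothetical username map script, user name with a separator */
    const char *script = "/usr/local/sbin/usermap.sh", *user = "alice; echo injected";
    char cmd[1024];
    if (build_cmd_unsafe(cmd, sizeof cmd, script, user) == 0) printf("unsafe: %s\n", cmd);
    if (build_cmd_safe(cmd, sizeof cmd, script, user) == 0) printf("safe:   %s\n", cmd);
    return 0;
}
```

With the raw command line, sh runs usermap.sh and then the injected command; with the escaped one, usermap.sh receives the whole string as its single first argument.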
==================
Patch Availability
==================

A patch against Samba 3.0.24 has been posted at
http://www.samba.org/samba/security/
==========
Workaround
==========

This defect may be alleviated by removing all defined external script
invocations (username map script, add printer command, etc...) from
smb.conf.

The Samba Team always encourages users to run the latest stable release as
a defense against attacks. If this is not immediately possible,
administrators should read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html
--------------------------------------------------------------------------
Samba 3.0.25 release
Major features included in the 3.0.25 code base include:
o Significant improvements in the winbind off-line logon support.
o Support for secure DDNS updates as part of the 'net ads join' process.
o Rewritten IdMap interface which allows for TTL based caching and
  per domain backends.
o New plug-in interface for the "winbind nss info" parameter.
o New file change notify subsystem which is able to make use of
  inotify on Linux.
o Support for passing Windows security descriptors to a VFS plug-in
  allowing for multiple Unix ACL implementations to run side by side
  on the same server.
o Improved compatibility with Windows Vista clients including
  improved read performance with Linux servers.
o Man pages for IdMap and VFS plug-ins.
Security Fixes included in the Samba 3.0.25 release are:

o CVE-2007-2444
  Versions: Samba 3.0.23d - 3.0.25pre2
  Local SID/Name translation bug can result in user privilege elevation
o CVE-2007-2446
  Versions: Samba 3.0.0 - 3.0.24
  Multiple heap overflows allow remote code execution
o CVE-2007-2447
  Versions: Samba 3.0.0 - 3.0.24
  Unescaped user input parameters are passed as arguments to /bin/sh
  allowing for remote command execution
Off-line Logons and AD Site Support
===================================

Winbind's capability to support offline logons has been greatly improved
with the 3.0.25 release including support for locating domain controllers
asynchronously using Active Directory Site information.
New IdMap Interface for Winbindd
================================

The 3.0.25 release of Samba includes a rewritten IdMap interface for
winbindd which replaces the "idmap backend" parameter. Please refer to the
"idmap domains" description in the smb.conf(5) man page for more details.
Dynamic DNS Updates
===================

The "net ads join" command is now able to register the host's DNS A
records with Windows 2000 SP4 and 2003 DNS servers. This feature must be
enabled at compile time using the --with-dnsupdate option when running the
./configure script. There is also a related "net ads dns" command for
refreshing a host's records which could be launched from a DHCP client script
when a new IP address is obtained.
Support for Additional ACL Modules
==================================

Samba's POSIX ACL support has been moved inside of the VFS layer which
means it is now possible to support multiple ACL implementations on the same
server including NFSv4 and GPFS ACLs.
VFS ReadAhead Plugin
====================

Windows Vista introduces pipe-lined read support for improved performance
when transferring files. The new vfs_readahead plugin allows Linux file
servers to utilize additional kernel buffers for caching files in order to
avoid disk I/O wait time when serving Vista clients. If you experience poor
read performance between Linux servers and Vista clients, please test the
vfs_readahead module by adding the following lines to the share definition
in smb.conf:

    [file_share]
        vfs objects = readahead

Note that this plugin will result in additional RAM requirements due to
the increased amount of kernel buffer caches used by smbd. Please refer to
vfs_readahead(8) for more information.
Windows Vista, Office 2007, and Offline Files
=============================================

Research surrounding offline files, Windows Vista, and Microsoft Office
2007 has revealed an incompatibility between these applications and the "map
acl inherit = no" setting in smb.conf. Users requiring support for client side
caching (csc) and offline files are encouraged to enable "map acl inherit" for
any affected share definitions in the server's configuration. Future versions
of Samba will enable this setting by default.

Please refer to the smb.conf(5) man page for more details on "map acl
inherit".
Related link: http://samba.org