==========================================================
==
== Subject: Remote Command Injection Vulnerability
== CVE ID#: CVE-2007-2447
==
== Versions: Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary: Unescaped user input parameters are passed
== as arguments to /bin/sh allowing for remote
== command execution
==
==========================================================

===========
Description
===========

This bug was originally reported against the anonymous calls
to the SamrChangePassword() MS-RPC function in combination
with the "username map script" smb.conf option (which is not
enabled by default).

After further investigation by Samba developers, it was
determined that the problem was much broader and impacts
remote printer and file share management as well. The root
cause is passing unfiltered user input provided via MS-RPC
calls to /bin/sh when invoking external scripts defined
in smb.conf. However, unlike the "username map script"
vulnerability, the remote file and printer management scripts
require an authenticated user session.
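As an added illustration of the root cause (this is not Samba's code), the following C contrasts the unsafe pattern of handing a user-controlled name to /bin/sh -c "script name" with two defensive measures: an allowlist check on the name, and an execv()-based invocation in which the name is a single argv element that no shell ever parses. The function names and the 64-character limit are assumptions made for the example.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a name bound for an external script (hypothetical helper):
 * only [A-Za-z0-9._-] passes, so ';', '`', '$', '|', quotes and whitespace
 * can never reach a shell even if a caller still used one. */
int is_shell_safe_name(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 64)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Run `script name` via execv() instead of /bin/sh -c "script name": the name
 * is one argv element, so the shell's metacharacters are never interpreted.
 * The child's stdout is captured into out (NUL-terminated); returns its exit
 * status, or -1 if the pipe, fork or wait failed. */
int run_script_noshell(const char *script, const char *name, char *out, size_t outlen)
{
    int fds[2], status; pid_t pid;
    ssize_t r; size_t used = 0;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        char *const argv[] = { (char *)script, (char *)name, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(script, argv);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent: drain the pipe to EOF */
    while (used + 1 < outlen && (r = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With /bin/echo standing in for the configured script, a name containing ';' comes back verbatim on a single line, which shows that nothing after the separator was run as a command.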

==================
Patch Availability
==================

A patch against Samba 3.0.24 has been posted at

http://www.samba.org/samba/security/

==========
Workaround
==========

This defect may be alleviated by removing all defined
external script invocations (username map script, add
printer command, etc...) from smb.conf.

The Samba Team always encourages users to run the latest
stable release as a defense against attacks. If this
is not immediately possible, administrators should read
the "Server Security" documentation found at

http://www.samba.org/samba/docs/server_security.html

--------------------------------------------------------------------------

Samba 3.0.25 release

Major features included in the 3.0.25 code base include:

o Significant improvements in the winbind off-line logon support.
o Support for secure DDNS updates as part of the 'net ads join'
process.
o Rewritten IdMap interface which allows for TTL based caching and
per domain backends.
o New plug-in interface for the "winbind nss info" parameter.
o New file change notify subsystem which is able to make use of
inotify on Linux.
o Support for passing Windows security descriptors to a VFS
plug-in allowing for multiple Unix ACL implementations to run side
by side on the same server.
o Improved compatibility with Windows Vista clients including
improved read performance with Linux servers.
o Man pages for IdMap and VFS plug-ins.

Security Fixes included in the Samba 3.0.25 release are:

o CVE-2007-2444
Versions: Samba 3.0.23d - 3.0.25pre2
Local SID/Name translation bug can result in
user privilege elevation

o CVE-2007-2446
Versions: Samba 3.0.0 - 3.0.24
Multiple heap overflows allow remote code execution

o CVE-2007-2447
Versions: Samba 3.0.0 - 3.0.24
Unescaped user input parameters are passed as
arguments to /bin/sh allowing for remote command
execution

Off-line Logons and AD Site Support
===================================

Winbind's capability to support offline logons has been greatly
improved with the 3.0.25 release including support for locating
domain controllers asynchronously using Active Directory Site
information.

New IdMap Interface for Winbindd
================================

The 3.0.25 release of Samba includes a rewritten IdMap interface
for winbindd which replaces the "idmap backend" parameter. Please
refer to the "idmap domains" description in the smb.conf(5) man
page for more details.

Dynamic DNS Updates
===================

The "net ads join" command is now able to register the host's DNS A
records with Windows 2000 SP4 and 2003 DNS servers. This
feature must be enabled at compile time using the --with-dnsupdate
option when running the ./configure script. There is also a related "net ads
dns" command for refreshing a host's records which could be launched
from a DHCP client script when a new IP address is obtained.

Support for Additional ACL Modules
==================================

Samba's POSIX ACL support has been moved inside of the VFS layer
which means it is now possible to support multiple ACL implementations
on the same server including NFSv4 and GPFS ACLs.

VFS ReadAhead Plugin
====================

Windows Vista introduces pipe-lined read support for improved
performance when transferring files. The new vfs_readahead plugin
allows Linux file servers to utilize additional Kernel buffers
for caching files in order to avoid Disk I/O wait time when serving
Vista clients. If you experience poor read performance between
Linux servers and Vista clients, please test the vfs_readahead
module by adding the following lines to the share definition
in smb.conf:

[file_share]
vfs objects = readahead

Note that this plugin will result in additional RAM requirements
due to the increased amount of kernel buffer caches used by smbd.
Please refer to vfs_readahead(8) for more information.

Windows Vista, Office 2007, and Offline Files
=============================================

Research surrounding offline files, Windows Vista, and Microsoft
Office 2007 has revealed an incompatibility between these
applications and the "map acl inherit = no" setting in smb.conf.
Users requiring support for client-side caching (CSC) and offline
files are encouraged to enable "map acl inherit" for any
affected share definitions in the server's configuration.
Future versions of Samba will enable this setting by default.

Please refer to the smb.conf(5) man page for more details on
"map acl inherit".

Related link: http://samba.org

  1. first4you 2007.05.26 18:49

    Samba 3.0.25a release

    =====================
    Release Announcements
    =====================

    This is the second production release of the Samba 3.0.25 code
    base and is the version that servers should be run for all
    current bug fixes.

    Major bug fixes included in Samba 3.0.25a are:

    o Missing supplementary Unix group membership when using "force group".
    o Premature expiration of domain user passwords when using a Samba domain controller.
    o Failure to open the Windows object picker against a server configured to use
    "security = domain".
    o Authentication failures when using "security = server".


    Changes to MS-DFS Root Share Behavior
    =====================================

    Please be aware that the initial value for the "msdfs root" share parameter was changed
    in the 3.0.25 release series and that this option is now disabled by default. Windows
    clients frequently require a reboot in order to clear any cached information about
    MS-DFS root shares on a server and you may experience failures accessing file services
    on Samba 3.0.25 servers until the client reboot is performed. Alternately, you may
    explicitly re-enable the parameter in smb.conf.
    Please refer to the smb.conf(5) man page for more details.



    ================
    Download Details
    ================

    The uncompressed tarballs and patch files have been signed
    using GnuPG (ID 6568B7EA). The source code can be downloaded
    from:

    http://download.samba.org/samba/ftp/

    The release notes are available online at:

    http://www.samba.org/samba/history/samba-3.0.25a.html

    Binary packages are available at

    http://download.samba.org/samba/ftp/Binary_Packages/

    Our Code, Our Bugs, Our Responsibility.
    (https://bugzilla.samba.org/)

  2. first4you 2007.06.28 02:57

    =====================
    Release Announcements
    =====================

    This is the third production release of the Samba 3.0.25 code
    base and is the version that servers should be run for all
    current bug fixes.

    Major bug fixes included in Samba 3.0.25b are:

    o Offline caching of files with Windows XP/Vista clients.
    o Improper cleanup of expired or invalid byte range locks
    on files.
    o Crashes in idmap_ldap and idmap_rid.


    Changes to 'net idmap dump'
    ===========================

    A change in command line syntax and behavior was introduced in the
    3.0.25 release series where the command

    $ net idmap dump /.../path/to/idmap.tdb

    would overwrite the tdb instead of dumping its contents to standard
    output as was the case in releases prior to Samba 3.0.25. The
    change has been reverted in 3.0.25b and the semantics from 3.0.24
    and earlier releases have been restored.


    ================
    Download Details
    ================

    The uncompressed tarballs and patch files have been signed
    using GnuPG (ID 6568B7EA). The source code can be downloaded
    from:

    http://download.samba.org/samba/ftp/

    The release notes are available online at:

    http://www.samba.org/samba/history/samba-3.0.25b.html

    Binary packages are available at

    http://download.samba.org/samba/ftp/Binary_Packages/

    Our Code, Our Bugs, Our Responsibility.
    (https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team
