[Samba] CVE-2008-1105 - clarification request - Samba


Thread: [Samba] CVE-2008-1105 - clarification request

  1. [Samba] CVE-2008-1105 - clarification request

    Hi,

    The announcement states:

    "Secunia Research reported a vulnerability that allows for
    the execution of arbitrary code in smbd"

    Does this mean arbitrary code executed "as root" or as the user that is
    authenticated after smbd drops privileges?

    Does this affect samba 2.x as well? What versions?

    Best regards
    Gustavo

    --
    Angulo Sólido - Tecnologias de Informação
    http://angulosolido.pt
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] CVE-2008-1105 - clarification request


    Gustavo Homem wrote:
    > Hi,
    >
    > The announcement states:
    >
    > "Secunia Research reported a vulnerability that allows for
    > the execution of arbitrary code in smbd"
    >
    > Does this mean arbitrary code executed "as root" or as the user that is
    > authenticated after smbd drops privileges?


    Potentially either. smbd never drops privileges and can always
    re-become root.

    > Does this affect samba 2.x as well? What versions?


    Technically affects Samba 2.2.4 and later, but Samba 2.2
    reached EOL several years ago.




    cheers, jerry
    --
    =====================================================================
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian

  3. Re: [Samba] CVE-2008-1105 - clarification request

    On Friday 06 June 2008 19:49, Gerald (Jerry) Carter wrote:
    > Gustavo Homem wrote:
    > > Hi,
    > >
    > > The announcement states:
    > >
    > > "Secunia Research reported a vulnerability that allows for
    > > the execution of arbitrary code in smbd"
    > >
    > > Does this mean arbitrary code executed "as root" or as the user that is
    > > authenticated after smbd drops privileges?

    >
    > Potentially either. smbd never drops privileges and can always
    > re-become root.


    Are you sure about this?

    ├─smbd─┬─2*[smbd]
    │ ├─smbd(gustavo)
    │ └─smbd(asdrubal)

    From pstree I always see an smbd process for each user mount.

    What I want to know is if the vulnerable call is run as the local user or
    root.

    Thanks
    Gustavo


    >
    > > Does this affect samba 2.x as well? What versions?

    >
    > Technically affects Samba 2.2.4 and later, but Samba 2.2
    > reached EOL several years ago.
    >
    >
    >
    >
    > cheers, jerry


    --
    Angulo Sólido - Tecnologias de Informação
    http://angulosolido.pt

  4. Re: [Samba] CVE-2008-1105 - clarification request


    Gustavo Homem wrote:
    > On Friday 06 June 2008 19:49, Gerald (Jerry) Carter wrote:
    >> Gustavo Homem wrote:
    >>> Hi,
    >>>
    >>> The announcement states:
    >>>
    >>> "Secunia Research reported a vulnerability that allows for
    >>> the execution of arbitrary code in smbd"
    >>>
    >>> Does this mean arbitrary code executed "as root" or as the user that is
    >>> authenticated after smbd drops privileges?

    >> Potentially either. smbd never drops privileges and can always
    >> re-become root.

    >
    > Are you sure about this?
    >
    > ├─smbd─┬─2*[smbd]
    > │ ├─smbd(gustavo)
    > │ └─smbd(asdrubal)
    >
    > From pstree I always see an smbd process for each user mount.


    Yeah. I'm sure. :-) We change to the effective id of the
    user to perform certain operations. And then change back
    to root when done (with some optimizations to minimize the
    number of security context switches).

    >
    > What I want to know is if the vulnerable call is run as the local user or
    > root.


    Potentially either. Treat this as a potential remote root
    code execution although I've only seen PoC code for clients.





    cheers, jerry
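The distinction discussed in the reply above (a process that only switches its effective id versus one that has dropped root for good) can be checked on a Linux host from the `Uid:` line of `/proc/<pid>/status`. This is an added example, not part of the thread and not Samba code; the sample status texts are constructed and the function names are illustrative.

```python
"""Classify a process's UID state from Linux /proc/<pid>/status text."""
import re
import sys

# Constructed samples. The four "Uid:" columns are, in order:
# real, effective, saved-set and filesystem UID.
SAMPLE_SWITCHED = "Name:\tsmbd\nPid:\t4242\nUid:\t0\t1000\t0\t1000\n"
SAMPLE_DROPPED = "Name:\tworker\nPid:\t4243\nUid:\t1000\t1000\t1000\t1000\n"
SAMPLE_ROOT = "Name:\tsmbd\nPid:\t4200\nUid:\t0\t0\t0\t0\n"

UID_LINE = re.compile(
    r"^Uid:[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M
)


def parse_uids(status_text):
    """Return (real, effective, saved, fs) UIDs from status text."""
    match = UID_LINE.search(status_text)
    if match is None:
        raise ValueError("no Uid: line in status text")
    return tuple(int(value) for value in match.groups())


def classify(status_text):
    """Return 'root', 'switched' or 'dropped' for one process.

    'switched': effective UID is unprivileged, but the real or saved UID is
    still 0, so the process may set its effective UID back to 0 at will.
    'dropped': no UID is 0. Capabilities are not considered here.
    """
    real, effective, saved, _fs = parse_uids(status_text)
    if effective == 0:
        return "root"
    if real == 0 or saved == 0:
        return "switched"
    return "dropped"


def can_regain_root(status_text):
    """True when code running in the process could end up with euid 0."""
    return classify(status_text) != "dropped"


if __name__ == "__main__":
    # Usage: python3 uidstate.py <pid> [<pid> ...]
    for pid in sys.argv[1:]:
        with open(f"/proc/{pid}/status") as handle:
            text = handle.read()
        print(pid, parse_uids(text), classify(text))
```

A process reported as `switched` should be treated as root-equivalent when assessing the impact of a code-execution bug in it.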

  5. Re: [Samba] CVE-2008-1105 - clarification request

    On Friday 06 June 2008 20:41, Gerald (Jerry) Carter wrote:
    > Gustavo Homem wrote:
    > > On Friday 06 June 2008 19:49, Gerald (Jerry) Carter wrote:
    > >> Gustavo Homem wrote:
    > >>> Hi,
    > >>>
    > >>> The announcement states:
    > >>>
    > >>> "Secunia Research reported a vulnerability that allows for
    > >>> the execution of arbitrary code in smbd"
    > >>>
    > >>> Does this mean arbitrary code executed "as root" or as the user that
    > >>> is authenticated after smbd drops privileges?
    > >>
    > >> Potentially either. smbd never drops privileges and can always
    > >> re-become root.

    > >
    > > Are you sure about this?
    > >
    > > ├─smbd─┬─2*[smbd]
    > > │ ├─smbd(gustavo)
    > > │ └─smbd(asdrubal)
    > >
    > > From pstree I always see an smbd process for each user mount.

    >
    > Yeah. I'm sure. :-) We change to the effective id of the
    > user to perform certain operations. And then change back
    > to root when done (with some optimizations to minimize the
    > number of security context switches).


    Understood. Thanks for the explanation.

    >
    > > What I want to know is if the vulnerable call is run as the local user or
    > > root.

    >
    > Potentially either. Treat this as a potential remote root
    > code execution although I've only seen PoC code for clients.


    ?? Does this vulnerability also affect the samba clients if connecting to an
    infected server?

    Best regards
    Gustavo

    --
    Angulo Sólido - Tecnologias de Informação
    http://angulosolido.pt