Samba Exploit Discovered, Fixed
An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. This, and at least three other vulnerabilities, have been fixed today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?"
elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."
Okay everybody... (Score:3, Funny)
Re:Okay everybody... (Score:5, Funny)
Whoah, slow down there buddy. We gotta check the list.
-Microsoft? No.
-RIAA/MPAA? No.
-IBM? No.
-Amazon? No.
-TurboTax? No.
Sorry, Samba's not on the list. Turn in your pitchfork for a song of praise.
Re:Okay everybody... (Score:2)
Ummm. You might want to check the date on that list. IBM are "good guys" now. I know. It's weird. I consider it proof of a Universe with perverse humor - and even business is not sacred.
Of course - I'm not sure where your list came from. When IBM was 'evil', Microsoft were up-and-coming, scrappy underdogs (kind of good-guy in contrast, I suppose). And Amazon was a geography reference. TurboTax doesn't
Re:Okay everybody... (Score:2)
I was thinking about IBM's defective hard drives and laptop batteries.
"TurboTax doesn't seem like it should even show up anywhere."
Um, have you been reading Slashdot [slashdot.org] lately?
Re:Okay everybody... (Score:2)
Re:Okay everybody... (Score:2)
Linux: opening up holes in MS Networks since 1995.
Mondays? (Score:5, Funny)
Re:Mondays? (Score:3, Funny)
Re:Mondays? (Score:5, Funny)
Samba is just trying to emulate every aspect of a Windows server, including Windows patch Mondays.
Yet another compatibility feature we can check off the list.
Re:Mondays? (Score:2)
Already fixed in FreeBSD ports (Score:5, Informative)
samba 2.2.8a
Update 2.2.8 -> 2.2.8a.
Submitted by: dwcjr (MAINTAINER)
I already updated my installation 4 hours ago, the FreeBSD folk are fast
This is what is fixed by the update:
(1) Sebastian Krahmer of the SuSE Security Team identified
vulnerabilities that could lead to arbitrary code execution as root,
as well as a race condition that could allow overwriting of system
files. (This vulnerability was previously fixed in Samba 2.2.8.)
(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
correctly, leads to an anonymous user gaining root access on a Samba
serving system. All versions of Samba up to and including Samba 2.2.8
are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
vulnerable.''
Re:Already fixed in FreeBSD ports (Score:2, Informative)
Debian also has this fixed. I just checked right now, but according to the timestamps on the servers it looks like it took place around 11:00 today.
Feature? (Score:5, Funny)
Re:Feature? (Score:5, Interesting)
more than 8 years.
Yes, they crash your MS SMB server. Yes, we've told
Microsoft about them.
Microsoft don't always fix bugs if there are no active
exploits against them and knowledge of them is limited.
I guess they just trust that we don't release exploits
Jeremy Allison,
Samba Team.
Re:Feature? (Score:2)
Well, let's see one then. I'm not challenging you and I'm not saying they don't exist, but if you say they do exist then I'd be interested in looking at them.
Thanks.
Re:Feature? (Score:5, Interesting)
I had access to I would be able to show you. I will
not release the code publicly (for obvious reasons).
Knowledge of these bugs would allow worms/viruses to
utterly cripple Microsoft based corporate networks.
If you choose not to believe me without exploit code
then that's up to you, but I will not act in an
unprofessional way to prove a point.
Jeremy Allison,
Samba Team.
Re:Feature? (Score:4, Interesting)
Re:Feature? (Score:4, Insightful)
I have to catalogue Microsoft bugs as Samba has to
interoperate with some of them (if you'd ever looked
at Samba code you'd know what we sometimes have to
do to work around Microsoft bugs).
Yes, I sometimes screw up and write bad code, as does
every software engineer I've ever worked with.
With Open Source, you get to see such things in public,
rather than being hidden. Even though this was my
problem I know which way of developing code I prefer,
and I've developed my share of proprietary code in
my time...
Jeremy Allison,
Samba Team.
Jeremy (Score:2)
Re:Feature? (Score:2)
If so, are any of the security bugs still exploitable? Microsoft stopped new feature work for 2 months to fix security bugs and then focused heavily on security bugs since then, so these bugs should be fixed. If not, many people at Microsoft would like to know before it hits the store shelves.
Re:Feature? (Score:5, Insightful)
to give any crackers ideas on how to exploit them.
Microsoft know and they are the only people who can
do anything about it, it's *their* code, not mine
Me describing the problem to you will make the problem
worse, not better.
If people find bugs in my code I want them to tell me
and I fix them asap. If they are security related I
want them to give me warning first before going public.
This is what we have done with Microsoft, it's the
responsible, professional thing to do. What gets done
about it is *their* decision, not mine (or yours).
Jeremy Allison,
Samba Team.
Re:Feature? (Score:2)
Hmmmn: Jeremy uses these SMB bugs to blackmail MS (Score:2)
Nice work on Samba btw. I have to point out that you are deliberately leaving out a large part of the disclosure argument. If you gave out further details about these security issues with MS SMB, it may prompt Microsoft to do something about it. This is (arguably) the best thing to do - exploits for these holes may exist in the wild without MS knowing (like there was with Samba...), so they should really be pushed harder to do something about it.
I get the feeling that you are being a little p
Re:Feature? (Score:3, Interesting)
that Microsoft has no bugs that are this severe that have
not been fixed for this long. I know this to be false. I
don't really care if you believe me or not.
Jeremy Allison,
Samba Team.
Re:Feature? (Score:3, Informative)
told them. The flaws are in their code. If you had access
to Microsoft source code and could fix them, I'd tell you.
But you don't, that's the problem. All you could do is
create mischief with the knowledge. I don't see why I have
any professional obligations to help you with that.
Jeremy Allison,
Samba Team.
Re:Feature? (Score:3, Interesting)
for fixing bugs by proprietary companies, but don't
ascribe the same motivations to Open Source/Free
Software developers.
Imagine you were designing a bridge, but got it
wrong. The bridge gets built, but you know a certain
pattern of cars going across in a certain order could
cause it to collapse.
Would you tell the local authority and accept the
blame ? If you didn't, how could you sleep at night ?
Jeremy Allison,
Samba Team.
Re:Feature? (Score:3, Funny)
Which MS SMB server? (Score:2)
Re:Feature? (Score:2)
doubt my statement without backup.
I know the problem in the code I wrote for Samba
is bad, I am simply pointing out that I am aware of bugs
within Windows that are as severe, and have persisted
for 8 years also. I pointed this out because of an AC
comment that Microsoft code quality is higher (although
unless they are able to look at it I wonder how they know
I will mail you the code when you request it from your
security@microsoft.com address, otherwise
Go away troll (Score:2)
Pull the other one.
These bugs have been sent to security@microsoft.com, with no response. Why should sending them to you be any more effective?
Disclosing bugs is only useful if there is a fix, or if they're being exploited in the wild. Some of the bugs known by the Samba team are apparently not being exploited,
Re:Feature? (Score:3, Informative)
It only allows those with no talent (the script kiddies)
to cause trouble for people trying to maintain systems.
Inform the vendor, if the vendor does nothing, tell the
world it is broken, demo your exploit to some journalists
if you like.
But releasing exploit code is the programming equivalent
to leaving a pile of fully loaded weapons outside a school.
Jeremy Allison,
Samba Team.
Raining Open Source bugs? (Score:2)
Re:Raining Open Source bugs? (Score:2, Insightful)
Re:Raining Open Source bugs? (Score:3, Informative)
As far as people patching them, that's another topic altogether.
Almost every software has bugs... be it disclosed or not disclosed.
8 Years?? (Score:5, Funny)
Oh wait...
Re:8 Years?? (Score:5, Informative)
(I'm just hoping not in threes
Once one gets discovered then people look for others in
the same project.
The first one was found by a SuSE audit, and we went through
and fixed all related code. This one was found 'in the wild'
so to speak. I'm not sure how long the cracker community
has known about this one.
I'm to blame as both were in code I wrote a long time ago
Jeremy Allison,
Samba Team.
Re:8 Years?? (Score:2, Interesting)
You see a story about a bug, and the author quickly replies "Ya, I coded this part. I missed this bug."
Jeremy, congrats to you for having guts to stand up and admit fault. This kind of integrity is why open source is such a great movement.
Re:8 Years?? (Score:2)
---
Don't use so many caps.Don't use so many caps.Don't use so many caps.
Re:8 Years?? (Score:4, Insightful)
Oracle or Sun for your losses in the real world and
won any damages ?
In Open Source you know who messed up. You have their
email address and phone number. You have a basis for
trust or not based on past reputation/performance.
You have *no idea* who wrote any of the Microsoft code,
or any other proprietary code - and no recourse to fix
problems that cause you losses other than to beg the
vendor for a fix.
And you'd better ask nicely, in case you don't give
them enough money.
Good luck on getting your damages from Microsoft for
the last virus outbreak, you're going to need it
Jeremy Allison,
Samba Team.
Re:8 Years?? (Score:2)
More to the point they care. I have this messed up existence, half in OSS and half dealing with MS's products and I'm constantly amazed at the pride OSS coders have in their work, and the level of responsibility shown by the community in dealing with problems such as this.
Proving a point, a quick apt-get update, apt-get upgrade and
Re:apt-get (Score:2)
Eh? In what way, only one step? I must admit that I really don't know why there isn't an all in one "updateupgrade", but hey.
windows update is really simple and useful for a "desktop user" IMHO
Yeah, I guess. In that it only covers the bugs that MS feels fit to fix on any given day, you're not going to get a lot easier than windows update. But servers are a different kettle of fish
Re:8 Years?? (Score:2)
No kidding (Score:2)
At least with open source people can't hide their crappy code behind a black box. That's the point of open source.
Oh wait, you're a troll.. ah well you got modded up so that's that.
Re:No kidding (Score:2)
RTFA - exploits for this one have been in the wild for a while The only reason it was found is because somebody looked at a packet trace, not the source code.
Re:No kidding (Score:2)
It's obvious you don't write software, otherwise you'd know that when it's debugged, you don't just read the code to solve the problem... but having the code to begin with is bloody indispensable.
Try saying something relevant next time...
Re:No kidding (Score:2)
This one was discovered last Thursday, and five days to patch a remote root vulnerability with exploits already in the wild is not very good in my book.
when it's debugged, you don't just read the code to solve the problem
My point is that releasing code to the public does nothing to improve security. Nothing was stopping anybody from looking at the source code and/or loading Samba into a debugger and finding this problem, and yet this vulnerability has ex
Re:No kidding (Score:4, Insightful)
reported, and that was mainly due to mail propagation
delays from Australia ! We had to co-ordinate the
release with all the Samba vendors, that's what took
the time.
Your point about code auditing is incorrect. No company
pays the sort of money needed to do the amount of code
auditing a major OSS project gets *for free* by the
vendor community. Yes, they could do this, but proprietary
software companies simply don't spend the money on engineering
resources to be used in this way. Not even Microsoft.
Jeremy Allison,
Samba Team.
Re:No kidding (Score:3, Interesting)
I'm not sure it really matters why the delay occurred - maybe that's something to work on for next time. Even if the fix could not be released immediately, it may have been a good idea to alert people that a problem existed so they could take additional precautions while the coordination effort
Use Systrace (Score:5, Interesting)
Re:Use Systrace (Score:2)
Re:Use Systrace (Score:2)
You are right, it's not perfect, but nothing is. It's certainly one huge step-up from the current situation.
Re:Use Systrace (Score:2)
There's a lot of legacy code that was created in a more innocent time when computers were not connected to the outside world or exploits were uncommon.
In those days, there were no requirements to address non-existent problems and rightly so from a business perspective.
If you are writing code from scratch today you're expected to take exploits into consideration, but it's not fair to blame legacy programmers for not predicting the future.
Re:Use Systrace (Score:2)
These are certainly some causes, but I suspect many of the problems in Samba and Windows are due to the protocol being incredibly complex and kludgy.
Complexity is the enemy of security, and CIFS/SMB/etc has a superabundance of complexity. In fact it's not a single protocol but a multitude of different, inconsistent, interacting protocols.
For example a lot o
Re:Use Systrace (Score:5, Insightful)
of security bugs than Windows, but not exploits.
Most of the Windows security bugs you never hear about
or are silently fixed by Microsoft in the next service
pack with no advisory.
You're watching sausage being made in the open. Fun
isn't it (but at least it's educational).
Jeremy Allison,
Samba Team.
Re:Use Systrace (Score:2)
of security bugs than Windows, but not exploits.
[No human being should take the following seriously. There, that's my anti-flamebait defense for the following].
I don't know who you are, Mr. Jeremy Allison, but your name is obviously fake. You're definitely using a pseudonym, because no man on the face of the earth could possibly have a woman's first name as a last name and have any credibility in the software world.
I grew up with a young man named 'Tr
Re:Use Systrace (Score:5, Insightful)
Number of bugs is relevant, but only mildly. How about considering the length of time from first discovery, black hat OR white hat, to public notification, and then time of patching? How reliable are said patches with regards to overall system stability?
I'd go so far as to say that it's a *good* thing that SecurityFocus is posting twice as many bugs as Windows (if indeed they are)...If you consider the scope of Linux and Windows to be equivalent, and thus the sizes of the codebase to be approximately equal, and approximate the number of possible bugs to be equal, then it means that Linux bugs get fixed more quickly because they can be independently discovered, worked around, and fixed.
How many bugs are there in Microsoft code that IT *doesn't* know about, but black hats do? How many bugs are there in Microsoft code that Microsoft knows about, but IT doesn't?
Re:Use Systrace (Score:2)
Case in point is the parent post. Do some research 'bub. If you know who you just called a troll you'd probably want to dig yourself a hole to crawl into for a while. If not, well, you're probably designed for middle management.
Cheers.
Here is the article from news.com (Score:2, Informative)
The Samba Team released a patch on Monday for the second major security flaw found in the past few weeks in the open-source group's widely used program for sharing Windows files between Unix and Linux systems.
The security problem could easily let an attacker compromise any Samba server connected to the Internet. The vulnerability is unrelated to the previous flaw, which Samba released a patch for on March 17.
"If it was related to the previous flaw, we would have found it when we audited the code," said J
terminology question... (Score:3, Insightful)
Now, I'm not a native English speaker, but I'd think that the software would contain a vulnerability and that the skr1pt k1ddi3z use exploits to, ehh, exploit the vulnerabilities.
Re:terminology question... (Score:2)
This one got discovered because the skr1pt k1ddi3z had an exploit and used it against the system the auditors were watching.
Sound like reporting an exploit is correct, eh?
Re:terminology question... (Score:2)
Red Hat RHSA-2003-095? (Score:2)
If it is, RH has had this licked since April Fool's. At least someone was being productive that day.
Re:Red Hat RHSA-2003-095? (Score:2)
I definitely "had a case of the mondays"!@! (Score:3, Funny)
No, I spent Monday yelling at people trying to explain to them "WHY" they need to upgrade. Dumb S.A.'s.
Lo and behold an intern sysadmin tells me "Looks like someone has a case of the mondays!"
...It's ok...just wait until he sees me put his pink slip in his
Rob
Re:I definitely "had a case of the mondays"!@! (Score:2)
It's ok...just wait until he sees me put his pink slip in his
Don't forget to put a cover page on it. You did get the memo didn't you?
One word (Score:2)
Err (Score:3, Funny)
Re:Err (Score:2)
Whoa! (Score:5, Funny)
Conspiracy theory: He created this bug because he's a karma whore!! :)
Re:Whoa! (Score:5, Funny)
8 years to come to fruition.....
Now I'll have to kill you
Jeremy.
Re:Whoa! (Score:2)
Wow (Score:4, Interesting)
In a related subject, people here need to lay off the Samba developers. They are doing a great job at admitting the problem and taking responsibility for it. Heck, just today I discovered a bug with Linksys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promised a call back after we had covered the basic configuration troubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the person's contact information, nor was I given any time they might call me back.
Compare that with OSS....I can remember countless occasions being frustrated with a piece of software only to discover I had actually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there were any more problems.
No, I am not Microsoft/Novell/Apple bashing, I just feel that OSS comes out with more accountability for their products. Perhaps I would hear back more often from commercial companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money
Zorton
btw: if anyone with a Linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know
Mandrake Advisory (Score:2)
Samba Exploit Discovered, Fixed.. (Score:2)
Re:so... (Score:2, Insightful)
Re:so... (Score:2, Insightful)
Re:20th post? (Score:4, Interesting)
the email tridge (Andrew Tridgell) had posted the
patch.
The wait was because we had to inform all the vendors
of Samba software (and there are *lots*) and co-ordinate
so that no one would be left vulnerable. Monday was
the earliest we could release and cover everyone (although
we were tempted to release friday - but we got beaten up
for releasing over a weekend last time
Jeremy Allison,
Samba Team.
Re:20th post? (Score:2)
Re:Open Disclosure of Active exploits (Score:3, Informative)
listen to what the vendors wanted, after all they are
the ones whose customers are on the line.
Jeremy Allison,
Samba Team.
Re:Super (Score:3, Interesting)
If I were running Samba, I'd be worried about remote root exploits inside the firewall too.
Re:Super (Score:5, Informative)
The point is, it's insecure. It doesn't matter if it probably will never be exploited, but it COULD be exploited if an opportunity to do so presented itself. Find a hole, patch it up, then resume the search for the next bug.
-Restil
Re:Super (Score:2)
Oi! I can't believe how many people miss this really. It's not an issue when you work in a 30 person company, but where I'm at now we have 425,000 employees. I'd wager at least 100,000 of them have PCs on the network too. That's a HUGE area of exploit if you ask me.
In a 30 person company you could walk out the door after hours and p
Re:Super (Score:2)
Besides, firewalls aren't worth shit. Systems need to be secured as though there was no firewall in place. Partly because there are crackers inside of them.
Re:Don't worry guys! (Score:5, Informative)
these recent vulnerabilities.
The problem was that the written code *worked*, as in if
it was given well-formed SMB packets it behaved correctly,
even though it was in a little used part of the code.
Because it worked 'out of the box' as it were, with
Windows clients there was little reason to examine it.
It's code that has a problem that gets looked at first.
I'm not trying to absolve myself of blame, after all, I
wrote the buggy code, but there was a reason that no one
needed to look at it for 8 years or so.
Jeremy Allison,
Samba Team.
Re:Don't worry guys! (Score:4, Funny)
actually read this closely. See, there's
this dude named Jeremy Allison, one of the
nice people who writes code for Samba.
I've used Samba for years - I've used
to replace or prevent about 20 Microsoft
Windows Installations over the last few years.
But by mimicking Jeremy's layout style
and putting his
this post - I just might get some undeserved
Karma.
Let's see if it works.
Jeremy Allison,
Samba Team.
Re:Don't worry guys! (Score:2)
some
Jeremy.
Re:Don't worry guys! (Score:2)
Read the article. (Score:4, Informative)
Nah this is slashdot. Why be accurate?
Read the article. It was discovered because there was an exploit in the wild and somebody USED it while the security auditors were WATCHING. Then they reverse-engineered the exploit from the captured packets.
Meta-moderators, someone needs to be slapped (Score:2)
The parent message is informative, and in no way abusive, and it corrects a mistake. However, for some reason, someone has moderated it as "Flamebait". Why?
Re:Mac OS X? (Score:4, Informative)
their codebase this morning and mailed it to them.
Jeremy Allison,
Samba Team.
Re:Mac OS X? (Score:2)
Re:Mac OS X? (Score:2)
On behalf of Mac OS X users everywhere, thank you very much, Mr. Allison.
Re:Mac OS X? (Score:2)
Re:Code auditing (Score:4, Insightful)
looked at the code is because it worked as written
with the most common clients (Microsoft ones).
We, the Linux vendors and just about everyone else
who uses Samba audits the code regularly, but this
one got missed by everyone but the bad guys. Sometimes
that happens. Life just *sucks* sometimes.
Every time we get a problem we always go through and
look for instances of this class of problem (that's
how I spent my weekend) but I'm afraid no code is
perfect.
Jeremy Allison,
Samba Team.
Re:Code auditing (Score:2)
Ah yes.. the sign of another person who has never worked with me.
Why design software with error handling I ask? Why not just write your code to not have errors? Much simpler if you ask me. Only pussies catch exceptions and deal with them. Real Programmers never throw an exception, therefore we are the exception.
Then again, maybe it's shit like that that gets me weird looks in design meetings.
Features are also important (Score:2, Interesting)
Some of the recent features (BDC support via LDAP, good domain membership via winbind) are the only things that allow people to run a more secure SMB server than Windows. Without those features, we would have to cave in and run something that has them. If samba did not have domain
Re:Code auditing (Score:4, Insightful)
Open source provides the opportunity for many eyes to audit the code. It does not guarantee that it will happen.
On the bright side, if Samba weren't open source, we might never have found this problem at all, and the fix would not have come so soon after the flaw was discovered.
Not being connected to the Internet isn't security (Score:2, Informative)
You're really missing the point. Many universities (like the one I attend) use Samba to provide network file serving to the campus, and those servers definitely aren't connected directly to the internet. The NetBIOS ports are blocked at the firewall anyway, to protect students on campus with blank Administrator passwords.
The problem is that there are 20,000 different people w
There's a difference (Score:2, Funny)
Well, there is actually a difference.
It might have taken eight years for someone to notice the bug and release a security advisory. However, once that was done, it only took the developers a week to release a patch.
Had it been in a Microsoft product, it would have taken a week to get a security advisory, and eight years to get the patch.
Re:Evil ideas about exploits (Score:2)
Upgrades should be cryptographically signed; this should prevent anyone releasing bogus packages. All releases from the Samba team are signed with GPG.
Of course this does introduce another potential problem: if somebody steals the signing key then they can forge releases, at least until the revocation is published. But that key is kept fairly secure, and such an attack has (as far as I know) not happened yet to any open source project.
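The signed-release check the comment above describes, as an added example that is not part of the original thread and not the Samba project's own code: the script builds a throwaway GnuPG keyring, signs a constructed stand-in for a release tarball with a hypothetical signer identity (the real Samba signing key is not reproduced), and then shows that verification passes on the genuine file and fails on a copy that differs by a single byte. The file names, the signer and the tarball contents are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from the Samba project.
# Builds a throwaway GnuPG keyring, signs a constructed stand-in release
# tarball, and verifies the genuine file and a tampered copy against the
# detached signature. Signer identity and file names are hypothetical.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Hypothetical release-signing identity (not the real Samba key).
SIGNER="Example Release Signer <release-signer@example.invalid>"
GENUINE="$WORK/samba-2.2.8a.tar.gz"
TAMPERED="$WORK/samba-2.2.8a-tampered.tar.gz"
SIG="$GENUINE.asc"

# make_release: write the stand-in tarball, generate the signing key and
# produce the detached ASCII-armoured signature (the .asc that ships beside
# a release); also prepare a tampered copy for comparison.
make_release() {
  printf 'constructed stand-in for samba-2.2.8a.tar.gz\n' > "$GENUINE"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$SIGNER" default default never 2>/dev/null
  gpg --batch --quiet --yes --armor --detach-sign \
      --output "$SIG" "$GENUINE" 2>/dev/null
  # One extra byte is enough to invalidate the signature.
  cp "$GENUINE" "$TAMPERED"
  printf 'x' >> "$TAMPERED"
}

# verify_release FILE SIG: prints "good" or "bad"; returns 0 only when gpg
# reports a good signature from a key present in the keyring.
verify_release() {
  if gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
    echo good
    return 0
  fi
  echo bad
  return 1
}

make_release
echo "genuine:  $(verify_release "$GENUINE" "$SIG" || true)"
echo "tampered: $(verify_release "$TAMPERED" "$SIG" || true)"
```

In the demonstration the public key already sits in the keyring that created it, so trust is implicit. Checking a real download means importing the project's public key from a channel independent of the mirror that served the tarball and comparing its fingerprint before running the verify step; and, following the comment's own caveat about a stolen key, a published revocation only protects you once your keyring has been refreshed to pick it up.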