Bug 61352 (CVE-2004-0815)

Summary: VUL-0: CVE-2004-0815: Samba access to files outside of a defined share
Product: [Novell Products] SUSE Security Incidents Reporter: Lars Müller <lmuelle>
Component: IncidentsAssignee: Lars Müller <lmuelle>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0815: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: samba-CAN-2004-0815.patch
samba.slec
samba.slec
samba.slec
samba.8.1
samba.8.2
samba.9.0

Description Lars Müller 2004-09-29 00:40:40 UTC 
From: "Gerald (Jerry) Carter" <jerry@samba.org>
Subject: [Samba-pkg-sec] [Fwd: Samba 2.2.x & 3.0.x <= 3.0.5 -- Arbitrary
        File Access Vulnerability]
To: samba-pkg-sec@samba.org
Cc:
Date: Tue, 28 Sep 2004 06:35:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------- Original Message --------
Subject: Samba 2.2.x & 3.0.x <= 3.0.5 -- Arbitrary File Access Vulnerability
Date: Fri, 24 Sep 2004 22:57:03 -0500
From: Gerald (Jerry) Carter <jerry@samba.org>


Subject:        Arbitrary File Access

Affected
Versions:       Samba 2.2.x and Samba 3.0.x <= 3.0.5

Summary:        A remote attacker may be able to gain access
                to files which exist outside of the share's
                defined path. Such files must still be readable
                by the account used for the connection.

Description
- -----------

A bug in the input validation routines used to convert DOS
path names to path names on the Samba host's file system
may be exploited to gain access to files outside of the
share's path defined by smb.conf.


Release Plans
- -------------

The Samba Team will be releasing Samba 2.2.12 to address
this bug in the 2.2.x series.  Since this issue has already
been fixed in Samba 3.0.6 and later, we will only be releasing
a patch (the one attached to this email) for earlier
3.0.x versions.  The public announcement is planned for 16:00
CEST (GMT+2) on Thursday, September 30.


Protecting Unpatched Servers
- ----------------------------

Samba file shares with 'wide links = no' (a non-default
setting) in the service definition in smb.conf are *not*
vulnerable to this attack.

The Samba Team always encourages users to run the latest stable
release as a defense of against attacks.  However, under certain
circumstances it may not be possible to immediately upgrade
important installations.  In such cases, administrators should
read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html.


Credits
- --------

Both security issues were reported to Samba developers by
iDEFENSE (http://www.idefense.com/).  Karol Wiesek is
credited with this discovery.



- --
Our Code, Our Bugs, Our Responsibility.


                                -- The Samba Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBWUx3IR7qMdg1EfYRAv0LAKDLGIIx8DGzjAb/37K5EoPeHtMWCQCfamV0
Kb15jut6RucTfnKdhOCUxyo=
=yzfE
-----END PGP SIGNATURE-----
Comment 1 Lars Müller 2004-09-29 00:40:40 UTC 
<!-- SBZ_reproduce  -->
The patch is attached and follows later.  This is just for the record.
Comment 2 Marcus Meissner 2004-09-30 17:44:30 UTC 
Lars, I guess this is the one that goes public tomorrow, isnt it? 
 
Do we have a patch and updated RPMs?
Comment 3 Marcus Meissner 2004-09-30 20:31:52 UTC 
lars on vacation this week.
Comment 4 Marcus Meissner 2004-09-30 23:08:15 UTC 
Created attachment 24313 [details]
samba-CAN-2004-0815.patch

using this patch for 2.2.* packages
Comment 5 Marcus Meissner 2004-09-30 23:54:04 UTC 
the samba 3 patch on the webpage does not apply to our 3.0.4 in 9.1 / SLES 
9 ... the code looks different.
Comment 6 Marcus Meissner 2004-10-01 00:20:42 UTC 
samba 2 packages submitted 
samba2 patchinfos submitted 
laufzettel submitted
Comment 7 Marcus Meissner 2004-10-02 01:00:40 UTC 
to reproduce: 
 
smbclient -U root //remote/somepublicshare 
cp /./////etc/passwd /tmp/passwd 
 
will copy /etc/passwd to /tmp/passwd. copying back will most likely work too.
Comment 8 Marcus Meissner 2004-10-04 17:37:45 UTC 
Created attachment 24479 [details]
samba.slec
Comment 9 Marcus Meissner 2004-10-04 17:37:50 UTC 
Created attachment 24480 [details]
samba.slec
Comment 10 Marcus Meissner 2004-10-04 17:37:51 UTC 
Created attachment 24481 [details]
samba.slec
Comment 11 Marcus Meissner 2004-10-04 17:38:01 UTC 
Created attachment 24482 [details]
samba.8.1
Comment 12 Marcus Meissner 2004-10-04 17:38:08 UTC 
Created attachment 24483 [details]
samba.8.2
Comment 13 Marcus Meissner 2004-10-04 17:38:17 UTC 
Created attachment 24484 [details]
samba.9.0
Comment 14 Marcus Meissner 2004-10-06 05:59:55 UTC 
From: "Gerald (Jerry) Carter" <jerry@samba.org>                                               
To: vendor-sec@lst.de                                                                         
Cc: vendor-disclosure <vendor-disclosure@idefense.com>, security@samba.org                    
Subject: [vendor-sec] ERRATA: Potential Arbitrary File Access (CAN-2004-0815)                 
                                                                                              
-----BEGIN PGP SIGNED MESSAGE-----                                                            
Hash: SHA1                                                                                    
                                                                                              
ERRATA                                                                                        
- ------                                                                                      
                                                                                              
The original announcement for the Samba vulnerability identified                              
by CAN-2004-0815 reported that Samba versions 3.0.0 - 3.0.5                                   
inclusive were subject the remote file access bug.  Later research                            
has confirmed that *only* Samba 3.0.x <= 3.0.2a contains the                                  
exploitable code.                                                                             
                                                                                              
The Samba Team expresses sincere apologies for any confusion                                  
this inaccuracy in the original announcement has caused.
Comment 15 Marcus Meissner 2004-10-06 06:00:51 UTC 
since 9.1 and sles9 ship 3.0.4, our samba 3 versions are not affected. 
 
Security Advisory has been released today, patches on last friday -> done.
Comment 16 Thomas Biege 2009-10-13 19:52:06 UTC 
CVE-2004-0815: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)