J-Security Center

Title: Samba Insecure TMP file Symbolic Link Vulnerability

Severity: HIGH

Description:

Samba is a flexible file sharing packaged maintained by the Samba development group. It provides interoperatability between UNIX and Microsoft Windows systems, permitting the sharing of files and printing services.

A vulnerability in the Samba software package makes it possible for users with local access to deny service to other users, and potentially gain elevated privileges. The problem is due to insecure temporary file creation.

The problem occurs in the way smbrun() handles output from a child process. Upon executing, one of the parameters supplied to smbrun() is a temporary file name. This temporary file name is used by the child process, which when forked, writes all of it's activity to the temporary file. By supplying a NULL value for the file name, it's possible to direct all of this output to /dev/null.

However, by using a symbolic link, and linking the contents of this file to a device file, it is possible to make the contents of the temporary file print to a device file such as /dev/mem, resulting in a denial of service attack, or /dev/hda, resulting in serious damage to the file system.

Affected Products:

  • Caldera OpenLinux 2.3.0
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.1.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 2.3.0
  • Debian Linux 2.3.0 alpha
  • Debian Linux 2.3.0 powerpc
  • Debian Linux 2.3.0 sparc
  • HP CIFS/9000 Server 0.0.0A.01.06
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • Progeny Debian 1.0.0
  • RedHat Linux 4.2.0
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 6.0.0
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 E alpha
  • RedHat Linux 6.2.0 E i386
  • RedHat Linux 6.2.0 E sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 6.2.0 sparcv9
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 i686
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 i586
  • RedHat Linux 7.1.0 i686
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.1
  • Samba Samba 2.0.4
  • Samba Samba 2.0.5
  • Samba Samba 2.0.6
  • Samba Samba 2.0.7
  • Samba Samba 2.0.8
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt RaQ 550 4100R 0.0.0
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ4 3001R
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • WireX Immunix OS 6.2.0
  • WireX Immunix OS 7.0.0
  • WireX Immunix OS 7.0.0 -Beta

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.