• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Samba Remote Arbitrary File Creation Vulnerability

Severity: HIGH

Description:

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms.

A problem has been discovered that can allow remote file creation. This problem can lead to denial of service attacks against the server, and may also lead to an elevation of privileges by a user with local access.

The problem is due to the insufficient validation of NetBIOS hostnames by the Samba daemon. When a request is made to the Samba server, a NetBIOS hostname is passed through the daemon to request a specific share.

This input is not checked sufficiently, and can allow the passing of meta-characters and strings to the logging facilities of Samba, which are normally kept in /var/log/samba. The Samba configuration file by default allows the supplied strings to pass as directory specifications.

Because of this, it's possible to pass strings to the daemon which will allow the writing of files outside the /var/log/samba directory, and to anywhere on the filesystem to which samba user has write access. In the event that Samba is run as root, this makes it possible for a remote user to overwrite sensitive system files, creating a potential denial of service situation.

Affected Products:

• Caldera OpenLinux 2.3.0
• Conectiva Linux 4.0.0
• Conectiva Linux 4.0.0 es
• Conectiva Linux 4.1.0
• Conectiva Linux 4.2.0
• Conectiva Linux 5.0.0
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Conectiva Linux ecommerce
• Conectiva Linux graficas
• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• Debian Linux 2.3.0
• Debian Linux 2.3.0 alpha
• Debian Linux 2.3.0 powerpc
• Debian Linux 2.3.0 sparc
• HP CIFS/9000 Server 0.0.0A.01.05
• HP CIFS/9000 Server 0.0.0A.01.06
• MandrakeSoft Linux Mandrake 7.0.0
• MandrakeSoft Linux Mandrake 7.1.0
• Progeny Debian 1.0.0
• RedHat Linux 6.2.0
• RedHat Linux 6.2.0 E alpha
• RedHat Linux 6.2.0 E i386
• RedHat Linux 6.2.0 E sparc
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 6.2.0 sparcv9
• RedHat Linux 7.0.0
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.0.0 i686
• RedHat Linux 7.1.0
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.1.0 i586
• RedHat Linux 7.1.0 i686
• SCO eDesktop 2.4.0
• SCO eServer 2.3.1
• Samba Samba 2.0.5
• Samba Samba 2.0.6
• Samba Samba 2.0.7
• Samba Samba 2.0.8
• Samba Samba 2.0.9
• Samba Samba 2.2.0.0
• Sun Cobalt Qube3 4000WG
• Sun Cobalt RaQ 550 4100R 0.0.0
• Sun Cobalt RaQ XTR 3500R
• Sun Cobalt RaQ4 3001R
• Trustix Secure Linux 1.1.0
• Trustix Secure Linux 1.2.0
• WireX Immunix OS 6.2.0
• WireX Immunix OS 7.0.0
• WireX Immunix OS 7.0.0 -Beta

References:

• Samba: Macro Exploit

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.