J-Security Center

Title: Linux Kernel Samba Share Local Privilege Elevation Vulnerability

Severity: HIGH

Description:

A local privilege escalation vulnerability has been reported to affect the 2.6 Linux kernel.

The issue appears to exist due to a lack of sufficient sanity checks performed when executing a file that is hosted on a remote Samba share. This issue has been reported to occur when a setuid or setgid file is made available as a shared network resource through the samba service. An attacker, who has local interactive access to an affected host, may mount the remote share and execute the remote setuid/setgid application. This will reportedly result in elevated privileges, as the setuid/setgid bit of the remote file is honored on the local system. The problem exist because smb file system is not mounted using mount and ignores the setuid/setgid permissions from smbmnt.

It should be noted that although this vulnerability has been reported to affect 2.6 versions of the Linux kernel, other versions might also be affected.

Conflicting reports suggest that this is expected behavior that results from the smbmnt utility being setuid root.

It has been reported that the attacker does not have to mount the file system as a local user. The vulnerability still exists if root mounts the file system and the attacker can execute a setuid binary on the server. Unix extensions have to be enabled on both the client and the server for this issue to occur.

Affected Products:

  • Conectiva Linux 8.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Gentoo Linux 1.4.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • Linux kernel 2.6.0
  • Linux kernel 2.6.0 -test1
  • Linux kernel 2.6.0 -test10
  • Linux kernel 2.6.0 -test11
  • Linux kernel 2.6.0 -test2
  • Linux kernel 2.6.0 -test3
  • Linux kernel 2.6.0 -test4
  • Linux kernel 2.6.0 -test5
  • Linux kernel 2.6.0 -test6
  • Linux kernel 2.6.0 -test7
  • Linux kernel 2.6.0 -test8
  • Linux kernel 2.6.0 -test9
  • Linux kernel 2.6.0 -test9-CVS
  • Linux kernel 2.6.1 -rc1
  • Linux kernel 2.6.1 -rc2
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • OpenPKG OpenPKG 1.1.0
  • OpenPKG OpenPKG 1.2.0
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 7.3.0 i686
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • Samba Samba 2.2.3 a
  • Samba Samba 2.2.3 a
  • Samba Samba 2.2.7 a
  • Samba Samba 2.2.8 a
  • Slackware Linux 8.1.0
  • Turbolinux Appliance Server Hosting Edition 1.0.0
  • Turbolinux Appliance Server Workgroup Edition 1.0.0
  • Turbolinux Home
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.