__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
__________________________________________________________

                       INFORMATION BULLETIN

             Red Hat Samba Package /tmp Race Condition
           [Red Hat Security Advisory RHSA-2001:044-08]

May 18, 2001 20:00 GMT                                            Number L-084
______________________________________________________________________________
PROBLEM:       A race condition in smbclient and the smbd printing code could
               allow local users to overwrite any file on the system.
PLATFORM:      Red Hat Linux 5.2 - alpha, i386, sparc
               Red Hat Linux 6.2 - alpha, i386, sparc
               Red Hat Linux 7.0 - alpha, i386
               Red Hat Linux 7.1 - i386
DAMAGE:        A malicious local user could create a symbolic link in /tmp and
               overwrite any file on the system.
SOLUTION:      Apply the updated Samba packages described below.
______________________________________________________________________________
VULNERABILITY  The risk is LOW to MEDIUM; an attacker must already have local
ASSESSMENT:    access to the system.
______________________________________________________________________________

[****** Start Red Hat Advisory ******]

                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New samba packages available to fix /tmp races
Advisory ID:       RHSA-2001:044-08
Issue date:        2001-04-05
Updated on:        2001-05-14
Product:           Red Hat Linux
Keywords:          samba /tmp overwrite
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

New samba packages are available; these packages fix /tmp races in
smbclient and the printing code. By exploiting these vulnerabilities, local
users could overwrite any file in the system.

It is recommended that all samba users upgrade to the fixed packages.

Please note that the packages for Red Hat Linux 6.2 require an updated
logrotate package.

Note: these packages include the security patch from Samba-2.0.9.
2. Relevant releases/architectures:

Red Hat Linux 5.2 - alpha, i386, sparc
Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - i386

3. Problem description:

The printing code in smbd uses predictable filenames in /tmp, and passes
them as an output file to system(); a user could create a symbolic link in
/tmp and then overwrite any file on the system. Later on chmod(0666) is
called on the file, leading to even more problems.

The smbclient 'more' and 'mput' commands also used /tmp files insecurely;
this is less of a risk in that these are not normally run as root.

Thanks go to Marcus Meissner (mm@caldera.de) for investigating the issue
and to the Samba team for providing a patch.

4. Solution:

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Again, note that the packages for Red Hat Linux 6.2 require an updated
logrotate package.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

33509 - Samba uses mktemp
33915 - Samba + Quota allows user to pass hard limit; but with gibberish
        data not correct files
31632 - Quota do not work on SAMBA Server.
36424 - security hole allows a user with a shell account to corrupt local
        devices
28919 - samba logrotate bug fills the partition limit
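The problem description in section 3 above names the two defects that make
the /tmp handling unsafe: a predictable filename opened by path (so a
pre-placed symbolic link is followed) and a later chmod() on that same path.
The following is an added example written for this bulletin, not Samba's
code and not part of the Red Hat advisory, showing the hardened shape a
privileged daemon should use instead. The function names and the
"smbspool" name prefix are this example's own assumptions; the unsafe
pattern is described only in a comment.

```c
/* Added example, not Samba code and not part of the Red Hat advisory:
 * the hardened way to handle a scratch file in /tmp, contrasted in the
 * comments with the pattern section 3 describes. Function names and the
 * "smbspool" name prefix are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable shape from section 3, in outline only:
 *     sprintf(name, "/tmp/prefix.%d", getpid());   predictable name
 *     system("... > /tmp/prefix.<pid>");           opened by path, follows symlinks
 *     chmod(name, 0666);                           also by path, a second race
 * Anyone who can write to /tmp can pre-place a symlink at that name, and a
 * process running as root then writes through it. */

/* Hardened: create a private scratch file under `dir` and return its fd.
 * mkstemp() picks an unpredictable suffix and opens with O_CREAT|O_EXCL,
 * so a name that already exists (including a planted symlink) makes the
 * call fail rather than redirect the write. `out_path` receives the name
 * so the caller can unlink() it when done. Returns -1 on any failure. */
int open_private_tmpfile(const char *dir, char *out_path, size_t len)
{
    int n = snprintf(out_path, len, "%s/smbspool.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return -1;                      /* buffer too small: refuse, never truncate */
    int fd = mkstemp(out_path);
    if (fd < 0)
        return -1;
    /* The permission change goes through the descriptor, never the path,
     * so there is no window in which the name could be swapped. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        unlink(out_path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* When the name must be reopened later (for instance to hand it to a child
 * process instead of the descriptor), refuse symlinks with O_NOFOLLOW and
 * confirm via fstat() that it is still the same regular file we created,
 * owned by us. Returns the new fd, or -1 with errno set. */
int reopen_verified(const char *path, const struct stat *expected)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP if a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_dev != expected->st_dev || st.st_ino != expected->st_ino ||
        st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = open_private_tmpfile("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("open_private_tmpfile");
        return 1;
    }
    struct stat st;
    fstat(fd, &st);
    printf("created %s with mode %04o\n", path, (unsigned)(st.st_mode & 0777));
    close(fd);
    unlink(path);
    return 0;
}
```

The two ideas to take away are that the file is created atomically with an
unpredictable name, and that every later operation works on the open
descriptor (fchmod, fstat) rather than on the path, so there is no moment at
which another local user can substitute a link.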
6. RPMs required:

Red Hat Linux 5.2:

SRPMS:
ftp://updates.redhat.com/5.2/en/os/SRPMS/samba-2.0.5a-2.5.2.src.rpm

alpha:
ftp://updates.redhat.com/5.2/en/os/alpha/samba-2.0.5a-2.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/en/os/alpha/samba-client-2.0.5a-2.5.2.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/en/os/i386/samba-2.0.5a-2.5.2.i386.rpm
ftp://updates.redhat.com/5.2/en/os/i386/samba-client-2.0.5a-2.5.2.i386.rpm

sparc:
ftp://updates.redhat.com/5.2/en/os/sparc/samba-2.0.5a-2.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/en/os/sparc/samba-client-2.0.5a-2.5.2.sparc.rpm

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/samba-2.0.8-1.6.src.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/logrotate-3.5.2-0.6.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/samba-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/samba-client-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/samba-common-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/logrotate-3.5.2-0.6.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/samba-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/samba-client-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/samba-common-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/logrotate-3.5.2-0.6.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/samba-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/samba-client-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/samba-common-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/logrotate-3.5.2-0.6.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/samba-2.0.8-1.7.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/samba-2.0.8-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/samba-client-2.0.8-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/samba-common-2.0.8-1.7.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/samba-2.0.8-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/samba-client-2.0.8-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/samba-common-2.0.8-1.7.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/samba-2.0.8-1.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/samba-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-client-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-common-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-swat-2.0.8-1.7.1.i386.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
c13389ba4bf3318b49e19b6469b2e0fe  5.2/en/os/SRPMS/samba-2.0.5a-2.5.2.src.rpm
3f0a195dbf5a363459926806185e80ba  5.2/en/os/alpha/samba-2.0.5a-2.5.2.alpha.rpm
58aa6febd254fc1e0784fbf6cfcfff02  5.2/en/os/alpha/samba-client-2.0.5a-2.5.2.alpha.rpm
9a12a093f101c98a1532e37299c484ce  5.2/en/os/i386/samba-2.0.5a-2.5.2.i386.rpm
5fda5f6989dea440ccdaf08446412ba9  5.2/en/os/i386/samba-client-2.0.5a-2.5.2.i386.rpm
854c4cb488ab388141b99d477faf3e86  5.2/en/os/sparc/samba-2.0.5a-2.5.2.sparc.rpm
9352f1fda00801b00e63a899770ff8de  5.2/en/os/sparc/samba-client-2.0.5a-2.5.2.sparc.rpm
335f2123c5ce3606db471183dfcdebad  6.2/en/os/SRPMS/logrotate-3.5.2-0.6.src.rpm
e4e697ad704a84c2ea4606be6ed19f5f  6.2/en/os/SRPMS/samba-2.0.8-1.6.src.rpm
f0f9129497c91d12da04cd6219267aa3  6.2/en/os/alpha/logrotate-3.5.2-0.6.alpha.rpm
9622500299782f17bda3657f85a9ad05  6.2/en/os/alpha/samba-2.0.8-1.6.alpha.rpm
c612a2092a1b03295b7d9d9c25af583d  6.2/en/os/alpha/samba-client-2.0.8-1.6.alpha.rpm
7fdd3bdafd9833e33167b33d19d3058f  6.2/en/os/alpha/samba-common-2.0.8-1.6.alpha.rpm
33f4ce1b7967405f33f4ad1cb73fae35  6.2/en/os/i386/logrotate-3.5.2-0.6.i386.rpm
edcecaa0c060f2371225d14ba5f6d908  6.2/en/os/i386/samba-2.0.8-1.6.i386.rpm
21acd09eb2072ec859a622f91d2aaca2  6.2/en/os/i386/samba-client-2.0.8-1.6.i386.rpm
917694eaf3f0d1f640e7ac9ec9acb329  6.2/en/os/i386/samba-common-2.0.8-1.6.i386.rpm
3f14ee70fdb73ba09ef49e4c4f3c6a7f  6.2/en/os/sparc/logrotate-3.5.2-0.6.sparc.rpm
7dd43e058143351a4605df173ede02a3  6.2/en/os/sparc/samba-2.0.8-1.6.sparc.rpm
478fbb5206d9a32208a63202bb5237c5  6.2/en/os/sparc/samba-client-2.0.8-1.6.sparc.rpm
9024c3b3e1a8ce90e9545979b5fd97f2  6.2/en/os/sparc/samba-common-2.0.8-1.6.sparc.rpm
79e6f09ba81d43ee261a278ffd28e60a  7.0/en/os/SRPMS/samba-2.0.8-1.7.src.rpm
cbfae3f2420cfae17b005211a8fdf692  7.0/en/os/alpha/samba-2.0.8-1.7.alpha.rpm
f09d86bd2a942bfea3a89b00960584e3  7.0/en/os/alpha/samba-client-2.0.8-1.7.alpha.rpm
a201143cad04e8cf7c199b247bcab800  7.0/en/os/alpha/samba-common-2.0.8-1.7.alpha.rpm
a8ab5a701ae81d123b45e564e6a780d4  7.0/en/os/i386/samba-2.0.8-1.7.i386.rpm
e7cd3ef7cad58e3be9ae72aa7e7a2b33  7.0/en/os/i386/samba-client-2.0.8-1.7.i386.rpm
2ea653688e214f9b0ca6619967f77076  7.0/en/os/i386/samba-common-2.0.8-1.7.i386.rpm
54613f26efbbfe5c2664bee923e63ce4  7.1/en/os/SRPMS/samba-2.0.8-1.7.1.src.rpm
282c70feb595b651804678407b7d7b08  7.1/en/os/i386/samba-2.0.8-1.7.1.i386.rpm
6e529dfb18f06b18360c755018864f8f  7.1/en/os/i386/samba-client-2.0.8-1.7.1.i386.rpm
e5f9759330d4ac09ea02ddead9c461e1  7.1/en/os/i386/samba-common-2.0.8-1.7.1.i386.rpm
6033af45917b0cbe447187ea56aeaefa  7.1/en/os/i386/samba-swat-2.0.8-1.7.1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg <filename>

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

[****** End Red Hat Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-074: Microsoft WebDAV Runs Scripts As User
L-075: FreeBSD IPFilter May Incorrectly Pass Packets
L-076: Red Hat Ptrace and Exec Race Conditions
L-077: The Glacier Backdoor
L-078: Microsoft Unchecked Buffer in ISAPI Extension
L-079: Microsoft Domain Controller Core Memory Leak Vulnerability
L-080: SGI IRIX rpc.espd Buffer Overflow
L-081: Microsoft Index Server Search Function Buffer Overflow
L-082: Cisco IOS BGP Attribute Corruption Vulnerability
L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS