Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Subject: (SRADV00002) Remote root compromise through pam_smb and pam_ntdom
From: Secure Reality Advisories (createSECUREREALITY.COM.AU)
Date: Sun Sep 10 2000 - 09:13:32 CDT
- Next message: Paul Starzetz: "Breaking screen on BSD"
- Previous message: pestilence: "YaBB 1.9.2000 Vulnerabilitie"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Secure Reality Pty Ltd. Security Advisory #1 (SRADV00002)
Remote root compromise through pam_smb and pam_ntdom
pam_smb - stable versions < 1.1.6, development versions unclear
pam_ntdom - versions < 0.24
pam_smb and pam_ntdom are pluggable authentication modules that allow
authentication of usernames and passwords in PAM compatible environments
(most notably Solaris and Linux) against Windows and Samba.
Both modules (ONLY in versions as listed above) contain remotely exploitable
stack buffer overflows. This bug allows an attacker to execute arbitrary
code as root.
Remote root compromise
pam_smb and pam_ntdom are used in heterogenous environments to provide
common authentication across unix and windows boxes. Both modules are
distributed from their own home pages and the samba ftp site and mirrors. It
is reasonable to assume both modules are fairly widespread.
The bug itself is fairly trivial. pam_smb performs a strcpy of a
user controlled variable (the login name) into a stack variable of only 16
bytes. pam_ntdom is based on the code from pam_smb and thus inherits this
problem (in versions specified).
Please upgrade to the latest version of all modules:
pam_smb stable 1.1.6 at ftp://ftp.samba.org/pub/samba/pam_smb/
pam_smb development 1.9.8 at ftp://ftp.samba.org/pub/samba/pam_smb/devel/
pam_ntdom 0.24 at http://cb1.com/~lkcl/pam-ntdom/
(As the pam_smb module was only updated recently, some samba mirrors may
not have the latest versions at this stage. Please note the version of
pam_ntdom on samba mirrors (0.23) IS vulnerable, download the latest version
from the URL listed above)
Our thanks to Dave Airlie, author of pam_smb, for his assistance in quickly
fixing this problem and cutting new versions of pam_smb.
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibity for any
damange or injury caused as a result of its use.