[1813] in SIPB_Linux_Development
workaround for Samba bug described by ADM
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Fri Sep 26 05:47:40 1997
From: mhpower@MIT.EDU
To: linux-dev@MIT.EDU
Date: Fri, 26 Sep 1997 05:47:23 EDT
A program was posted to bugtraq today that apparently gives remote
root access to any machine running smbd from the Samba distribution
(most likely including both the latest version 1.9.17p1 and the
versions distributed by RedHat). Since this probably affects some
part of the Linux-Athena community, I've included a patch that
may be usable as a workaround until the problem is fixed. I'm
not suggesting that linux-dev is "responsible" for problems in
random packages such as Samba, but just in case there happen to
be active attacks perhaps having a patch handy could be useful.
This is relative to the version distributed with RedHat 4.2
ftp://ftp.redhat.com/pub/redhat/redhat-4.2/SRPMS/samba-1.9.16p11-3rh.src.rpm
Matt
*** password.c.old Sat Feb 22 22:26:41 1997
--- password.c Fri Sep 26 02:04:10 1997
***************
*** 1362,1363 ****
--- 1362,1364 ----
BOOL ret;
+ static char *PinBuffer;
***************
*** 1367,1368 ****
--- 1368,1375 ----
+ PinBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+ if (PinBuffer == NULL) {
+ DEBUG(1,("insufficient memory for contacting password server\n"));
+ return(False);
+ }
+
if (Protocol < PROTOCOL_NT1) {
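Review bot: The allocation added at the top of this function runs on every call and overwrites the static `PinBuffer` without freeing the previous block, and no `free` appears in any hunk, so each password-server check appears to leak BUFFER_SIZE + SAFETY_MARGIN bytes. Because the pointer is static, allocate only once with `if (PinBuffer == NULL) PinBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);`, followed by the existing NULL check. The same applies to the identical block added at new lines 1504-1511. Both function bodies start and end outside the hunks, so a release elsewhere cannot be ruled out from here.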
***************
*** 1425,1428 ****
! if (!receive_smb(password_client,inbuf,5000) ||
! CVAL(inbuf,0) != 0x82) {
DEBUG(1,("%s rejected the session\n",pserver));
--- 1432,1442 ----
! if (!receive_smb(password_client,PinBuffer,5000)) {
! DEBUG(1,("%s rejected the session\n",pserver));
! close(password_client); password_client = -1;
! return(False);
! }
!
! memcpy(inbuf, PinBuffer, sizeof(inbuf));
!
! if (CVAL(inbuf,0) != 0x82) {
DEBUG(1,("%s rejected the session\n",pserver));
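Review bot: The `memcpy(inbuf, PinBuffer, sizeof(inbuf))` silently truncates an oversized reply instead of rejecting it, so the length and count fields inside the copied header can still describe more data than `inbuf` holds. Any later code that walks `inbuf` by those fields would read past the copy; that code is outside the hunk, so this is inferred. `sizeof(inbuf)` is the buffer size only if `inbuf` is an array in this scope, which its declaration (not shown) should confirm. Consider failing closed when the received length exceeds `sizeof(inbuf)`, and add a comment such as `/* reply is received into the full-size PinBuffer; only sizeof(inbuf) bytes are kept */`. The same copy appears in the hunks at new lines 1461-1473 and 1523-1534.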
***************
*** 1447,1451 ****
send_smb(password_client,outbuf);
! ret = receive_smb(password_client,inbuf,5000);
! if (!ret || CVAL(inbuf,smb_rcls) || SVAL(inbuf,smb_vwv0)) {
DEBUG(1,("%s rejected the protocol\n",pserver));
--- 1461,1473 ----
send_smb(password_client,outbuf);
! ret = receive_smb(password_client,PinBuffer,5000);
!
! if (!ret) {
! DEBUG(1,("%s rejected the protocol\n",pserver));
! close(password_client); password_client= -1;
! return(False);
! }
! memcpy(inbuf, PinBuffer, sizeof(inbuf));
!
! if (CVAL(inbuf,smb_rcls) || SVAL(inbuf,smb_vwv0)) {
DEBUG(1,("%s rejected the protocol\n",pserver));
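Review bot: The new `!ret` branch logs the same "rejected the protocol" text as the error-class branch below it, so a failed or malformed reply cannot be told apart from a genuine rejection in the logs. A distinct message, for example `DEBUG(1,("no valid reply from %s during protocol negotiation\n",pserver));`, would make this visible when triaging. The session-request hunk at new lines 1432-1442 and the password hunk at new lines 1523-1534 duplicate their messages the same way.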
***************
*** 1475,1476 ****
--- 1497,1499 ----
BOOL ret;
+ static char *PinBuffer;
***************
*** 1481,1482 ****
--- 1504,1511 ----
+ PinBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+ if (PinBuffer == NULL) {
+ DEBUG(1,("insufficient memory for contacting password server\n"));
+ return(False);
+ }
+
bzero(inbuf,sizeof(inbuf));
***************
*** 1494,1498 ****
send_smb(password_client,outbuf);
! ret = receive_smb(password_client,inbuf,5000);
! if (!ret || CVAL(inbuf,smb_rcls) != 0) {
DEBUG(1,("password server %s rejected the password\n",pserver));
--- 1523,1534 ----
send_smb(password_client,outbuf);
! ret = receive_smb(password_client,PinBuffer,5000);
!
! if (!ret) {
! DEBUG(1,("password server %s rejected the password\n",pserver));
! return(False);
! }
!
! memcpy(inbuf, PinBuffer, sizeof(inbuf));
! if (CVAL(inbuf,smb_rcls) != 0) {
DEBUG(1,("password server %s rejected the password\n",pserver));