[1827] in SIPB_Linux_Development
Urgent security hole regarding linux and Samba
daemon@ATHENA.MIT.EDU (Kevin 'Bob' Fu)
Mon Sep 29 23:40:21 1997
To: linux-announce@MIT.EDU
Cc: linux-dev@MIT.EDU, rcc@MIT.EDU, athena-all@MIT.EDU, hd@MIT.EDU,
network-security@MIT.EDU, efoo@MIT.EDU, mhpower@MIT.EDU
Date: Mon, 29 Sep 1997 23:38:42 EDT
From: "Kevin 'Bob' Fu" <fubob@MIT.EDU>
Important security bugfix for Linux Machines
*Samba*
-------------------------
A security hole in all versions of Samba has been recently discovered.
As a result, several Resnet linux boxes were compromised this weekend.
This security hole allows unauthorized remote users to obtain root
access on the Samba server. The intruder typically implicates you by
springboarding off your machine to attack other machines.
*** Aka, you *really* want to fix your machine. ***
*How to prevent the attack:
If you run Redhat linux, you probably run Samba ("ps aux | grep smbd"
to check). Until the RPM is updated in the next few weeks, I suggest
doing this as root:
rpm -e samba
rm /etc/rc.d/rc?.d/S??smb*
This will turn off the automatic running of Samba daemons. After you
reboot the linux box, Samba daemons should no longer automatically
start. "ps aux" to make sure "smbd" and "nmbd" are no longer running.
Also to prevent the disclosure of your passwords, always use encrypted
telnet. See /afs/sipb/project/doc/current/iLinux.dvi for more
information.
*How to test if you are probably compromised:
Do you see unusual logins or strange programs running in the
background? (e.g., packet sniffers, irc). Do you see lots of strange
entries in /root/.bash_history? Then you've probably been
compromised. However, lack of these symptoms does not imply that you
are secure. Always check your log files for suspicious activity.
*How to fix after a compromise
There's no ideal method. We suggest reformatting your linux drive to
get rid of any infected files. You never know what a malicious hacker
could have installed. Programs may run in a stealth mode--not even
appearing in "ps aux"! To more easily detect tainted files in the
future, try using "tripwire".
-Good luck,
Your friendly SIPB linux-dev volunteers
The alert:
[5309] daemon@ATHENA.MIT.EDU (Andrew Tridgell) bugtraq 09/26/97 12:01 (38 lines)
Subject: Security bugfix for Samba
Date: Sat, 27 Sep 1997 00:07:19 +1000
Reply-To: Andrew.Tridgell@anu.edu.au
From: Andrew Tridgell <tridge@SAMBA.ANU.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
Security bugfix for Samba
-------------------------
A security hole in all versions of Samba has been recently
discovered. The security hole allows unauthorized remote users to
obtain root access on the Samba server.
An exploit for this security hole has been posted to the internet so
system administrators should assume that this hole is being actively
exploited.
The exploit for the security hole is very architecture specific and
has been only demonstrated to work for Samba servers running on Intel
based platforms. The exploit posted to the internet is specific to
Intel Linux servers. It would be very difficult to produce an exploit
for other architectures but it may be possible.
A new release of Samba has now been made that fixes the security
hole. The new release is version 1.9.17p2 and is available from
ftp://samba.anu.edu.au/pub/samba/samba-1.9.17p2.tar.gz
This release also adds a routine which logs a message if anyone
attempts to take advantage of the security hole. The message (in the
Samba log files) will look like this:
ERROR: Invalid password length 999
you're machine may be under attack by a user exploiting an old bug
Attack was from IP=aaa.bbb.ccc.ddd
where aaa.bbb.ccc.ddd is the IP address of the machine performing the attack.
The Samba Team
samba-bugs@samba.anu.edu.au
--[5309]--
--------
Kevin E. Fu aka Bob the BobOp
PGP key: finger fubob@snafu.mit.edu
Athena OLC/RCC
SIPB Member
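A check for the "Invalid password length" message that 1.9.17p2 writes to the Samba log, as an added example that is not part of the original post or of Samba itself; the sample log excerpt, its timestamps and its line layout are constructed assumptions, only the three message lines follow the alert's wording.

```python
import re
from collections import Counter

# Constructed sample Samba log excerpt (not real output): the three-line
# message is the one quoted in the alert, the surrounding lines are invented.
SAMPLE_LOG = """\
09/30/1997 01:12:03 smbd: connect from 18.0.0.5
ERROR: Invalid password length 999
you're machine may be under attack by a user exploiting an old bug
Attack was from IP=10.9.8.7
09/30/1997 01:12:09 smbd: session setup ok for user alice
ERROR: Invalid password length 1024
you're machine may be under attack by a user exploiting an old bug
Attack was from IP=10.9.8.7
ERROR: Invalid password length 600
you're machine may be under attack by a user exploiting an old bug
Attack was from IP=192.0.2.44
"""

LENGTH_RE = re.compile(r"ERROR: Invalid password length (\d+)")
IP_RE = re.compile(r"Attack was from IP=(\d{1,3}(?:\.\d{1,3}){3})")


def find_attack_attempts(log_text):
    """Return a list of (password_length, source_ip) tuples, one per attempt.

    The message is matched as a unit: a length line followed, within the next
    few lines, by the IP line. A length line with no IP line is still reported
    (source_ip None) so that a truncated or interleaved log does not hide it.
    """
    lines = log_text.splitlines()
    attempts = []
    i = 0
    while i < len(lines):
        m = LENGTH_RE.search(lines[i])
        if not m:
            i += 1
            continue
        length, ip = int(m.group(1)), None
        for j in range(i + 1, min(i + 4, len(lines))):  # look ahead for IP line
            ipm = IP_RE.search(lines[j])
            if ipm:
                ip, i = ipm.group(1), j
                break
        attempts.append((length, ip))
        i += 1
    return attempts


def attempts_by_source(log_text):
    """Count logged attempts per source IP, for the follow-up the alert asks for."""
    return Counter(ip for _, ip in find_attack_attempts(log_text) if ip)


if __name__ == "__main__":
    for length, ip in find_attack_attempts(SAMPLE_LOG):
        print(f"attempt: password length {length} from {ip}")
    print(dict(attempts_by_source(SAMPLE_LOG)))
```

Run it against the real log file (`open(path).read()`) in place of SAMPLE_LOG; a non-empty result after upgrading to 1.9.17p2 means the machine was being probed and the rest of the advisory's compromise checklist applies.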