xorl %eax, %eax

CVE-2009-0022: Root Filesystem Security Bypass


First of all, this is not a critical vulnerability, since it does not affect default installations of the SAMBA server. This design bug was reported by Gunter Höckel and disclosed on 18 December 2008. The final patch was committed by Karolin Seeger of the SAMBA project. The issue affects versions 3.2.0 to 3.2.6 that have the “registry shares” option set. SAMBA registry shares is a new feature (introduced in the 3.2.0 release) which allows the server to use a configuration stored in a registry. To enable it, the following options must be set:

registry shares = yes
include = registry
config backend = registry

A quick look at source/smbd/service.c reveals the vulnerability. The following code snippets are taken from the 3.2.6 release of the SAMBA project. Here is the vulnerable function:

static int load_registry_service(const char *servicename)
{
        struct registry_key *key;
        char *path;
        WERROR err;

As its name implies, this routine is used to load a registry service for the given service name. If the registry options above are not set, it simply returns -1 right here:

        if (!lp_registry_shares()) {
                return -1;
        }

The logic used in this function is:

    strequal(servicename, GLOBAL_NAME);
    asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename);
    reg_open_path(NULL, path, REG_KEY_READ, get_root_nt_token(), &key);
    lp_add_service(servicename, -1);

However, if the user-controlled servicename argument is NULL, the function first compares it against GLOBAL_NAME using strequal(), and then builds the path handed to the authenticated user with asprintf(). That path of course only contains the server name (the first argument), and thus points at the root directory! A valid share would be //my.samba.server.com/my_share/, but here a user authenticated for access to that share alone can reach the root directory, //my.samba.server.com/, simply by providing a NULL service name. This vulnerability was classified as “low impact – not critical”, since the attacker needs an unprivileged user account to perform the attack and, in addition, SAMBA is not vulnerable in its default setup. The fix is straightforward: just check for NULL requests:

+    if ((servicename == NULL) || (*servicename == '')) {
+        return -1;
+    }
     if (strequal(servicename, GLOBAL_NAME)) {
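Review bot: `(*servicename == '')` on the first added line is an empty character constant, which C does not allow (compilers reject it with "empty character constant"), so the empty-name half of the new check cannot compile as shown; the intended test for an empty string is `*servicename == '\0'`. The ordering of the two conditions is right: the NULL test comes first, so the dereference never runs on a NULL pointer.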

The exploitation (security bypass) of this bug is extremely trivial using the tools provided by the SAMBA project. As shown in the official advisory, a simple request such as:

smbclient //server/ -U user%pass

can give you access to the root filesystem of ‘server’ if you have a valid user account for any other share and the server has registry shares enabled.
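To make the fix concrete, here is an added example (my own code, not taken from the SAMBA source) that rebuilds the registry key path the way load_registry_service() does, with the NULL-or-empty check from the patch placed before the path is ever formatted. The constant values, the helper names and the decision to reject GLOBAL_NAME as a share are assumptions made for this example; snprintf() stands in for asprintf() so the buffer handling is explicit.

```c
#include <stdio.h>
#include <string.h>

/* Constants named as in the smbd excerpt; the values are constructed for
 * this example and are not the ones used by Samba. */
#define KEY_SMBCONF "HKLM\\SOFTWARE\\Samba\\smbconf"
#define GLOBAL_NAME "global"

/* Hypothetical helper: build the registry key path for a share name into buf.
 * Returns 0 on success and -1 when the request must be refused.
 * The first test is the check added for CVE-2009-0022: a NULL or empty
 * service name is rejected before any path is built, so it can never
 * resolve to the share root. */
int registry_share_path(const char *servicename, char *buf, size_t buflen)
{
    if (servicename == NULL || *servicename == '\0') {
        return -1;
    }
    /* Assumed here: the [global] section is configuration, not a share. */
    if (strcmp(servicename, GLOBAL_NAME) == 0) {
        return -1;
    }
    int n = snprintf(buf, buflen, "%s\\%s", KEY_SMBCONF, servicename);
    if (n < 0 || (size_t)n >= buflen) {
        return -1;   /* formatting failed or the path would be truncated */
    }
    return 0;
}

/* Returns 1 if the share name passes the checks, 0 if it is refused. */
int share_name_accepted(const char *servicename)
{
    char buf[256];
    return registry_share_path(servicename, buf, sizeof buf) == 0;
}

/* Returns 1 if the name is accepted and its path equals expected. */
int share_path_equals(const char *servicename, const char *expected)
{
    char buf[256];
    if (registry_share_path(servicename, buf, sizeof buf) != 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: the NULL name from the advisory, an empty name,
     * the global section, and an ordinary share. */
    const char *names[] = { NULL, "", GLOBAL_NAME, "my_share" };
    char buf[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (registry_share_path(names[i], buf, sizeof buf) == 0) {
            printf("accepted: %s -> %s\n", names[i], buf);
        } else {
            printf("refused:  %s\n", names[i] ? names[i] : "(NULL)");
        }
    }
    return 0;
}
```

The order of the two conditions in registry_share_path() matters: the pointer is tested for NULL before it is dereferenced, which is the same ordering the official patch uses.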

Written by xorl

January 27, 2009 at 12:53

Posted in bugs
