From create@SECUREREALITY.COM.AU Sun Sep 10 23:50:53 2000
From: Secure Reality Advisories
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 11 Sep 2000 00:13:32 +1000
Subject: [BUGTRAQ] (SRADV00002) Remote root compromise through pam_smb and pam_ntdom

=================================================
Secure Reality Pty Ltd. Security Advisory #1 (SRADV00002)
http://www.securereality.com.au
=================================================

[Title]
Remote root compromise through pam_smb and pam_ntdom

[Released]
11/09/2000

[Vulnerable]
pam_smb - stable versions < 1.1.6, development versions unclear
pam_ntdom - versions < 0.24

[Overview]
pam_smb and pam_ntdom are pluggable authentication modules that allow authentication of usernames and passwords in PAM-compatible environments (most notably Solaris and Linux) against Windows and Samba. Both modules (ONLY in the versions listed above) contain remotely exploitable stack buffer overflows. This bug allows an attacker to execute arbitrary code as root.

[Impact]
Remote root compromise

[Detail]
pam_smb and pam_ntdom are used in heterogeneous environments to provide common authentication across Unix and Windows boxes. Both modules are distributed from their own home pages and from the Samba FTP site and its mirrors. It is reasonable to assume both modules are fairly widespread.

The bug itself is fairly trivial. pam_smb performs a strcpy of a user-controlled variable (the login name) into a stack variable of only 16 bytes. pam_ntdom is based on the code from pam_smb and thus inherits this problem (in the versions specified).
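The copy pattern described above, shown beside a bounded replacement that fails closed, as an added C illustration that is not code from pam_smb or pam_ntdom. The 16-byte buffer size is the one the advisory gives; the function names and sample login names are assumed.

```c
/* Added example, not code from pam_smb or pam_ntdom: the unbounded strcpy
 * of a login name into a 16-byte stack buffer (the advisory's description)
 * next to a length-checked copy. Function names are assumed. */
#include <stdio.h>
#include <string.h>

#define LOGIN_BUF 16   /* size of the stack buffer named in the advisory */

/* The flawed pattern: nothing checks that login (attacker-controlled, since
 * it is whatever is typed at the login prompt) fits. Any login of
 * LOGIN_BUF or more characters writes past the end of name[].
 * Kept only for contrast; never invoked. */
void copy_login_unbounded(const char *login)
{
    char name[LOGIN_BUF];
    strcpy(name, login);
    (void)name;
}

/* The fix: check the length first and refuse over-long names. Rejecting
 * beats silent truncation in an authentication module, because cutting a
 * name short could authenticate a different account than the one requested.
 * Returns 0 on success, -1 if login (with its NUL) does not fit in dstsz. */
int copy_login_bounded(char *dst, size_t dstsz, const char *login)
{
    const char *nul;

    if (dst == NULL || login == NULL || dstsz == 0)
        return -1;
    nul = memchr(login, '\0', dstsz);  /* never scans past dstsz bytes */
    if (nul == NULL)                   /* no NUL within the buffer size */
        return -1;
    memcpy(dst, login, (size_t)(nul - login) + 1);  /* copies the NUL too */
    return 0;
}

/* Does a login name fit the advisory's 16-byte buffer? 1 = yes, 0 = no. */
int login_fits(const char *login)
{
    char name[LOGIN_BUF];
    return copy_login_bounded(name, sizeof name, login) == 0;
}

int main(void)
{
    const char *ok = "alice";                    /* constructed sample */
    const char *too_long = "abcdefghijklmnop";   /* 16 chars, no room for NUL */
    printf("%s fits: %d\n", ok, login_fits(ok));
    printf("%s fits: %d\n", too_long, login_fits(too_long));
    return 0;
}
```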
[Fix]
Please upgrade to the latest version of all modules:

pam_smb stable 1.1.6 at ftp://ftp.samba.org/pub/samba/pam_smb/
pam_smb development 1.9.8 at ftp://ftp.samba.org/pub/samba/pam_smb/devel/
pam_ntdom 0.24 at http://cb1.com/~lkcl/pam-ntdom/

(As the pam_smb module was only updated recently, some Samba mirrors may not have the latest versions at this stage. Please note that the version of pam_ntdom on Samba mirrors (0.23) IS vulnerable; download the latest version from the URL listed above.)

[Credits]
Our thanks to Dave Airlie, author of pam_smb, for his assistance in quickly fixing this problem and cutting new versions of pam_smb.

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behaviour; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality does not accept responsibility for any damage or injury caused as a result of its use.