----------------------------------------------------------------------
** Report description **
----------------------------------------------------------------------

[Reference Number]
JVN#29529126

[Title]
- Cross-site request forgery vulnerability in Samba

[Reporter Related Information]
- Yoshihiro Ishikawa (LAC Co., Ltd.)

[Vulnerability Information]
- This vulnerability was found by the reporter
- Product Name: Samba
  Version: 3.5.3 (Source)
  Patch Level: CentOS 5.3 (Final) Latest Install Package
  Language: English
  Settings: Enable Samba Web Administration Tool (SWAT) in Samba. This is disabled by default.
  Web: http://samba.org/samba/
  Targeted version: http://samba.org/samba/ftp/stable/samba-3.5.3.tar.gz
- Description: Cross-site request forgery
- Session management for Samba SWAT is performed through basic authentication only.
- Reproduction Procedure:
  Host is 172.28.80.46
  1. Target user (root: administrator) accesses SWAT (http://172.28.80.46:901/).
     smbd/nmbd execution can be verified by transitioning to the STATUS screen.
  2. Lure the target user accessing SWAT to access a URL that sends requests containing a parameter that stops services (all_stop=) through the web or e-mail.
     http://172.28.80.46:901/status?refresh_interval=30&all_stop=
     Also, if the parameter is changed to smbd_stop/nmbd_stop/winbindd_stop, each respective daemon will be stopped.
  3. SWAT in Samba does not properly process the above request. As a result, requests to stop smbd/nmbd/winbind are executed and Samba services are stopped.
  For settings changes in Samba refer to the attached screenshots. .png files are images during the reproduction, .txt files are the request/response logs.

[Possible Impacts]
- Samba services may be stopped or settings may be changed in an unauthorized manner.
- In other words, any operation that can be performed through the SWAT management screen may be done.

[Possible Workarounds]
- Disable SWAT

[Proof-of-Concept Code]
- Refer to the above reproduction

[Other Information]
- None

[Report Validation and Comments from IPA]
- IPA verified this report using the below environment:

  Server
  ----------------
  OS: CentOS 5.4
  Target Software: The Samba Web Administration Tool (SWAT)
    * Contained in Samba 3.5.3
  IP Address: 192.168.26.128
  Settings:
    - Referring to the below, set up the Samba Web Administration Tool (SWAT)
      http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html
  ----------------
  Client
  ----------------
  OS: Microsoft Windows XP Professional SP3
  Web Browser: Firefox 3.6.3
  ----------------

  Reproduction Steps
  1. Access the below URL from the client web browser, and log in to the target software as root:
     ------------------------------------------------------
     http://192.168.26.128:901/
     ------------------------------------------------------
  2. Start services from the STATUS screen by pressing "Start all services".
  3. From the STATUS screen, verify that "smbd", "nmbd" and "winbindd" are all running.
  4. Access the below URL:
     ------------------------------------------------------
     http://192.168.26.128:901/status?refresh_interval=30&all_stop=
     ------------------------------------------------------
  5. Verify through the STATUS screen that "smbd", "nmbd" and "winbindd" are all stopped.

  As a result of the above verification, we have observed a cross-site request forgery vulnerability.

  Comments: As a result of cross-site request forgery, any operation that can be performed in the target software may be performed in an unauthorized manner.

[Comments from JPCERT/CC]
- None
--------------------------------------------------------------------------------------
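Added illustration (not Samba's code and not the content of the patchsets attached below): a model of why the reported GET request is acted on, next to the standard mitigation of accepting state changes only on POST with a token bound to the basic-auth user and the requested action. The function names, the HMAC token scheme and the in-process secret are assumptions of this example; the URL is the one from the IPA reproduction steps.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs

# Assumed: a per-process secret; a real server would keep it stable across
# the lifetime of the admin session so tokens embedded in forms stay valid.
SERVER_SECRET = secrets.token_bytes(32)

# Stop actions named in the report (SWAT status-page parameters).
STOP_ACTIONS = ("all_stop", "smbd_stop", "nmbd_stop", "winbindd_stop")


def xsrf_token(auth_user: str, action: str) -> str:
    """Token bound to the authenticated user and the specific action, so a
    token rendered into the 'stop smbd' form cannot authorise 'all_stop'."""
    msg = f"{auth_user}\0{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def handle_request_vulnerable(method: str, url: str, auth_user: str):
    """Models the reported behaviour: whatever the method, the presence of a
    stop parameter is enough, and the only 'session' is the browser's cached
    basic-auth credentials, which it attaches to a cross-site request too."""
    # keep_blank_values=True: 'all_stop=' has an empty value and would
    # otherwise be dropped, hiding exactly the parameter that matters.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in params:
        if name in STOP_ACTIONS:
            return ("executed", name)
    return ("ignored", None)


def handle_request_hardened(method: str, url: str, auth_user: str, form: dict):
    """State changes need POST plus a valid token; the query string is never
    consulted for actions, so a lured GET cannot stop anything."""
    if method != "POST":
        return ("rejected", "state change requires POST")
    action = form.get("action")
    if action not in STOP_ACTIONS:
        return ("ignored", None)
    expected = xsrf_token(auth_user, action)
    # Constant-time comparison; a missing token compares against "".
    if not hmac.compare_digest(form.get("xsrf", ""), expected):
        return ("rejected", "missing or invalid xsrf token")
    return ("executed", action)
```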
Updated assignee, component and summary. Will look into this one as well.
Can confirm, working on a fix. Set as a blocker.
Created attachment 6689: Patchset for master
Proposed patches for git master
Created attachment 6690: Patchset for 3.6
Patches for 3.6
Created attachment 6691: Patchset for 3.5
Patches for 3.5
Created attachment 6692: Patchset for 3.4
Patches for 3.4
Created attachment 6693: Patchset for 3.3
Patches for 3.3
Patches for 3.2 and 3.0 still need some work.
Created attachment 6697: Patchset for 3.2
Patches for 3.2
Created attachment 6698: Patchset for 3.0
Patches for 3.0
These fixes look good to me - however I am not a security expert - especially on web-based security. The patches will need to be also reviewed by the security teams of the Linux distributions. Re-assigning to Karolin so this task can proceed. Jeremy.
Patches have been pushed to v3-3-test, v3-4-test, v3-5-test and v3-6-test. Samba 3.3.16, 3.4.14 and 3.5.10 include these patches, Samba 3.6.0rc3 will also. Re-assigning to Kai to push them to the master branch.
Jeremy pushed them to master already, marking bug as fixed.