8290 – CSRF vulnerability in SWAT; CVE-2011-2522

Bug 8290 - CSRF vulnerability in SWAT; CVE-2011-2522

Summary: CSRF vulnerability in SWAT; CVE-2011-2522

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	SWAT (show other bugs)
Version:	3.6.0rc2
Hardware:	All All

Importance:	P5 regression
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-07-06 12:43 UTC by Kai Blin
Modified:	2012-03-16 23:55 UTC (History)
CC List:	9 users (show)

See Also:

Flags:	jra: review+

Attachments
Patchset for master (5.85 KB, application/octet-stream) 2011-07-12 18:43 UTC, Kai Blin	no flags	Details
Patchset for 3.6 (5.84 KB, application/octet-stream) 2011-07-12 18:44 UTC, Kai Blin	no flags	Details
Patchset for 3.5 (5.84 KB, application/octet-stream) 2011-07-12 18:44 UTC, Kai Blin	no flags	Details
Patchset for 3.4 (5.83 KB, application/octet-stream) 2011-07-12 18:44 UTC, Kai Blin	no flags	Details
Patchset for 3.3 (5.84 KB, application/octet-stream) 2011-07-12 18:45 UTC, Kai Blin	no flags	Details
Patchset for 3.2 (5.49 KB, application/octet-stream) 2011-07-12 21:59 UTC, Kai Blin	no flags	Details
Patchset for 3.0 (5.55 KB, application/octet-stream) 2011-07-12 22:00 UTC, Kai Blin	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kai Blin 2011-07-06 12:43:16 UTC

Comment 1 takayuki.uchiyama 2011-07-07 01:35:37 UTC

----------------------------------------------------------------------
** Report description **
----------------------------------------------------------------------
[Reference Number]
  JVN#29529126

[Title]
  - Cross-site request forgery vulnerability in Samba

[Reporter Related Information]
  - Yoshihiro Ishikawa (LAC Co., Ltd.)

[Vulnerability Information]
  - This vulnerability was found by the reporter
  - Product Name: Samba
    Version: 3.5.3 (Source)
    Patch Level: CentOS 5.3 (Final) Latest Install Package
    Language: English
    Settings: Enable Samba Web Administration Tool (SWAT) in Samba
              This is disabled by default.
    Web: http://samba.org/samba/
    Targeted version: http://samba.org/samba/ftp/stable/samba-3.5.3.tar.gz

  - Description:
     Cross-site request forgery
       - Session management for Samba SWAT performed through 
         basic authentication only.

  - Reproduction Procedure:
      Host is 172.28.80.46
      1. Target user (root: administrator) accesses SWAT 
         (http://172.28.80.46:901/)
         smdb/nmbd execution can be verified by transitioning
         to the STATUS screen
      
      2. Lure the target user accessing SWAT to access a URL 
         that sends requests containing a parameter that stops 
         services (all_stop=) through the web or e-mail.
         * ※http://172.28.80.46:901/status?refresh_interval=30&all_stop=
      
      Also if the paramete is changed to smbd_stop/nmdb_stop/winbindd_stop
      each respective daemon will be stopped.
      
      3. SWAT in Samba does not properly process the above request.
         As a result, requests to stop smbd/nmbd/winbind are executed
         and Samba services are stopped.
         
      For settings changes in Samba refer to the attached screenshots.
      .png files are images during the reproduction, .txt files are the
      request/response logs.

[Possible Impacts]
  - Samba services may be stopped or settings may be changed in an
    unauthorized manner.
    - In other words, any operation that can be performed through the
      SWAT management screen may be done.

[Possible Workarounds]
  - Disable SWAT

[Proof-of-Concept Code]
  - Refer to the above reproduction

[Other Information]
  - None

[Report Validation and Comments from IPA]
  - IPA verified this report using the below environment:
    
    
       Server
       ----------------
       OS:
         CentOS 5.4
       Target Software
         The Samba Web Administration Tool(SWAT)
         * Contained in Samba 3.5.3
       IP Address
         192.168.26.128
       Settings:
         ・Referring to the below set up the The Samba Web 
           Administration Tool(SWAT)
           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html
       ----------------
       
       Client
       ----------------
       OS:
         Microsoft Windows XP Professional SP3
       Web Browser:
         Firefox 3.6.3
       ----------------

       Reproduction Steps
       1. Access the below URL from the client web browser, and
          login to the target software as root:
          ------------------------------------------------------
          http://192.168.26.128:901/
          ------------------------------------------------------
       
       2. Start services from the STATUS screen by pressing the
          "Start all services"
       
       3. From the STATUS screen, verify that "smbd", "nmbd" and
          "winbindd" are all running.
       
       4. Access the below URL:
          ------------------------------------------------------
          http://192.168.26.128:901/status?refresh_interval=30&all_stop=
          ------------------------------------------------------
       
       5. Verify through the STATUS screen that "smbd", "nmbd" and
          "winbindd" are all stopped.
       
       As a result of the above verification, we have observed a
       cross-site request forgery vulnerability.
       
       Comments:
       As a result of cross-site request forgery, any operation that
       can be performed in the target software may be performed in an
       unauthorized manner.

[Comments from JPCERT/CC]
  - None
--------------------------------------------------------------------------------------

Comment 2 Kai Blin 2011-07-07 05:54:50 UTC

Updated assignee, component and summary. Will look into this one as well.

Comment 3 Kai Blin 2011-07-08 13:23:53 UTC

Can confirm, working on a fix. Set as a blocker.

Comment 4 Kai Blin 2011-07-12 18:43:30 UTC

Created attachment 6689 [details]
Patchset for master

Proposed patches for git master

Comment 5 Kai Blin 2011-07-12 18:44:00 UTC

Created attachment 6690 [details]
Patchset for 3.6

Patches for 3.6

Comment 6 Kai Blin 2011-07-12 18:44:26 UTC

Created attachment 6691 [details]
Patchset for 3.5

Patches for 3.5

Comment 7 Kai Blin 2011-07-12 18:44:52 UTC

Created attachment 6692 [details]
Patchset for 3.4

Patches for 3.4

Comment 8 Kai Blin 2011-07-12 18:45:19 UTC

Created attachment 6693 [details]
Patchset for 3.3

Patches for 3.3

Comment 9 Kai Blin 2011-07-12 18:45:36 UTC

Patches for 3.2 and 3.0 still need some work.

Comment 10 Kai Blin 2011-07-12 21:59:47 UTC

Created attachment 6697 [details]
Patchset for 3.2

Patches for 3.2

Comment 11 Kai Blin 2011-07-12 22:00:40 UTC

Created attachment 6698 [details]
Patchset for 3.0

Patches for 3.0

Comment 12 Jeremy Allison 2011-07-15 00:21:07 UTC

These fixes look good to me - however I am not a security expert - especially
on web-based security. The patches will need to be also reviewed by the
security Teams of the Linux distributions.

Re-assigning to Karolin so this task can proceed.

Jeremy.

Comment 13 Karolin Seeger 2011-07-26 19:20:40 UTC

Patches have been pushed to v3-3-test, v3-4-test, v3-5-test and v3-6-test.
Samba 3.3.16, 3.4.14 and 3.5.10 include these patches, Samba 3.6.0rc3 will also.

Re-assigning to Kai to push them to the master branch.

Comment 14 Kai Blin 2011-07-28 10:02:17 UTC

Jeremy pushed them to master already, marking bug as fixed.