Bug 8290 - CSRF vulnerability in SWAT; CVE-2011-2522
Product: Samba 3.6
Classification: Unclassified
Component: SWAT
Hardware/OS: All / All
Priority/Severity: P5 / regression
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-07-06 12:43 UTC by Kai Blin
Modified: 2012-03-16 23:55 UTC
See Also:
Flags: jra: review+

Attachments:
Patchset for master (5.85 KB, application/octet-stream), 2011-07-12 18:43 UTC, Kai Blin, no flags
Patchset for 3.6 (5.84 KB, application/octet-stream), 2011-07-12 18:44 UTC, Kai Blin, no flags
Patchset for 3.5 (5.84 KB, application/octet-stream), 2011-07-12 18:44 UTC, Kai Blin, no flags
Patchset for 3.4 (5.83 KB, application/octet-stream), 2011-07-12 18:44 UTC, Kai Blin, no flags
Patchset for 3.3 (5.84 KB, application/octet-stream), 2011-07-12 18:45 UTC, Kai Blin, no flags
Patchset for 3.2 (5.49 KB, application/octet-stream), 2011-07-12 21:59 UTC, Kai Blin, no flags
Patchset for 3.0 (5.55 KB, application/octet-stream), 2011-07-12 22:00 UTC, Kai Blin, no flags

Description Kai Blin 2011-07-06 12:43:16 UTC

Comment 1 takayuki.uchiyama 2011-07-07 01:35:37 UTC
** Report description **
[Reference Number]

  - Cross-site request forgery vulnerability in Samba

[Reporter Related Information]
  - Yoshihiro Ishikawa (LAC Co., Ltd.)

[Vulnerability Information]
  - This vulnerability was found by the reporter
  - Product Name: Samba
    Version: 3.5.3 (Source)
    Patch Level: CentOS 5.3 (Final) Latest Install Package
    Language: English
    Settings: Enable Samba Web Administration Tool (SWAT) in Samba
              This is disabled by default.
    Web: http://samba.org/samba/
    Targeted version: http://samba.org/samba/ftp/stable/samba-3.5.3.tar.gz

  - Description:
     Cross-site request forgery
       - Session management for Samba SWAT is performed through
         basic authentication only.

  - Reproduction Procedure:
      Host is
      1. Target user (root: administrator) accesses SWAT.
         smbd/nmbd execution can be verified by transitioning
         to the STATUS screen.
      2. Lure the target user accessing SWAT to access a URL
         that sends requests containing a parameter that stops
         services (all_stop=) through the web or e-mail.
         Note: if the parameter is changed to smbd_stop/nmbd_stop/winbindd_stop,
         each respective daemon will be stopped.
      3. SWAT in Samba does not properly process the above request.
         As a result, requests to stop smbd/nmbd/winbind are executed
         and Samba services are stopped.
      For settings changes in Samba refer to the attached screenshots.
      .png files are images during the reproduction, .txt files are the
      request/response logs.

[Possible Impacts]
  - Samba services may be stopped or settings may be changed in an
    unauthorized manner.
    - In other words, any operation that can be performed through the
      SWAT management screen may be done.

[Possible Workarounds]
  - Disable SWAT

[Proof-of-Concept Code]
  - Refer to the above reproduction

[Other Information]
  - None

[Report Validation and Comments from IPA]
  - IPA verified this report using the below environment:
         CentOS 5.4
       Target Software
         The Samba Web Administration Tool (SWAT)
         * Contained in Samba 3.5.3
       IP Address
         - Referring to the below, set up the Samba Web
           Administration Tool (SWAT)
         Microsoft Windows XP Professional SP3
       Web Browser:
         Firefox 3.6.3

       Reproduction Steps
       1. Access the below URL from the client web browser, and
          log in to the target software as root:

       2. Start services from the STATUS screen by pressing the
          "Start all services" button.
       3. From the STATUS screen, verify that "smbd", "nmbd" and
          "winbindd" are all running.
       4. Access the below URL:

       5. Verify through the STATUS screen that "smbd", "nmbd" and
          "winbindd" are all stopped.
       As a result of the above verification, we have observed a
       cross-site request forgery vulnerability.
       As a result of cross-site request forgery, any operation that
       can be performed in the target software may be performed in an
       unauthorized manner.

[Comments from JPCERT/CC]
  - None
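The report above pins the cause on session management being Basic authentication only: once the administrator has logged in, the browser re-attaches the credentials to any request to SWAT, including one a third-party page triggers, so the stop parameters are accepted as if the administrator had submitted the form. The following is an added example (not Samba's code and not the patchsets attached to this bug) of the defence a CGI-style admin tool can layer on top of authentication: state-changing actions only on POST, and only with a per-user synchronizer token the application itself issued when it rendered the form. The credential store, headers and handler names are constructed for the example; only the parameter names all_stop, smbd_stop, nmbd_stop and winbindd_stop come from the report.

```python
# Added example, not Samba's code: why Basic-auth-only session handling is
# CSRF-prone, and how a synchronizer token bound to the authenticated user
# closes the hole. All names, credentials and headers below are constructed.
import base64
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential store standing in for the admin tool's password check.
USERS = {"root": "constructed-password"}

# The parameter names come from the report; the handler treats each one as a
# state-changing action.
STOP_PARAMS = ("all_stop", "smbd_stop", "nmbd_stop", "winbindd_stop")

# Header a browser attaches automatically to every request once the user has
# logged in with Basic auth (constructed credentials).
ROOT_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"root:constructed-password").decode(),
}


def basic_auth_user(headers: Dict[str, str]) -> Optional[str]:
    """Return the user named by a valid Basic Authorization header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def requested_action(params: Dict[str, str]) -> Optional[str]:
    """First stop-style parameter present in the request, if any."""
    for name in STOP_PARAMS:
        if name in params:
            return name
    return None


def vulnerable_handle(method: str, headers: Dict[str, str], params: Dict[str, str]) -> str:
    """Basic auth is the only check: any request carrying the cached
    credentials, including a GET a third-party page caused the browser to
    send, is accepted and the action runs."""
    if basic_auth_user(headers) is None:
        return "401 unauthorized"
    action = requested_action(params)
    return f"200 executed {action}" if action else "200 ok"


class TokenStore:
    """Per-user synchronizer tokens, issued when the admin form is rendered."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        # Embedded as a hidden field in the form served to this user. A page
        # on another origin cannot read it, so it cannot reproduce the submission.
        token = secrets.token_hex(16)
        self._tokens[user] = token
        return token

    def valid(self, user: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(user)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected.encode(), presented.encode())


def hardened_handle(method: str, headers: Dict[str, str], params: Dict[str, str],
                    store: TokenStore) -> str:
    """Same authentication, plus: state changes only on POST and only with the
    token issued to this authenticated user."""
    user = basic_auth_user(headers)
    if user is None:
        return "401 unauthorized"
    action = requested_action(params)
    if action is None:
        return "200 ok"  # read-only pages such as STATUS stay reachable by GET
    if method != "POST":
        return "405 state change requires POST"
    if not store.valid(user, params.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 executed {action}"


if __name__ == "__main__":
    store = TokenStore()
    forged = {"all_stop": ""}  # what a lured browser sends, per the report
    print("vulnerable:", vulnerable_handle("GET", ROOT_HEADERS, forged))
    print("hardened, forged GET:", hardened_handle("GET", ROOT_HEADERS, forged, store))
    print("hardened, forged POST:", hardened_handle("POST", ROOT_HEADERS, forged, store))
    genuine = {"all_stop": "", "csrf_token": store.issue("root")}
    print("hardened, genuine form:", hardened_handle("POST", ROOT_HEADERS, genuine, store))
```

The token is keyed by the authenticated user rather than stored globally, so a token issued to one administrator cannot authorise an action on behalf of another, and the comparison uses `hmac.compare_digest` so a wrong guess does not leak timing. Restricting state changes to POST is not a defence on its own (a cross-site form can POST), which is why the token check remains the decisive step.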
Comment 2 Kai Blin 2011-07-07 05:54:50 UTC
Updated assignee, component and summary. Will look into this one as well.
Comment 3 Kai Blin 2011-07-08 13:23:53 UTC
Can confirm, working on a fix. Set as a blocker.
Comment 4 Kai Blin 2011-07-12 18:43:30 UTC
Created attachment 6689
Patchset for master

Proposed patches for git master
Comment 5 Kai Blin 2011-07-12 18:44:00 UTC
Created attachment 6690
Patchset for 3.6

Patches for 3.6
Comment 6 Kai Blin 2011-07-12 18:44:26 UTC
Created attachment 6691
Patchset for 3.5

Patches for 3.5
Comment 7 Kai Blin 2011-07-12 18:44:52 UTC
Created attachment 6692
Patchset for 3.4

Patches for 3.4
Comment 8 Kai Blin 2011-07-12 18:45:19 UTC
Created attachment 6693
Patchset for 3.3

Patches for 3.3
Comment 9 Kai Blin 2011-07-12 18:45:36 UTC
Patches for 3.2 and 3.0 still need some work.
Comment 10 Kai Blin 2011-07-12 21:59:47 UTC
Created attachment 6697
Patchset for 3.2

Patches for 3.2
Comment 11 Kai Blin 2011-07-12 22:00:40 UTC
Created attachment 6698
Patchset for 3.0

Patches for 3.0
Comment 12 Jeremy Allison 2011-07-15 00:21:07 UTC
These fixes look good to me - however I am not a security expert - especially
on web-based security. The patches will need to be also reviewed by the
security teams of the Linux distributions.

Re-assigning to Karolin so this task can proceed.

Comment 13 Karolin Seeger 2011-07-26 19:20:40 UTC
Patches have been pushed to v3-3-test, v3-4-test, v3-5-test and v3-6-test.
Samba 3.3.16, 3.4.14 and 3.5.10 include these patches, Samba 3.6.0rc3 will also.

Re-assigning to Kai to push them to the master branch.
Comment 14 Kai Blin 2011-07-28 10:02:17 UTC
Jeremy pushed them to master already, marking bug as fixed.