COMMAND
pam_smb and pam_ntdom
SYSTEMS AFFECTED
Linux & Solaris
PROBLEM
Following is based on a Secure Reality Advisories (SRADV00002).
pam_smb and pam_ntdom are pluggable authentication modules that
allow authentication of usernames and passwords in PAM compatible
environments (most notably Solaris and Linux) against Windows and
Samba.
Both modules (ONLY in versions as listed above) contain remotely
exploitable stack buffer overflows. This bug allows an attacker
to execute arbitrary code as root. This may lead to remote root
compromise.
pam_smb and pam_ntdom are used in heterogeneous environments to
provide common authentication across Unix and Windows boxes. Both
modules are distributed from their own home pages and from the Samba
FTP site and its mirrors, so it is reasonable to assume both modules
are fairly widespread.
The bug itself is fairly trivial. pam_smb performs a strcpy of a
user-controlled variable (the login name) into a stack buffer of
only 16 bytes, with no length check. pam_ntdom is based on the code
from pam_smb and thus inherits this problem (in the versions specified).
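The pattern described above, and the bounded copy that removes it, as an added example that is not code from pam_smb, pam_ntdom or the advisory. The buffer size (16 bytes) is the one the advisory states; the function names, the sample login names and the reject-rather-than-truncate policy are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>

/* Size of the stack buffer the advisory describes (16 bytes). */
#define LOGIN_BUF 16

/* The vulnerable pattern the advisory describes, shown for illustration
 * only and never called here:
 *
 *     char name[16];
 *     strcpy(name, user_supplied_login);   -- no length check at all
 *
 * Any login name of 16 or more characters writes past the end of `name`
 * and over whatever the compiler placed after it on the stack. */

/* Hardened form (assumed design, not the project's fix): copy the login
 * name into `dst` only if it fits, terminator included.
 * Returns 0 on success, -1 if any argument is invalid or the name is too
 * long. Nothing is written to `dst` on failure. */
int safe_copy_login(char *dst, size_t dstlen, const char *login)
{
    size_t n = 0;

    if (dst == NULL || login == NULL || dstlen == 0)
        return -1;

    /* Measure the name, but never scan further than the buffer can hold. */
    while (n < dstlen && login[n] != '\0')
        n++;

    /* No terminator found within dstlen bytes: the name would overflow. */
    if (n == dstlen)
        return -1;

    for (size_t i = 0; i <= n; i++)   /* copies the terminator too */
        dst[i] = login[i];
    return 0;
}

/* Decision helper using the advisory's 16-byte buffer: returns 1 if the
 * login name is accepted, 0 if it would have overflowed (or is NULL). */
int login_fits(const char *login)
{
    char name[LOGIN_BUF];
    return safe_copy_login(name, sizeof name, login) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary name, one over the limit. */
    const char *ok = "alice";
    const char *too_long = "averyveryverylongloginname";

    printf("%-28s -> %s\n", ok, login_fits(ok) ? "accepted" : "rejected");
    printf("%-28s -> %s\n", too_long, login_fits(too_long) ? "accepted" : "rejected");
    return 0;
}
```

The hardened copy rejects an over-long name instead of silently truncating it with strncpy: truncation would turn one login name into a different, shorter one before it reaches the domain controller, which is the wrong behaviour for an authentication module. The same length check also serves as a detection point: a login attempt that fails this check is an anomaly worth logging.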
Thanks to Dave Airlie, author of pam_smb, for his assistance in
quickly fixing this problem and cutting new versions of pam_smb.
SOLUTION
Please upgrade to the latest version of all modules:
- pam_smb stable 1.1.6 at ftp://ftp.samba.org/pub/samba/pam_smb/
- pam_smb development 1.9.8 at ftp://ftp.samba.org/pub/samba/pam_smb/devel/
- pam_ntdom 0.24 at http://cb1.com/~lkcl/pam-ntdom/
As the pam_smb module was only updated recently, some Samba
mirrors may not have the latest versions at this stage. Please
note that the version of pam_ntdom on Samba mirrors (0.23) IS
vulnerable; download the latest version from the URL listed above.
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/pam_smb-1.1.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/pam_smb-1.1.6-1cl.i386.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/libpam-smb_1.1.6-1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/libpam-smb_1.1.6-1.dsc
http://security.debian.org/dists/stable/updates/main/source/libpam-smb_1.1.6.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/libpam-smb_1.1.6-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libpam-smb_1.1.6-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libpam-smb_1.1.6-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libpam-smb_1.1.6-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libpam-smb_1.1.6-1_sparc.deb
Linux-Mandrake users who have installed this package on their
own are encouraged to upgrade to the latest versions available
(as shown above).
For SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/pam_smb-1.1.6-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/pam_smb-1.1.6-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/pam_smb-1.1.6-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/pam_smb-1.1.6-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/pam_smb-1.1.6-0.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/pam_smb-1.1.6-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/pam_smb-1.1.6-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/pam_smb-1.1.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/pam_smb-1.1.6-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/pam_smb-1.1.6-0.src.rpm