Title: Remote root compromise through pam_smb and pam_ntdom
Released by: Secure Reality
Date: 11th September 2000

Secure Reality Pty Ltd. Security Advisory #1 (SRADV00002)




Remote root compromise through pam_smb and pam_ntdom




pam_smb - stable versions < 1.1.6, development versions unclear

pam_ntdom - versions < 0.24


pam_smb and pam_ntdom are pluggable authentication modules that allow
authentication of usernames and passwords in PAM compatible environments
(most notably Solaris and Linux) against Windows and Samba.

Both modules (ONLY in versions as listed above) contain remotely exploitable
stack buffer overflows. This bug allows an attacker to execute arbitrary
code as root.


Remote root compromise


pam_smb and pam_ntdom are used in heterogeneous environments to provide
common authentication across Unix and Windows boxes. Both modules are
distributed from their own home pages and the Samba FTP site and mirrors. It
is reasonable to assume both modules are fairly widespread.

The bug itself is fairly trivial. pam_smb performs a strcpy of a
user-controlled variable (the login name) into a stack variable of only 16
bytes. pam_ntdom is based on the code from pam_smb and thus inherits this
problem (in the versions specified).
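
The pattern described above, as an added C example that is not taken from the pam_smb or pam_ntdom source: it places the unbounded copy beside a length-checked one. The function names, variable names and sample login names are hypothetical; only the 16-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* the advisory's figure for the stack variable */

/* Flawed pattern (hypothetical stand-in, not pam_smb source): strcpy
 * writes strlen(login) + 1 bytes however small the destination is. */
size_t name_len_unsafe(const char *login)
{
    char name[NAME_BUF];
    strcpy(name, login);   /* overruns name[] once login has 16+ chars */
    return strlen(name);
}

/* Hardened form: measure first, copy only if the name and its NUL fit.
 * Over-long names are rejected, not truncated, because a truncated
 * login name could match a different account. Returns 0 or -1. */
int name_copy_checked(char *dst, size_t dstsz, const char *login)
{
    size_t len = 0;
    if (dst == NULL || login == NULL || dstsz == 0)
        return -1;
    while (len < dstsz && login[len] != '\0')
        len++;
    if (len == dstsz)      /* no room left for the terminator */
        return -1;
    memcpy(dst, login, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed inputs: 15 chars fits, 16 chars does not. */
    const char *samples[] = { "alice", "fifteen_chars_x", "sixteen_chars_xx",
                              "a_login_name_far_longer_than_sixteen_bytes" };
    char name[NAME_BUF];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = name_copy_checked(name, sizeof name, samples[i]);
        printf("%-45s %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 16-character sample is the boundary case: it needs 17 bytes with its terminator, so a 16-byte buffer holds login names of at most 15 characters.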


Please upgrade to the latest version of all modules:

pam_smb stable 1.1.6 at http://ftp.samba.org/pub/samba/pam_smb/
pam_smb development 1.9.8 at http://ftp.samba.org/pub/samba/pam_smb/devel/
pam_ntdom 0.24 at http://cb1.com/~lkcl/pam-ntdom/

(As the pam_smb module was only updated recently, some Samba mirrors may
not have the latest versions at this stage. Please note the version of
pam_ntdom on Samba mirrors (0.23) IS vulnerable; download the latest version
from the URL listed above.)


Our thanks to Dave Airlie, author of pam_smb, for his assistance in quickly
fixing this problem and cutting new versions of pam_smb.


Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibility for any
damage or injury caused as a result of its use.

(C) 1999-2000 All rights reserved.