The branch, v3-6-stable has been updated
       via  91f4275 swat: Use additional nonce on XSRF protection
       via  7122594 swat: Use X-Frame-Options header to avoid clickjacking
       via  184d5ab WHATSNEW: Prepare release notes for Samba 3.6.12.
      from  5f8ab89 WHATSNEW: Start release notes for Samba 3.6.12.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable

- Log -----------------------------------------------------------------

commit 91f4275873ebeda8f57684f09df67162ae80515a
Author: Kai Blin <k...@samba.org>
Date:   Mon Jan 28 21:41:07 2013 +0100

    swat: Use additional nonce on XSRF protection

    If the user had a weak password on the root account of a machine running
    SWAT, there still was a chance of being targeted by an XSRF on a malicious
    web site targeting the SWAT setup. Use a random nonce stored in secrets.tdb
    to close this possible attack window.

    Thanks to Jann Horn for reporting this issue.

    Signed-off-by: Kai Blin <k...@samba.org>

    Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.

commit 71225948a249f079120282740fcc39fd6faa880e
Author: Kai Blin <k...@samba.org>
Date:   Fri Jan 18 23:11:07 2013 +0100

    swat: Use X-Frame-Options header to avoid clickjacking

    Jann Horn reported a potential clickjacking vulnerability in SWAT where
    the SWAT page could be embedded into an attacker's page using a frame or
    iframe and then used to trick the user to change Samba settings.

    Avoid this by telling the browser to refuse the frame embedding via the
    X-Frame-Options: DENY header.

    Signed-off-by: Kai Blin <k...@samba.org>

    Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.

commit 184d5ab26a553ca7ef3f529e90e4dd8c9aded75d
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jan 29 09:45:06 2013 +0100

    WHATSNEW: Prepare release notes for Samba 3.6.12.

    This is a Security Release in order to address CVE-2013-0213 (Clickjacking
    issue in SWAT) and CVE-2013-0214 (Potential XSRF in SWAT).

    Karolin

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |   35 ++++++++++++++++++++++++++++++-----
 source3/web/cgi.c        |   40 ++++++++++++++++++++++++++--------------
 source3/web/swat.c       |    5 ++++-
 source3/web/swat_proto.h |    1 +
 4 files changed, 61 insertions(+), 20 deletions(-)

Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2f414bc..8d058e3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,19 +1,44 @@ ============================== Release Notes for Samba 3.6.12 - March 18, 2013 + January 30, 2013 ============================== -This is is the latest stable release of Samba 3.6. - -Major enhancements in Samba 3.6.12 include: +This is a security release in order to address +CVE-2013-0213 (Clickjacking issue in SWAT) and +CVE-2013-0214 (Potential XSRF in SWAT). + +o CVE-2013-0213: + All current released versions of Samba are vulnerable to clickjacking in the + Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into + a malicious web page via a frame or iframe and then overlaid by other content, + an attacker could trick an administrator to potentially change Samba settings. + + In order to be vulnerable, SWAT must have been installed and enabled + either as a standalone server launched from inetd or xinetd, or as a + CGI plugin to Apache. If SWAT has not been installed or enabled (which + is the default install state for Samba) this advisory can be ignored. + +o CVE-2013-0214: + All current released versions of Samba are vulnerable to a cross-site + request forgery in the Samba Web Administration Tool (SWAT). By guessing a + user's password and then tricking a user who is authenticated with SWAT into + clicking a manipulated URL on a different web page, it is possible to manipulate + SWAT. + + In order to be vulnerable, the attacker needs to know the victim's password. + Additionally SWAT must have been installed and enabled either as a standalone + server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has + not been installed or enabled (which is the default install state for Samba) + this advisory can be ignored. -o Changes since 3.6.11: -------------------- -o Jeremy Allison <j...@samba.org> +o Kai Blin <k...@samba.org> + * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT. + * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT. 
###################################################################### diff --git a/source3/web/cgi.c b/source3/web/cgi.c index ef1b856..861bc84 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -48,6 +48,7 @@ static const char *baseurl; static char *pathinfo; static char *C_user; static char *C_pass; +static char *C_nonce; static bool inetd_server; static bool got_request; @@ -329,20 +330,7 @@ static void cgi_web_auth(void) C_user = SMB_STRDUP(user); if (!setuid(0)) { - C_pass = secrets_fetch_generic("root", "SWAT"); - if (C_pass == NULL) { - char *tmp_pass = NULL; - tmp_pass = generate_random_password(talloc_tos(), - 16, 16); - if (tmp_pass == NULL) { - printf("%sFailed to create random nonce for " - "SWAT session\n<br>%s\n", head, tail); - exit(0); - } - secrets_store_generic("root", "SWAT", tmp_pass); - C_pass = SMB_STRDUP(tmp_pass); - TALLOC_FREE(tmp_pass); - } + C_pass = SMB_STRDUP(cgi_nonce()); } setuid(pwd->pw_uid); if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) { 
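Review bot: in the cgi_web_auth() hunk, `C_pass = SMB_STRDUP(cgi_nonce());` copies a string that cgi_nonce() has already SMB_STRDUP()ed into the global C_nonce, so the same nonce now lives in two heap allocations (C_pass and C_nonce) that nothing frees; either assign the returned pointer directly or let cgi_nonce() return its stored copy without the caller duplicating it. A one-line comment at this call site would also help: after this change the "password" that C_pass carries for a web-server-authenticated root login is the secrets.tdb nonce itself, the same value get_xsrf_token() later mixes in as `nonce`, which is harmless for the token but makes the variable name misleading.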
@@ -459,6 +447,30 @@ char *cgi_user_pass(void) } /*************************************************************************** +return a ptr to the nonce + ***************************************************************************/ +char *cgi_nonce(void) +{ + const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n"; + const char *tail = "</BODY></HTML>\r\n"; + C_nonce = secrets_fetch_generic("root", "SWAT"); + if (C_nonce == NULL) { + char *tmp_pass = NULL; + tmp_pass = generate_random_password(talloc_tos(), + 16, 16); + if (tmp_pass == NULL) { + printf("%sFailed to create random nonce for " + "SWAT session\n<br>%s\n", head, tail); + exit(0); + } + secrets_store_generic("root", "SWAT", tmp_pass); + C_nonce = SMB_STRDUP(tmp_pass); + TALLOC_FREE(tmp_pass); + } + return(C_nonce); +} + +/*************************************************************************** handle a file download ***************************************************************************/ static void cgi_download(char *file) diff --git a/source3/web/swat.c b/source3/web/swat.c index 1f6eb6c..f8933d2 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass, MD5_CTX md5_ctx; uint8_t token[16]; int i; + char *nonce = cgi_nonce(); token_str[0] = '\0'; ZERO_STRUCT(md5_ctx); @@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass, if (pass != NULL) { MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass)); } + MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce)); MD5Final(token, &md5_ctx); @@ -266,7 +268,8 @@ static void print_header(void) if (!cgi_waspost()) { printf("Expires: 0\r\n"); } - printf("Content-type: text/html\r\n\r\n"); + printf("Content-type: text/html\r\n"); + printf("X-Frame-Options: DENY\r\n\r\n"); if (!include_html("include/header.html")) { printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n"); 
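Review bot: cgi_nonce() re-reads secrets.tdb and stores a fresh SMB_STRDUP() copy into C_nonce on every call, leaking the previous copy; since get_xsrf_token() now calls it for every token, add `if (C_nonce != NULL) return C_nonce;` at the top and fetch only once per process. The return value of `secrets_store_generic("root", "SWAT", tmp_pass);` is also ignored: if the store fails (for example when the SWAT process lacks the privileges to write secrets.tdb), the process silently continues with a value no other request will ever see, and every XSRF token check against a previously issued form fails with no diagnostic. Check the return value and report the failure the same way the allocation failure just above it is reported.

Review bot: in the get_xsrf_token() hunk the nonce is appended to an unkeyed MD5 over the plain concatenation of the visible fields (`pass`, then `nonce`) with no separators or length prefixes. Because the nonce is the last field and generate_random_password(talloc_tos(), 16, 16) fixes it at 16 characters the last boundary is unambiguous, but that property is an accident of ordering that the code does not state; add a comment that the nonce must stay the final field, or better, switch to an HMAC keyed by the nonce over length-prefixed fields, which also removes the need to feed the user's password into the digest at all.

Review bot: `X-Frame-Options: DENY` is emitted only from print_header(); the installation-error page that cgi_nonce() writes in this same patch uses its own `Content-Type: text/html\r\n\r\n` head string and therefore goes out without the header, and any other response path that bypasses print_header() will too. Route header emission through one function so an error path cannot drop the protection. Note also that the header is only effective in browsers that implement X-Frame-Options; clients that predate it still render SWAT inside a frame, so it is a mitigation for current browsers rather than a complete fix.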
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h index 424a3af..fe51b1f 100644 --- a/source3/web/swat_proto.h +++ b/source3/web/swat_proto.h @@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name); bool am_root(void); char *cgi_user_name(void); char *cgi_user_pass(void); +char *cgi_nonce(void); void cgi_setup(const char *rootdir, int auth_required); const char *cgi_baseurl(void); const char *cgi_pathinfo(void); -- Samba Shared Repository
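The two commits above describe why binding the XSRF token to a server-side nonce matters: before the patch the token is a digest over values an attacker who has guessed the password can reproduce, after it the attacker also needs the random value in secrets.tdb. The following is an added model of that scheme, not Samba's code. It mirrors the visible shape of get_xsrf_token() (MD5 over form name, issue time, user name, password, nonce) and cgi_nonce() (fetch, or generate and persist, under ("root", "SWAT")); the `SecretsStore` stand-in for secrets.tdb, the 300-second validity window, the field order before `pass`, the timestamp encoding and the HMAC variant are this example's own assumptions, not things the patch shows.

```python
"""Model of the SWAT XSRF token before and after the nonce fix (example, not Samba code)."""
import hashlib
import hmac
import secrets

XSRF_WINDOW = 300  # assumed validity window in seconds; not taken from the patch


class SecretsStore:
    """Stand-in for secrets.tdb keyed like secrets_fetch_generic(domain, name)."""

    def __init__(self):
        self._data = {}

    def fetch(self, domain, name):
        return self._data.get((domain, name))

    def store(self, domain, name, value):
        self._data[(domain, name)] = value


def cgi_nonce(store):
    """Mirror of cgi_nonce(): return the stored nonce, creating and persisting it on first use."""
    nonce = store.fetch("root", "SWAT")
    if nonce is None:
        nonce = secrets.token_hex(8)  # 16 printable chars, like generate_random_password(16, 16)
        store.store("root", "SWAT", nonce)
    return nonce


def _digest(formname, issued_at, username, password, nonce=None):
    """MD5 over concatenated fields, the shape get_xsrf_token() uses (order assumed)."""
    h = hashlib.md5()
    h.update(formname.encode())
    h.update(issued_at.to_bytes(8, "little"))
    h.update(username.encode())
    h.update(password.encode())
    if nonce is not None:
        h.update(nonce.encode())  # the patch appends the nonce after the password
    return h.hexdigest()


def token_before_fix(formname, issued_at, username, password):
    """Pre-patch token: depends only on values an attacker can know or guess."""
    return _digest(formname, issued_at, username, password)


def token_after_fix(formname, issued_at, username, password, nonce):
    """Post-patch token: same digest with the secrets.tdb nonce mixed in."""
    return _digest(formname, issued_at, username, password, nonce)


def token_hmac(formname, issued_at, username, nonce):
    """Hardened alternative (assumption, not in the patch): HMAC keyed by the nonce over
    length-prefixed fields, so the password never enters the token and fields cannot shift."""
    fields = (formname.encode(), issued_at.to_bytes(8, "little"), username.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(nonce.encode(), msg, hashlib.sha256).hexdigest()


def verify_token(submitted, formname, issued_at, now, username, password, nonce):
    """Server-side check: reject stale tokens, then compare in constant time."""
    if not 0 <= now - issued_at <= XSRF_WINDOW:
        return False
    expected = token_after_fix(formname, issued_at, username, password, nonce)
    return hmac.compare_digest(submitted, expected)


def demo():
    """Constructed scenario: the attacker has guessed the admin password but not the nonce."""
    store = SecretsStore()
    nonce = cgi_nonce(store)
    issued = 1359450000  # constructed issue timestamp
    user, password = "root", "guessable"

    legit_old = token_before_fix("globals", issued, user, password)
    forged_old = token_before_fix("globals", issued, user, password)  # attacker recomputes it

    legit_new = token_after_fix("globals", issued, user, password, nonce)
    forged_new = token_before_fix("globals", issued, user, password)  # attacker lacks the nonce

    return {
        "nonce_stable": cgi_nonce(store) == nonce,
        "old_forgeable": hmac.compare_digest(legit_old, forged_old),
        "new_forgeable": hmac.compare_digest(legit_new, forged_new),
        "valid_in_window": verify_token(legit_new, "globals", issued, issued + 120,
                                        user, password, nonce),
        "rejected_after_window": verify_token(legit_new, "globals", issued,
                                              issued + XSRF_WINDOW + 1, user, password, nonce),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`demo()` shows the property the commit message claims: with the same guessed password the pre-fix token is reproducible by the attacker and the post-fix token is not, while the server still accepts its own token inside the window and rejects it afterwards. `token_hmac` is the construction the review notes above argue for; it is not what the patch ships.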