A buffer overflow problem was reported in Samba-JP.

If Samba is configured with "--with-tdbsam", the init_sam_from_buffer() function
contains a buffer overflow vulnerability: the smb.conf logon templates (logon home,
logon drive, logon script, logon path) are strdup()'d and then expanded in place by
standard_sub_advanced(), so any %-macro expansion that grows the string overruns the
heap allocation.

In certain configurations, an ordinary user can trigger this vulnerability by changing their password.

Please examine this security problem and take the necessary measures.

Vulnerable versions:
2.2.3, 2.2.3a, 2.2.4, 2.2.5

-------------- CUT HERE ---------------------------
diff -uNr samba-2.2.5.orig/source/passdb/pdb_tdb.c samba-2.2.5/source/passdb/pdb_tdb.c
--- samba-2.2.5.orig/source/passdb/pdb_tdb.c    Fri May  3 10:03:27 2002
+++ samba-2.2.5/source/passdb/pdb_tdb.c Mon Jul  1 18:58:05 2002
@@ -81,6 +81,7 @@
        static uint8    *lm_pw_ptr, *nt_pw_ptr;
        uint32          len = 0;
        uint32          lmpwlen, ntpwlen, hourslen;
+       pstring         cvt_buf;
        BOOL ret = True;
        BOOL setflag;
        struct passwd *pw;
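Review bot: The new `cvt_buf` declaration carries no comment saying why a fixed-size scratch buffer is needed here, which is the entire point of this patch and the first thing a future "avoid stack buffers" cleanup would undo. Propose `/* scratch buffer: %-macro expansion must run in a pstring-sized buffer, not in the strdup()'d template, which is only as long as the unexpanded string */`. The actual size of pstring is not visible in this hunk, and the enclosing function (init_sam_from_buffer per the report) starts before it.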
@@ -160,9 +161,10 @@
        if (homedir) setflag = True;
        else {
                setflag = False;
-               homedir = strdup(lp_logon_home());
+               pstrcpy(cvt_buf, lp_logon_home());
+               standard_sub_advanced(-1, username, "", gid, cvt_buf);
+               homedir = strdup(cvt_buf);
                if(!homedir) { ret = False; goto done; }
-               standard_sub_advanced(-1, username, "", gid, homedir);
                DEBUG(5,("Home directory set back to %s\n", homedir));
        }
        pdb_set_homedir(sampass, homedir, setflag);
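Review bot: The copy is now bounded by pstrcpy(), but the expansion on the next line is only safe if standard_sub_advanced() itself limits its output to sizeof(pstring); that cannot be confirmed from this hunk, so it should be checked against its definition before relying on this patch as the complete fix. A template that does not fit is silently truncated rather than rejected, so the user ends up with a clipped home directory and nothing in the log; at minimum the template length is cheap to check, e.g. `if (strlen(lp_logon_home()) >= sizeof(cvt_buf)) DEBUG(0,("logon home template truncated\n"));`. The enclosing function and its `done:` cleanup lie outside this hunk.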
@@ -170,9 +172,10 @@
        if (dir_drive) setflag = True;
        else {
                setflag = False;
-               dir_drive = strdup(lp_logon_drive());
+               pstrcpy(cvt_buf, lp_logon_drive());
+               standard_sub_advanced(-1, username, "", gid, cvt_buf);
+               dir_drive = strdup(cvt_buf);
                if(!dir_drive) { ret = False; goto done; }
-               standard_sub_advanced(-1, username, "", gid, dir_drive);
                DEBUG(5,("Home directory set back to %s\n", dir_drive));
        }
        pdb_set_dir_drive(sampass, dir_drive, setflag);
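Review bot: The DEBUG line two lines above the end of the hunk still reads `Home directory set back to` although the value logged is dir_drive, and the same copy-paste message appears in the logon_script and profile_path stanzas below. That makes level-5 logs actively misleading when diagnosing which smb.conf template produced a bad value. Propose `DEBUG(5,("Logon drive set back to %s\n", dir_drive));`, with matching wording for the other two stanzas.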
@@ -180,9 +183,10 @@
        if (logon_script) setflag = True;
        else {
                setflag = False;
-               logon_script = strdup(lp_logon_script());
+               pstrcpy(cvt_buf, lp_logon_script());
+               standard_sub_advanced(-1, username, "", gid, cvt_buf);
+               logon_script = strdup(cvt_buf);
                if(!logon_script) { ret = False; goto done; }
-               standard_sub_advanced(-1, username, "", gid, logon_script);
                DEBUG(5,("Home directory set back to %s\n", logon_script));
        }
        pdb_set_logon_script(sampass, logon_script, setflag);
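Review bot: The three-line copy/expand/strdup sequence added here is the fourth verbatim copy in this function, so the bounded-expansion invariant the patch introduces lives in four places and any later change must be made four times. A static helper that owns the scratch buffer and returns the strdup()'d result keeps the fix in one place and shrinks each stanza to a single call plus the existing NULL check. The type of `gid` is not visible in the hunk (presumably gid_t); the enclosing function starts before this hunk.
```c
/* Expand the %-macros in an smb.conf logon template into a freshly
 * strdup()'d string.  Expansion runs in a pstring-sized scratch buffer so
 * it cannot outgrow the allocation; returns NULL if strdup() fails. */
static char *expand_logon_template(const char *template, const char *username, gid_t gid)
{
	pstring cvt_buf;

	pstrcpy(cvt_buf, template);
	standard_sub_advanced(-1, username, "", gid, cvt_buf);
	return strdup(cvt_buf);
}

/* … unchanged: earlier stanzas … */
		setflag = False;
		logon_script = expand_logon_template(lp_logon_script(), username, gid);
		if(!logon_script) { ret = False; goto done; }
/* … unchanged: DEBUG and pdb_set_logon_script … */
```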
@@ -190,9 +194,10 @@
        if (profile_path) setflag = True;
        else {
                setflag = False;
-               profile_path = strdup(lp_logon_path());
+               pstrcpy(cvt_buf, lp_logon_path());
+               standard_sub_advanced(-1, username, "", gid, cvt_buf);
+               profile_path = strdup(cvt_buf);
                if(!profile_path) { ret = False; goto done; }
-               standard_sub_advanced(-1, username, "", gid, profile_path);
                DEBUG(5,("Home directory set back to %s\n", profile_path));
        }
        pdb_set_profile_path(sampass, profile_path, setflag);
------------- END ------------


Regards,
Yasuma Takeda

