Web lists-archives.com

Re: [Samba] CVE-2008-4250?




On Mon, 2018-06-18 at 09:14 -0400, Leslie León via samba wrote:
> Good morning/day/night to all!
> 
> After moving all my infrastructure to Debian9, changed my ADDC from 
> Win2K12 to Samba4 scanning my network I found the following:
> 
> --------------------------------------------------------------------------------------------------------------------------------
> 
> koratsuki@happyharry:~$ nmap --script smb-vuln-ms08-067.nse -p445 
> smb-addc.tld
> 
> Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-18 08:14 CDT
> Nmap scan report for smb-addc.tld
> Host is up (0.00073s latency).
> 
> PORT    STATE SERVICE
> 445/tcp open  microsoft-ds
> 
> Host script results:
> > smb-vuln-ms08-067:
> >   VULNERABLE:
> >   Microsoft Windows system vulnerable to remote code execution (MS08-067)
> >     State: LIKELY VULNERABLE
> >     IDs:  CVE:CVE-2008-4250
> >           The Server service in Microsoft Windows 2000 SP4, XP SP2 and 
> 
> SP3, Server 2003 SP1 and SP2,
> >           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows 
> 
> remote attackers to execute arbitrary
> >           code via a crafted RPC request that triggers the overflow 
> 
> during path canonicalization.
> > 
> >     Disclosure date: 2008-10-23
> >     References:
> > https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
> > _ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
> 
> Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
> 
> --------------------------------------------------------------------------------------------------------------------------------
> 
> Now, I wonder... Why is happening that? That server is installed with 
> samba 4.8.2, lastest stable release, Debian 9.4, and the compile chain is:
> 
> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc 
> --localstatedir=/var --enable-debug --enable-selftest --cross-answers 
> --cross-execute --disable-cups --disable-iprint --sbindir=/usr/sbin 
> --mandir=/usr/share/man -j4 --enable-selftest --without-systemd
> 
> I´am doing something wrong or need more stuff in the smb.conf? The 
> smb.conf is using the default config... Can someone point me on the 
> right direction in order to fix this?

The implementation of the test in Nessus is incorrect.  

Here are the two (yes, for silly reasons) implementations in Samba:

WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
			      struct srvsvc_NetPathCompare *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}

/* 
  srvsvc_NetPathCompare 
*/
static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state
*dce_call, TALLOC_CTX *mem_ctx,
		       struct srvsvc_NetPathCompare *r)
{
	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}

As you can see from 
https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse

Any fault code is assumed to mean a vulnerable server, the RNG_ERROR
(yet another way to say not implemented) included.

Hopefully this is enough to assist you, if you need to assuage an
auditor then I suggest submitting a patch implementing it.

This won't be hard, the clue is in the implementation note:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116

<116>
Section 3.1.4.31: The server does a standard C string comparison on the
canonicalized path names and returns the result.

<117>
Section 3.1.4.31: No security restrictions are imposed by Windows-based
server implementations on the caller.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba