Web lists-archives.com

Re: [Samba] CVE-2008-4250?




Thanks for the info.


Best regards :D
The implementation of the test in Nessus is incorrect.

Here are the two (yes, for silly reasons) implementations in Samba:

WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
			      struct srvsvc_NetPathCompare *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}

/*
   srvsvc_NetPathCompare
*/
static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state
*dce_call, TALLOC_CTX *mem_ctx,
		       struct srvsvc_NetPathCompare *r)
{
	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}

As you can see from
https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse

Any fault code is assumed to mean a vulnerable server, the RNG_ERROR
(yet another way to say not implemented) included.

Hopefully this is enough to assist you, if you need to assuage an
auditor then I suggest submitting a patch implementing it.

This won't be hard, the clue is in the implementation note:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116

<116>
Section 3.1.4.31: The server does a standard C string comparison on the
canonicalized path names and returns the result.

<117>
Section 3.1.4.31: No security restrictions are imposed by Windows-based
server implementations on the caller.

I hope this helps,

Andrew Bartlett

--
/************************************************
* Téc. Leslie León Sinclair
* Administrador de Redes - AzumatHB
* Another happy Slackware & Debian GNU/Linux user
* Blog: https://admlinux.cubava.cu
* Proud GNU/Linux User #445535
* ☎ +49-170-7683042
*************************************************/


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba