Vigil@nce - Samba: changing the owner of files via RPC LSA
May 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated user can take ownership of files of other users,
which are provided via Samba.
Severity: 2/4
Creation date: 02/05/2012
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Linux
– openSUSE
– Red Hat Enterprise Linux
– Samba
– SUSE Linux Enterprise Desktop
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The "net rpc rights" command is used to set privileges to a user:
– SePrintOperatorPrivilege : manage printers
– SeTakeOwnershipPrivilege : take ownership on files
– etc.
These privileges are stored in the account_policy.tdb database.
The source3/rpc_server/lsa/srv_lsa_nt.c file implements RPC for
LSA (Local Security Authority). However, the RPC CreateAccount,
OpenAccount, AddAccountRights and RemoveAccountRights do not check
if the user is allowed to alter the account_policy.tdb database.
An authenticated user can therefore take ownership of files of
other users, which are provided via Samba.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-changing-the-owner-of-files-via-RPC-LSA-11571