Samba LDAP Server Privilege Escalation
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.The Active Directory it supports, is a directory service used by Microsoft systems on Windows domain networks, in which Samba will provide user authentication services as the Active Directory Domain Controller (AC DC). To store the user privilege information, a object called nTSecurityDescriptor will be used.A vulnerability exists in Samba. As Samba has mistakenly allowed a nTSecurityDescriptor object with dangerous privilege, change Password extended right, to be assigned to the group "everyone" (SID S-1-1-0), which includs all authenticated users:
aces: struct security_ace // Security Access Control Element (DACL) type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5) flags : 0x00 (0) 0: SEC_ACE_FLAG_OBJECT_INHERIT 0: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0028 (40) access_mask : 0x00000100 (256) object : union security_ace_object_ctr(case 5) object: struct security_ace_object flags : 0x00000001 (1) 1: SEC_ACE_OBJECT_TYPE_PRESENT 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT type : union security_ace_object_type(case 1) type : ab721a53-1e2f-11d0-9819-00aa0040529b // GUID for Change Password Extended Right inherited_type : union security_ace_object_inherited_type(case 0) trustee : S-1-1-0 // SID = "Everyone", causing the vulnerability
An authenticated user could reset the password for arbitrary users, causing a remote privilege escalation. Because changing the password requires the old password, this vulnerability cannot be exploited by a unauthenticated user.
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13274: Samba LDAP Server Privilege Escalation