SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


Samba LDAP Server Privilege Escalation (Mar 31, 2018)



Description


Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

The Active Directory it supports, is a directory service used by Microsoft systems on Windows domain networks, in which Samba will provide user authentication services as the Active Directory Domain Controller (AC DC). To store the user privilege information, a object called nTSecurityDescriptor will be used.

A vulnerability exists in Samba. As Samba has mistakenly allowed a nTSecurityDescriptor object with dangerous privilege, change Password extended right, to be assigned to the group "everyone" (SID S-1-1-0), which includs all authenticated users:

 aces: struct security_ace // Security Access Control Element (DACL)
 type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
 flags : 0x00 (0)
 0: SEC_ACE_FLAG_OBJECT_INHERIT
 0: SEC_ACE_FLAG_CONTAINER_INHERIT
 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
 0: SEC_ACE_FLAG_INHERIT_ONLY
 0: SEC_ACE_FLAG_INHERITED_ACE
 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
 0: SEC_ACE_FLAG_FAILED_ACCESS
 size : 0x0028 (40)
 access_mask : 0x00000100 (256)
 object : union security_ace_object_ctr(case 5)
 object: struct security_ace_object
 flags : 0x00000001 (1)
 1: SEC_ACE_OBJECT_TYPE_PRESENT
 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
 type : union security_ace_object_type(case 1)
 type : ab721a53-1e2f-11d0-9819-00aa0040529b // GUID for Change Password Extended Right
 inherited_type : union security_ace_object_inherited_type(case 0)
 trustee : S-1-1-0 // SID = "Everyone", causing the vulnerability

An authenticated user could reset the password for arbitrary users, causing a remote privilege escalation. Because changing the password requires the old password, this vulnerability cannot be exploited by a unauthenticated user.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13274: Samba LDAP Server Privilege Escalation



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.15.5 | S2MSW06