BID:25636

Samba NSS_Info Plugin Local Privilege Escalation Vulnerability

Info

Samba NSS_Info Plugin Local Privilege Escalation Vulnerability

Bugtraq ID:	25636
Class:	Design Error
CVE:	CVE-2007-4138
Remote:	No
Local:	Yes
Published:	Sep 11 2007 12:00AM
Updated:	Dec 18 2007 08:05PM
Credit:	Rick King discovered this issue and reported it to the vendor.
Vulnerable:	Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 12.0 Slackware Linux 11.0 Samba Samba 3.0.25 c Samba Samba 3.0.25 b Samba Samba 3.0.25 a Samba Samba 3.0.25 rPath rPath Linux 1 Redhat Fedora Core7 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux AS 4 Redhat Enterprise Linux 5 Server Redhat Desktop 4.0 Avaya Messaging Storage Server MSS 3.0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server 3.1 Avaya Message Networking MN 3.1 Avaya Message Networking 3.1 Apple Mac OS X Server 10.5.1 Apple Mac OS X 10.5.1

Not Vulnerable:	Samba Samba 3.0.26

Discussion

Samba NSS_Info Plugin Local Privilege Escalation Vulnerability

Samba is prone to a local privilege-escalation vulnerability due to a logic error in the Winbind daemon.

An attacker can exploit this issue to gain 'groupid 0' privileges on UNIX computers running the vulnerable Samba software. This may aid them in further attacks.

Samba 3.0.25 through 3.0.25c are vulnerable to this issue.

Exploit / POC

Samba NSS_Info Plugin Local Privilege Escalation Vulnerability

Attackers do not require specific exploit code to trigger this vulnerability, but they may require exploit code to take advantage of gaining 'groupid 0' status in further attacks.

Solution / Fix

Samba NSS_Info Plugin Local Privilege Escalation Vulnerability

Solution:
The vendor has released fixes to address this issue. Please see the references for more information.

Apple Mac OS X Server 10.5.1