Samba LDAP Server Privilege Escalation
Description
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.The Active Directory it supports, is a directory service used by Microsoft systems on Windows domain networks, in which Samba will provide user authentication services as the Active Directory Domain Controller (AC DC). To store the user privilege information, a object called nTSecurityDescriptor will be used.A vulnerability exists in Samba. As Samba has mistakenly allowed a nTSecurityDescriptor object with dangerous privilege, change Password extended right, to be assigned to the group “everyone” (SID S-1-1-0), which includs all authenticated users:
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.The Active Directory it supports, is a directory service used by Microsoft systems on Windows domain networks, in which Samba will provide user authentication services as the Active Directory Domain Controller (AC DC). To store the user privilege information, a object called nTSecurityDescriptor will be used.A vulnerability exists in Samba. As Samba has mistakenly allowed a nTSecurityDescriptor object with dangerous privilege, change Password extended right, to be assigned to the group “everyone” (SID S-1-1-0), which includs all authenticated users:
aces: struct security_ace // Security Access Control Element (DACL) type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5) flags : 0x00 (0) 0: SEC_ACE_FLAG_OBJECT_INHERIT 0: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0028 (40) access_mask : 0x00000100 (256) object : union security_ace_object_ctr(case 5) object: struct security_ace_object flags : 0x00000001 (1) 1: SEC_ACE_OBJECT_TYPE_PRESENT 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT type : union security_ace_object_type(case 1) type : ab721a53-1e2f-11d0-9819-00aa0040529b // GUID for Change Password Extended Right inherited_type : union security_ace_object_inherited_type(case 0) trustee : S-1-1-0 // SID = "Everyone", causing the vulnerability
An authenticated user could reset the password for arbitrary users, causing a remote privilege escalation. Because changing the password requires the old password, this vulnerability cannot be exploited by a unauthenticated user.
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13274: Samba LDAP Server Privilege Escalation
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
