Looks new. ETERNALBLUE was a buffer overflow, and not in Samba. This is Samba not restricting access to certain named pipes...the "IPC$ share" that can spawn processes.
from what i gather they pass the pipename into smb_probe_module which ends up calling dlopen
status = smb_probe_module("rpc", pipename);
my guess is you can either pass in a pipename starting with / which will cause it to be treated absolutely or ../../ which will cause dlopen to do a relative lookup
its a logic bug. they have some magic that loads modules at runtime based on a string a user supplies. but it doesn't take into account a user might be able to pass in / (i'm thinking absolute is probably not possible) or ../ which causes the module resolution to be done differently.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem. That's what the fix now does.
A memory safe language would not have saved us here.
13 comments
[ 3.8 ms ] story [ 42.6 ms ] threadThe fix disallows open on pipes with a name that starts with / : https://github.com/samba-team/samba/commit/02a76d86db0cbe79f...
Debian: https://security-tracker.debian.org/tracker/CVE-2017-7494
Ubuntu: https://www.ubuntu.com/usn/usn-3296-1/
Red Hat: https://access.redhat.com/security/cve/CVE-2017-7494
Thanks to OP for highlighting this
Looks like a design issue and not an overflow or something.
(1). Load a shared library module and execute it.
This has many uses inside Samba.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem. That's what the fix now does.
A memory safe language would not have saved us here.