FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

samba -- nss_info plugin privilege escalation vulnerability

Affected packages
samba < 3.0.26a
*,1 < samba < 3.0.26a,1

Details

VuXML ID 2bc96f18-683f-11dc-82b6-02e0185f8d72
Discovery 2007-09-11
Entry 2007-09-21
Modified 2008-09-26

The Samba development team reports:

The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf option to either "sfu" or "rfc2307".

Both the Windows "Identity Management for Unix" and "Services for Unix" MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user's Windows primary group. When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.

References

CVE Name CVE-2007-4138
URL http://www.samba.org/samba/security/CVE-2007-4138.html