Samba: Authenticated users can change other users' password (samba.org)
96 points by f2n 7 months ago | 13 comments



Good news: Only affects the AD / LDAP component. Bad news: That component is enabled by default. Good news: If you don't use Samba LDAP, an effective mitigation is to just disable the ldap service (search the fine article for "Disable LDAP").
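A small audit helper, added here as an example and not code from the thread or from Samba itself: it reads the `server services` parameter from an smb.conf and reports whether the DC's LDAP service is still enabled, so you can verify the "Disable LDAP" mitigation above is actually in effect. It assumes the default AD DC service list of smb.conf(5) and its `+`/`-` prefix semantics (relative add/remove against the default); the sample configs are constructed.

```python
import re

# Assumed default AD DC service list from smb.conf(5) 'server services'.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]


def global_parameter(smb_conf: str, name: str):
    """Return the value of parameter `name` in [global], or None if unset."""
    section, wanted = None, name.lower().replace(" ", "")
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower().replace(" ", "") == wanted:
            return value
    return None


def effective_services(smb_conf: str):
    """A bare list replaces the default; '+svc' / '-svc' entries add to or
    remove from the default list (assumed smb.conf(5) semantics)."""
    value = global_parameter(smb_conf, "server services")
    if value is None:
        return list(DEFAULT_SERVICES)
    tokens = value.replace(",", " ").split()
    if tokens and all(t[0] in "+-" for t in tokens):
        services = list(DEFAULT_SERVICES)
        for t in tokens:
            if t[0] == "-":
                services = [s for s in services if s != t[1:]]
            elif t[1:] not in services:
                services.append(t[1:])
        return services
    return tokens


def ldap_service_enabled(smb_conf: str) -> bool:
    return "ldap" in effective_services(smb_conf)


# Constructed sample configs: a default DC, and the same DC with LDAP removed.
DEFAULT_DC_CONF = "[global]\n  realm = AD.EXAMPLE.TEST\n" \
                  "  server role = active directory domain controller\n"
MITIGATED_CONF = DEFAULT_DC_CONF + "  server services = -ldap\n"
EXPLICIT_CONF = DEFAULT_DC_CONF + "  server services = s3fs, rpc, nbt, wrepl," \
                " cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns\n"
```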


Does synology use samba for SMB drives?


Only applies to a samba domain controller, so likely not relevant.


If so, for this to be exploited it would not only have to be running as an AD DC, but have LDAP exposed. Valid question.


Don't know why you're downvoted. It's a relevant question. Synology is using samba for their SMB drives, haven't found a description on how the DSM is affected.

We're using LDAP so we cannot turn that off.


This is pretty major and can go right in your exploiter's toolbag for privilege escalation scenarios.


Isn't changing someone else's password the most un-stealthy kind of exploit?


Not if you change a DC password or the KRBTGT password. Then you have full control of the domain.


This does not apply when the Samba server is a domain member instead of domain controller, right?


Correct.


Haven't used samba much; this is enlightening. Previously I had assumed it just used the same auth system (e.g. PAM) as the host. That would entail its own complications but would probably have prevented this bug.


It would not be possible to have an AD server using PAM, AD protocols need the NT hash.

Samba can only use PAM when plaintext passwords are used, which is not supported at all with AD (Samba as standalone requires you to store passwords in its own database). As an Active Directory server, passwords are stored in the directory with access provided by multiple protocols. This was an issue in the LDAP ACL verification.


LDAP always has the userPassword attribute which is fully compatible with Linux, you just have to change both at the same time (this is in fact what I did for one of my clients).



