CVE-2017-2619 regression breaks symlinks to directories

Bug #1701073 reported by Dave Kettmann on 2017-06-28
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Ubuntu)
High
Andreas Hasenack
Nominated for Artful by Andreas Hasenack
Xenial
High
Marc Deslauriers
Yakkety
High
Marc Deslauriers
Zesty
High
Marc Deslauriers

Bug Description

Found in current version in Xenial (4.3.11+dfsg-0ubuntu0.16.04.7). When share's path is '/', symlinks do not work properly from Windows client. Gives "Cannot Access" error.

To reproduce:

1. Install samba and related dependencies

apt install -y samba

2. Add a share at the end of the default file that uses '/' as the path:

[reproducer]
        comment = share
        browseable = no
        writeable = yes
        create mode = 0600
        directory mode = 0700
        path = /

3. Attempt to access a symlink somewhere within the path of the share with a Windows client.

4. Receive "Windows cannot access..." related error

CVE References

Dave Kettmann (dkettman) wrote :

Further investigation shows that these regressions seem to be related to this in the upstream source:

https://github.com/samba-team/samba/commits/v4-6-test/source3/smbd/dir.c

This is a series of 7 commits related to the above-referenced CVE in this file.

Dave Kettmann (dkettman) on 2017-06-28
Changed in samba (Ubuntu):
importance: Undecided → High
tags: added: xenial
Andreas Hasenack (ahasenack) wrote :

I didn't quite dive into this yet. Adding https://bugzilla.samba.org/show_bug.cgi?id=12721 which may also be related.

tags: added: server-next
Dave Kettmann (dkettman) wrote :

I have setup 4 reproducer VMs. All running the base OS and installed only required packages for Samba. Here are the results:

SMBClient Xenial Yakkety Zesty Artful
Link to root Y Y Y Y
Link to directory Y Y Y Y
Link to file N N N N

* On Link to file via smbclient, error given is:
NT_STATUS_ACCESS_DENIED opening remote file \opt\smb.conf

Windows Xenial Yakkety Zesty Artful
Link to root Y N N N
Link to directory N N N N
Link to file N N N N

* On Link to root on Windows, the “N” gives error “The directory name is invalid”

Version of Samba on each is:
Xenial 4.3.11+dfsg-0ubuntu0.16.04.7
Yakkety 4.4.5+dfsg-2ubuntu5.6
Zesty 4.5.8+dfsg-0ubuntu0.17.04.2
Artful 4.5.8+dfsg-2ubuntu3

Artful was daily iso downloaded from here on 6/28/2017:
http://cdimage.ubuntu.com/ubuntu-server/daily/current/artful-server-amd64.iso
MD5Sum: ad2f3ef5db99cf91a34903fa61a0c2f2

Adding update-regression until provde that it is not.
It is too late to stop the updates with that (~3 months) but still tagging correctly seems right.

@Marc - since you backported the CVE could you take a look?

@Dave - Could you share your testcase (I assume you have a script of some sort)

@Andreas - once Dave shared his test, do you think we could make a subset of the testcase into the dep8 tests you have started to add. Extending the md5sum checks with something like a symlink creation and path checks?

tags: added: update-regression
Dave Kettmann (dkettman) wrote :

Shell script attached to be run on fresh install of Xenial.

Powershell commands to test functionality below:

Set-Location \\smb-xenial\reproducer\opt\root
Get-ChildItem
Set-Location \\smb-xenial\reproducer\opt\opt
Get-ChildItem
Get-Content \\smb-xenial\reproducer\opt\smb.conf

The first location works, the last two do not. These were run on a Windows 7 desktop VM.

Andreas Hasenack (ahasenack) wrote :

Ok, checking out what's going on here.

Andreas Hasenack (ahasenack) wrote :

Note: if you use smbclient with -m SMB2, which is what windows7+ uses, you will see the same failure when doing "ls /opt/opt/*":

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*"
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
  . D 0 Fri Jun 30 18:51:00 2017
  .. D 0 Fri Jun 30 18:11:18 2017
  smb.conf N 1245 Fri Jun 30 18:50:58 2017
  root D 0 Fri Jun 30 18:11:18 2017
  opt D 0 Fri Jun 30 18:51:00 2017

  246776448 blocks of size 1024. 246351744 blocks available

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*" -m SMB2
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\opt\*
root@xenial-samba-symlink-1701073:~#

I'm still investigating, I'm not getting the exact errors described in the upstream samba bug. They hint that it may depend on the kernel version as well. I'll stop trying with lxd and use VMs because of that.

Andreas Hasenack (ahasenack) wrote :

Confirmed. The bug will happen wherever opening a symlink to a directory with O_DIRECTORY||O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~#

Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x 3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x 2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx 1 root root 1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~#

When using SMB1 (which is the default, so you get the same without specifying -m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b D 0 Fri Jun 30 19:20:37 2017

  30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is xenial too, so it's the right kernel. I'll double check with a VM, though.

Changed in samba (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
summary: - CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories
Dave Kettmann (dkettman) wrote :

@Andreas -- I found that symlinks to files are also broken, not just directories. Did you find this too? This was both linux and Windows, I would get an Access Denied error.

Andreas Hasenack (ahasenack) wrote :

Fix confirmed for artful, test packages here: ppa:ahasenack/samba-dir-symlink-1701073

Andreas Hasenack (ahasenack) wrote :

Here, let me update with a simple test case:

a) Add this share:
[tmp]
 path = /tmp
 wide links = no
 follow symlinks = yes
 browseable = yes
 read only = no
        guest ok = yes

b) run:
mkdir /tmp/target
ln -sf /tmp/target /tmp/symlink-to-target

c) failing test case:
smbclient //localhost/tmp -N -c "dir symlink-to-target/*" -m SMB2

I'll proceed with the SRU.

Andreas Hasenack (ahasenack) wrote :

I haven't seen an issue with symlinks to files.

Andreas Hasenack (ahasenack) wrote :

xenial is only affected if you use a newer kernel from hwe. For example:
- linux-image-4.4.0-83-generic: unaffected
- linux-image-4.8.0-58-generic: affected

Changed in samba (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Yakkety):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Zesty):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Xenial):
status: New → In Progress
Changed in samba (Ubuntu Yakkety):
status: New → In Progress
Changed in samba (Ubuntu Zesty):
status: New → In Progress
Changed in samba (Ubuntu Xenial):
importance: Undecided → High
Changed in samba (Ubuntu Yakkety):
importance: Undecided → High
Changed in samba (Ubuntu Zesty):
importance: Undecided → High
Changed in samba (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Xenial):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Yakkety):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Zesty):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Dariusz Gadomski (dgadomski) wrote :

Andreas, Marc - I think the case Dave described is not fully covered by the fix.

There is a config still failing: if the share is based at / (so all symlinks in the filesystem should be local to the share) with "wide links = no" no symlinks are accessible. According to my tests this affects both: file and directory symlinks).

Test case:
# server
[rootshare]
 path = /
 wide links = no
 follow symlinks = yes
 browseable = yes
 read only = no
 guest ok = yes

mkdir -p /tmp/test
ln -s /tmp/test /tmp/testlink

# client
smbclient -m smb3 //server/rootshare
cd /tmp/testlink
dir
NT_STATUS_ACCESS_DENIED listing \tmp\testlink\*

Andreas Hasenack (ahasenack) wrote :

@dgadomski confirmed. This might be a different bug. We should try with the latest samba (4.6.5) and if it continues happening there, file a bug upstream.

Andreas Hasenack (ahasenack) wrote :

I get the same access denied error with 4.6.5 packages, built with or without the patch for this particular regression (#12860 upstream) (my 4.6.5 artful test packages: ppa:ahasenack/samba-merge)

I think sharing the real root filesytem (/) is not a common scenario. I found one bug upstream related to sharing "/" and has been untouched by developers since late 2013.

Let's see if it was working in a previous version, then there would be a bigger incentive to have this fixed upstream.

Andreas Hasenack (ahasenack) wrote :

I filed https://bugzilla.samba.org/show_bug.cgi?id=12873 for this ACCESS_DENIED issue that happens when exporting the root filesystem ("/") and using symlinks, which is what the OP wanted fixed here but we ended up diving into https://bugzilla.samba.org/show_bug.cgi?id=12860, which is another valid regression. Maybe we should have another Ubuntu bug for #12873.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.9

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.9) trusty-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden> Tue, 04 Jul 2017 08:01:55 -0400

Changed in samba (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.8

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.8) xenial-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden> Tue, 04 Jul 2017 07:56:30 -0400

Changed in samba (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu5.7

---------------
samba (2:4.4.5+dfsg-2ubuntu5.7) yakkety-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden> Fri, 30 Jun 2017 17:02:20 -0300

Changed in samba (Ubuntu Yakkety):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.3

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.3) zesty-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden> Fri, 30 Jun 2017 17:02:20 -0300

Changed in samba (Ubuntu Zesty):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack) wrote :

Reopening the artful task, since the fix isn't there.

Changed in samba (Ubuntu):
status: Fix Released → Confirmed
assignee: Marc Deslauriers (mdeslaur) → Andreas Hasenack (ahasenack)
status: Confirmed → In Progress
Changed in samba (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: In Progress → Confirmed
Changed in samba (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.6.7+dfsg-1ubuntu1

---------------
samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1710281).
    - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
      symlinks to directories (LP: #1701073)
  * Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf;
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247

 -- Andreas Hasenack <email address hidden> Mon, 21 Aug 2017 17:27:08 -0300

Changed in samba (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.