The security problem could easily let an attacker compromise any Samba server connected to the Internet. The vulnerability is unrelated to the previous flaw, for which Samba released a patch on March 17.
"If it was related to Samba Team. "This has been in the code for seven or eight years.", we would have found it when we audited the code," said Jeremy Allison, co-author of Samba and a leader of the
The vulnerability, found by security firm Digital Defense, is already being used by online attackers to compromise vulnerable servers, the company warned in an advisory.
"Samba users are urged to check their Samba servers for compromise," the San Antonio, Texas-based company stated in the warning. "Samba and Digital Defense Inc. decided to release their advisories before all vendors had a chance to update their packages due to this vulnerability being actively exploited."
Digital Defense found the vulnerability because the security firm had been monitoring a file server as it was compromised. The company found the vulnerability that allowed the attacker to gain entry by reverse-engineering the network data.
Digital Defense verified that the Samba software that runs on major Linux distributions as well as FreeBSD and Sun Microsystems' Solaris operating system were affected. Operating system companies have already started to release their fixes.
However, a hiccup in Digital Defense's release of the advisory has added a twist to the situation that could make the threat more serious. While the company noted that some hackers obviously knew of the method by which the vulnerability could be exploited, it also made the apparent mistake of posting its own exploit onto its Web site.
The advisory has a link for a section of the Web site with security tools, one of which is a script written in the PERL programming language that quickly takes advantage of the security hole. Called "trans2root.pl," the script causes the compromised computer to return a root shell, which allows an attacker full access to the victim's computer.
Rick Fleming, chief technology officer for Digital Defense, said that someone picked the wrong advisory to post to the company's public Web site.
"We think it was inadvertent on our part," he said. "We are looking to remedy that situation. What we intended to release was only an advisory and not the exploit code."
Apparently, the company produces two copies of advisories: one for internal use and another for publication. The one that it sent out to the security community was apparently the former.
Samba's Allison said that's a major problem.
"I am grateful to them; we worked well together up until the release," he said. "I just wish they hadn't released the code the day of the announcement. If they had waited a week that would have been better."