Roger Zelazny's "Lord of Light" is my favourite Science Fiction/Fantasy novel. Don't read the blurb on the back (that will ruin it :-), just dive in and enjoy !
89 posts • joined 19 Oct 2008
> Could get messy.
Almost certainly not from these specific bugs. They are not easily exploitable (but never say never of course). If an SMB server is not patched there are much easier exploitable issues than these recent ones to choose from.
"REAL programmers do not NEED to do "garbage collection". They understand that for every 'malloc' or 'new', there must be a 'free' or 'delete'. And buffer sizes must be CHECKED. etc."
Samba uses the talloc library (invented locally) for this purpose. Check out https://talloc.samba.org/talloc/doc/html/index.html . It's a really nice piece of code which has stack/heap smashing protections etc. Lots of non-Samba code in Red Hat/Fedora also uses it.
Buffer overruns are harder, for much of SMB1/2/3 it's hard to auto-generate, as the protocol isn't defined in an interface definition language. Our DCE-RPC code is auto-generated and buffer overrun checked, as our IDL compiler (pidl) does this for us.
Unfortunately, due to C, these kinds of bugs will always be with us. All we can do is be eternally vigilant and review everything.
It states: "Samba's developers have detected exploits", that should be "Samba's developers have *NOT* detected exploits", because we haven't.
Never say never, but I can't see a way to exploit this (not that I'm an exploit expert). But better to fix than leave any possibility around.
NFS is a simpler protocol, but not necessarily higher performing. SMB1/2/3 has lots of tricks to improve performance and can quite easily saturate most ethernet links.
This ! C is notoriously difficult to get right. If I had to do Samba again from scratch I'd choose golang.
Oooh. Thanks ! I never thought of myself as young at 55, but I'll take the compliment, thanks :-).
Remember, the Linux Foundation is a USA 501(c)(6) non-profit, organizing on behalf of its members, *NOT* the Open Source or (heaven forbid) the Free Software community.
Anyone who is surprised at this simply hasn't been paying attention.
Other notable 501(c)(6) non-profits include the MPAA and the RIAA.
Now are you getting it ?
> lack of SMB2+ support. They're STILL insisting on SMB1 for network shares
> despite all the security concerns and they fact their support line is going to get
> hammered when MS drop it shortly and everyone updates their NAS boxes.
Not only that, I've contacted their support line and email and personally offered support and help to move them onto SMB2+ (they're using Steve French's Linux kernel client and Steve and I can certainly fix this for them). I got a "thanks" back, but no follow up.
This tells me they're probably trying to figure out how to orphan people who are running their own NAS boxes and force everyone onto shitty-quality streaming cloud music, for whatever reasons (probably trying to get a cut of that sweet rental revenue). If that happens I'm ditching my SONOS stuff on eBay - which will hurt, I've spent a *LOT* of money on them over the years and previously was a very happy customer until the abomination of their latest Android app update.
The latest app update makes the system virtually unusable from a UI/usability point of view (my wife has already given up on it).
We fixed this with the "badlock" patchset already. We also notified Microsoft about this issue at the same time, but it looks like the fix took a while to filter through the system.
I expected better from you Richard.
This code is based on Samba 4.6.x, which still has SMB1 as default for the *client* code only. The server code supports SMB2 of course and has since 3.6.x. The client code also supports SMB2 but the default was left at SMB1 for 4.6.x (which was released *before* WANNACRY) to keep all the regression tests working (which are run on every check-in to ensure code quality and protect against regressions).
For 4.7.x (now in rc1) - being released *post* WANNACRY there has been a large effort put in to fix this and ensure everything works out of the box with SMB2+ by default in the client libraries.
Samba has never been vulnerable to WANNACRY, this was a Microsoft-only implementation problem. Now we've had our fair share of our own horrible vulnerabilities of course (some of which I'm ashamed to say I caused), but associating WANNA-*anything* merely with SMB1 support is sloppy, amateurish journalism. Please check facts next time. It's not like my email address or contact details are a secret, is it?
Yes I am fully aware of these restrictions and the reasons for them, and Samba follows these in all of our internal library code. Plugins are only loaded from $SAMBA_INSTALL_BASE_DIR/lib/<subsystem_name>/plugin_name.so where <subsystem_name> is hard coded at compile time.
The bug occurred because this was connected to the RPC subsystem, which originally had a hard-coded list of acceptable plugin names (that's why the pre-3.5.0 code is not vulnerable), but this was relaxed for 3.5.0 and above - which was a big mistake. We will be correcting that in future releases, but due to the severity of the problem and immediacy of the threat we decided we had to go with the minimal secure patch for the CVE release.
> On the face of it, it looks like there might be deeper problems that are being fixed in the short term with a quick simple patch?
No, that's not the case. I did the forensics on this.
There are 2 subsystems involved here.
(1). Load a shared library module and execute it.
This has many uses inside Samba, plugin VFS libraries etc.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem. That's what the fix now does.
In the future more restrictions are planned (along with cmocka regression tests) to improve the code quality here.
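The sanitization step the post above describes, shown as an added illustration in C (hypothetical code written for this page, not Samba's own fix or API): the client-supplied service name is checked against a strict character allow-list before it is ever combined with the compile-time $SAMBA_INSTALL_BASE_DIR/lib/<subsystem_name>/ prefix, so any name carrying a path separator, a dot or whitespace is refused before a shared library lookup could happen. The function names, the 64-character limit and the sample names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical upper bound on a plugin/service name; not a Samba constant. */
#define PLUGIN_NAME_MAX 64

/*
 * Allow-list check on a client-supplied plugin (named pipe service) name.
 * Only [A-Za-z0-9_-] is accepted, so '/', '\\', '.', spaces and control
 * characters are all rejected. This is the "sanitization of the requesting
 * name" step the post describes, written from scratch for illustration.
 */
bool plugin_name_is_safe(const char *name)
{
    if (name == NULL) {
        return false;
    }
    size_t len = strlen(name);
    if (len == 0 || len > PLUGIN_NAME_MAX) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') {
            return false;
        }
    }
    return true;
}

/*
 * Build "<base_dir>/lib/<subsystem>/<name>.so" only from a validated name.
 * base_dir and subsystem are fixed at build/install time in the scheme the
 * post describes; only 'name' comes from the client. Returns false if the
 * name is rejected or the result would not fit in 'out'.
 */
bool build_plugin_path(const char *base_dir, const char *subsystem,
                       const char *name, char *out, size_t out_len)
{
    if (!plugin_name_is_safe(name)) {
        return false;
    }
    int n = snprintf(out, out_len, "%s/lib/%s/%s.so", base_dir, subsystem, name);
    return n >= 0 && (size_t)n < out_len;
}

int main(void)
{
    /* Constructed sample names: one well-formed, three that must be refused. */
    const char *samples[] = { "srvsvc", "../other", "/absolute/path", "with space" };
    char path[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        bool ok = build_plugin_path("/usr/local/samba", "rpc", samples[i],
                                    path, sizeof(path));
        printf("%-16s -> %s\n", samples[i], ok ? path : "rejected");
    }
    return 0;
}
```

The point of validating the bare name rather than the assembled path is that the prefix and subsystem directory never depend on client input at all; a hard-coded list of acceptable names, as the post says the pre-3.5.0 code had, is stricter still and can be layered on top of this check.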
Ahem. Samba4 implements an Active Directory Domain Controller quite nicely thanks. Amazon use it in their cloud provisioning for customers who don't want to pay Microsoft licensing fees.
As I like to say the Chinese don't understand open source/free software because it's communism and they just don't get it :-).
Please install and use this on all systems. Use it instead of "private browsing" mode.
I'm installing new computers for my family in the UK over Christmas. I'll be putting the link to the new browser prominently in the "programs" bar.
SONOS reads and indexes the music on my NAS. They've announced Amazon Echo integration for next year, so I'm eagerly waiting for that.
Being able to stagger, barely conscious, into the kitchen in the morning and croak "Alexa, play KQED" is *very* useful :-).
The problem with most of these music playing devices (mentioning no names) is that they really, *really* want you to stream your music from the cloud. Bugger that - I have a 24TB NAS with everything I want on it. Don't need to waste bandwidth on cloud streaming thanks very much.
Nope - free as in FSF (GPL etc. etc.). I'm not keen on *any* products using closed, proprietary protocols.
The Echo has a 'stop listening' button you can press, after which it stops listening for the wake-word. I guess you either trust Amazon on that or not. Personally I do trust that (but I also know how to run Wireshark to make sure it's not shipping anything off to the cloud when I've pressed it :-).
People are screwed, control-wise, as soon as they use closed proprietary products and protocols IMHO. That's why I use Thunderbird with Enigmail (GPG plugin) and set it to complain every time I have to send unencrypted mail.
As you can imagine, it complains a lot.
Free software products are the only way for people to regain control from corporations. Use and report bugs in them whenever you can !
Blimey ! You are Charlie Brooker and I claim my five pounds..
Disclosure - I'm a Google employee, but I have no experience with Google Home (haven't even seen a demo :-). I do have an Amazon Echo and bought one for my brother in the UK (which required some shenanigans to get the time zone right :-).
Always-on voice interfaces are game changers. I absolutely *love* the Echo, and will be interested to compare it with Google Home. For a geek like myself, it's like having the Star Trek computer in your house. For the cynics, it's like living in an episode of "Black Mirror" :-). Now the voice interfaces are getting good enough to converse you find that it is a completely natural way of making requests - something that the voice assistants on the phone never managed to do for me.
Personally I think the most successful device will be the one that makes an open platform for third-party developers to interface with easily. Watching how the other people in my house use the Echo is very illuminating. Make no mistake - these things are the PC / phone / tablet replacement for the non-geek person.
Now, where's my jetpack, hoverboard and flying car ? :-).
Add a spelling and grammar filter. Any posts that have bad Grammer or incorrect spelling are automatically rejected - *without telling the poster exactly what the error was* !
That way only people who know how to write coherently can comment. Maybe 'El Reg can do the same to this comment section.
There, problem solved ! Plus it would eliminate 99% of my posts, so that's a bonus..
Best comment on Brexit:
“If you’ve got money, you vote in,” she said, with a bracing certainty. “If you haven’t got money, you vote out.”
The people who voted Brexit don't care about you and your IT jobs. They voted to *punish* you for not sharing the wealth. I can't blame them. Doesn't really matter if it's your fault or not.
Trading Places quote from Eddie Murphy:
"the best way to hurt rich people is by turning them into poor people."
Looks like that's happening. To everyone.
At Sao Paulo Zoo:
It's rare I get a chance to bring this interview (from 2010) up, but this seems the perfect article :-).
When you connect from Mac finder/Windows \\IP-addr\name do you know if it's connecting using WebDAV or SMB ? Enquiring minds want to know...
(and if it is SMB, I might have to ping my friend at SanDisk to see if we can help make it work better and go faster :-). Sounds like a great product !
> Want to do a raid on that well known felon Mr Winston Kadogo?
Ah, someone else who remembers "Not the Nine o'clock news" :-).
Few of us left these days...
Fantastic article from Alexander Bokovoy on how this thing was found and fixed !
Best comment I've seen on Infosec "reporting". From Alexander Bokovoy:
"Overall reaction is exactly by throwing content out and concentrating on the messenger. To give you a level of incredible misunderstanding what the content is, here is a quote from 'threatpost.com', a site that is associated with Kaspersky Lab:
"As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services."
The end of the second sentence is all you need to know about infosec news reporting."
The "sniffing the traffic" bit isn't required. Just get the client to connect to you and bobs-yer-uncle ! :-).
You must be on the same network as the client connecting to the AD-DC, but you don't need to be able to sniff any traffic, just be able to spoof the client to connect to you instead of the correct DC.
It's the first protocol-level bug in DCE RPC I'm aware of, and Metze did an amazing job both finding it, working out the implications and creating the required fixes for this. Also many other engineers put in long
Not gonna comment on the "badlock" website, only that it wasn't a Samba Team activity.
> > "Sure no company would ever let her near the levers of power again?"
> You'd be surprised.
> Really, you would.
Yep. Once you reach the CXX level there are never any consequences for your actions. Google the ex-CEO of SGI who became a VP at Microsoft, then back to CEO here in the valley for a good example.
What people don't realize about the HBO "Silicon Valley" TV show is that they have to *tone down* the antics of the VC's and company management. No one would believe the truth here..
Nope - I have a lot of users who haven't forgotten that Samba4 == AD-DC. I fix bugs for them every day :-).
Nothing of what you posted addressed what I said in any way. I am pointing to direct copying of Linux kernel source code under GPLv2 into zfs-on-linux because the code inside the kernel was restricted to GPL-only modules and the ZFS developers wanted to use it. I know little about the NVidia drivers but I very much doubt their developers have been careless enough to do the same sort of thing.
Don't conflate the two issues. The zfs on Linux code is clearly not clean, and I'm amazed Canonical have tried to ignore these problems to sell to commercial customers. If I were a Canonical cloud customer I'd be calling them right now asking them what they hell they thought they were doing putting my business and my customers at legal risk.
Disclosure, I'm on the Board of Directors of Software Freedom Conservancy (SFC).
shows that the ZFS-on-Linux developers copied GPLv2 code from the Linux kernel into their zfs on linux source tree in order to avoid having to use an EXPORT_SYMBOL_GPL function that they needed.
They haven't been careful, or clean, in developing this. Details like this *matter*.
Everyone wants ZFS inside Linux. Doing a dirty, careless hack-job that plays fast and loose with the licenses isn't the right way to do this.
Conservancy is doing Canonical a favour by pointing out the folly in what they are doing here (IMHO of course).
> especially because Samba implementation of SMB is not so performant
Utter bollocks. Prove it, you anonymous troll. Samba can saturate 10GigE for both read and write, plus we're currently testing multi-channel SMB3 TCP for multiple NIC concurrent performance goodness. I hate 'nony-coward drive-by slagging off like this.
"Edit: wow Samba is an even bigger POS than I realized."
Easy to say - hard to write secure code. If you want to do the things that Samba needs to do on a computer system, you have to have the privileges needed to do so. That means root.
You do realize we continuously test with Coverity static analysis, Codenomicon protocol fuzzers, and work with Linux vendor security Teams to issue CERT alerts when vulnerabilities are found ? I'd hold up Samba security practices as best-in-class against any vendor, Open Source or proprietary.
(From a post I made to email@example.com):
Hmmm. Doesn't look real as far as I can see (the article is full of hyperbole).
It's got lots of phrases like:
"So, if we have an access to the key.."
"if we're able to steal those tickets and somehow insert them into our own system"
"It's just an account in domain controller database, so your obviously need access to DC or it's data."
So looks like a "if we can break the security then we've broken the security" article :-).
Forgot to address the comment about "Maybe they should have spent their efforts in making it scale better.."
I don't think you have any idea about how much effort we put into making Samba scale, to the point of counting instructions using cachegrind and modifying core algorithms to improve scalability. We have one Samba Team member (Volker) who does this to the point of obsessiveness. I love him for it :-).
Haven't you heard, the pendulum has swung back again, and being in user-space is the new, new hotness - again (see the other recent article on IP-in-userspace performance improvements :-).
for details. Apple are religious zealots about patenting software. Nothing we can do about that. All other vendors had no problems with it.
Here is the link for donations. Thanks !
No I haven't forgotten about the FSF. The FSF hasn't enforced the GPL on their copyrighted material for many years. Last time they did that was when Bradley Kuhn (who now works at Conservancy) worked there. Since he left they haven't done enforcement (are you seeing a pattern here ?).
Thanks for highlighting this (disclosure, I'm on the Conservancy Board of Directors).
Conservancy is the only organization doing GPL compliance work in the USA. Not only that, they do it in a reasonable and non-confrontational way:
But lots of corporations really don't like GPL compliance, to the extent of putting financial and political pressure on Conservancy for doing it at all. If we developers want the license enforced, we'll have to donate and fund it ourselves. Please help !
It takes care of all this for you.. Seriously, it's very nice for C code. Makes something as complex as Samba even possible.
You can be a murderous paedophile and the police and security services will move heaven and earth to protect you and keep you in parliament (especially if you have royal friends).
But publish "secret" information that embarrasses them and their rage and vindictiveness knows no bounds, as poor Julian will eventually find out.
As "terrorists and extortionists."
Utter shits, who find zero day exploits and refuse to disclose them to the creators of the software but sell them to others instead.
I can't be bothered to download their crap, can anyone tell me if they have contracts that explicitly prohibit licensees from disclosing the vulnerabilities to the actual authors of the software ? Other similar companies (let's hope you get hacked too, you disgraceful bastards) have such clauses. I remember knowing about a vulnerability because of one of these companies, but being unable to fix it for a while because of these contracts. We eventually figured it out.
As a Free Software author myself, this makes my blood boil.
AC wrote: "once that happens you will be stacking shelves..."
Hahahahaha ! Consequences for their actions ? Clearly you must live in a different silicon valley than I do.
Look up "Rick Belluzzo" for the perfect example of a Silicon Valley CEO. They make the banksters look honest :-).