Vulnerabilities > CVE-2006-1059 - Local Information Disclosure vulnerability in Samba Machine Trust Account

047910
CVSS 1.2 - LOW
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
local
high complexity
samba
nessus

Summary

The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trust account password in cleartext in log files, which allows local users to obtain the password and spoof the server in the domain.

Vulnerable Configurations

Part: Application | Description: Samba | Count: 4

Nessus

  • NASL family: Misc.
    NASL id: SAMBA_LOCAL_INFO_DISCLOSURE.NASL
    description: According to its version number, the remote Samba server is affected by a flaw that may allow a local attacker to get access to the passwords sent to the winbindd daemon if the debug level has been set to 5 or higher.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24684
    published: 2007-02-22
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24684
    title: Samba winbindd Debug Log Server Credentials Local Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Description-mode branch: when `description` is set, register the plugin's
    # metadata and exit, so the version check further down is not executed here.
    if (description)
    {
     script_id(24684);
     script_version("1.15");
     script_cvs_date("Date: 2018/11/15 20:50:24");
    
     script_cve_id("CVE-2006-1059");
     script_bugtraq_id(17314);
    
     script_name(english:"Samba winbindd Debug Log Server Credentials Local Disclosure");
     script_summary(english:"Checks the version of Samba");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote Samba server is vulnerable to a local information
    disclosure flaw.");
     # The finding is inferred from the reported version only. The debug-level
     # precondition named in the text is not tested by this plugin, and the
     # credential at stake under CVE-2006-1059 is the machine trust account
     # password written to the winbindd log.
     script_set_attribute(attribute:"description", value:
    "According to its version number, the remote Samba server is affected
    by a flaw that may allow a local attacker to get access to the
    passwords sent to the winbindd daemon if the debug level has been set
    to 5 or higher.");
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/429370/100/0/threaded");
     script_set_attribute(attribute:"see_also", value:"https://www.samba.org/samba/security/CVE-2006-1059.html");
     # NOTE(review): both options stop further logging of the secret, but
     # neither removes a password already written to existing log files.
     # Checking log permissions/retention and rotating the machine account
     # password look like sensible follow-ups; confirm against the advisory.
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba 3.0.22 or set the debug level to a value lower than
    5.");
     # CVSS v2 base: local access, high complexity, no authentication,
     # partial confidentiality impact, no integrity or availability impact.
     script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N");
     # CVSS v2 temporal: exploitability unproven, official fix, confirmed report.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/29");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/22");
    
     # Flagged as potential: the result rests on a version match, not on
     # evidence that a password was actually logged.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     # "remote" describes how the check is performed (version read over SMB);
     # the flaw itself needs local access, as the AV:L vector above states.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     # Older singular spelling of script_dependencies. Presumably
     # smb_nativelanman.nasl is what populates SMB/NativeLanManager; verify.
     script_dependencie("smb_nativelanman.nasl");
     # Both KB keys are required, so the plugin is skipped unless a LAN Manager
     # banner was collected and the paranoid-report key is present.
     script_require_keys("SMB/NativeLanManager", "Settings/ParanoidReport");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    # Version-only check, run only at paranoid reporting level. A match means
    # "banner is in the affected range"; the winbindd debug level and the log
    # file permissions that decide real exposure are not examined here.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    banner = get_kb_item("SMB/NativeLanManager");
    
    # Nothing to report unless the LAN Manager banner identifies Samba.
    if ("Samba" >!< banner) exit(0);
    
    # Affected banners: "Samba 3.0.21" and "Samba 3.0.21a" through "3.0.21c".
    # The `$` anchors require the banner to end right after the version, so a
    # banner carrying any further suffix does not match.
    if (!ereg(pattern:"Samba 3\.0\.21($|[a-c]$)", string:banner)) exit(0);
    
    # Report an informational note on the SMB transport port recorded in the KB.
    security_note(get_kb_item("SMB/transport"));
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-259.NASL
    description: --------------------------------------------------------------------- - Thu Mar 30 2006 Jay Fenlason <fenlason at redhat.com> 2.0.21c-1.fc5 - New upstream version, fixing bz#187170 CVE-2005-1059 Samba clear text password exposure - include gnutls-devel in BuildRequires Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (The "CVE-2005-1059" and "2.0.21c-1.fc5" values are as printed in the extracted changelog; the plugin itself is registered under CVE-2006-1059 and titled for samba-3.0.22-1.fc5.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21169
    published: 2006-04-03
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21169
    title: Fedora Core 5 : samba-3.0.22-1.fc5 (2006-259)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-259.
    #
    
    include("compat.inc");
    
    # Description-mode branch: when `description` is set, register the plugin's
    # metadata and exit, so the package check further down is not executed here.
    if (description)
    {
      script_id(21169);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2006-1059");
      script_xref(name:"FEDORA", value:"2006-259");
    
      script_name(english:"Fedora Core 5 : samba-3.0.22-1.fc5 (2006-259)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # The changelog text below is carried over from the advisory as-is. It
      # names "CVE-2005-1059" and "2.0.21c-1.fc5", whereas this plugin is
      # registered under CVE-2006-1059 and checks for 3.0.22-1.fc5 packages.
      # NOTE(review): these look like upstream typos; do not key searches or
      # correlation on the in-string values.
      script_set_attribute(
        attribute:"description", 
        value:
    "---------------------------------------------------------------------
    
      - Thu Mar 30 2006 Jay Fenlason <fenlason at redhat.com>
        2.0.21c-1.fc5
    
        - New upstream version, fixing bz#187170 CVE-2005-1059
          Samba clear text password exposure
    
      - include gnutls-devel in BuildRequires
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # Destination of the shortened link registered below:
      # https://lists.fedoraproject.org/pipermail/announce/2006-March/001962.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b6213f30"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base: local access, high complexity, no authentication,
      # partial confidentiality impact, no integrity or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N");
    
      # "local": the result comes from the host's own package list (see the
      # required KB keys below), not from a network banner.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # One CPE per package the check covers, plus the OS release.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:samba-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:samba-swat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Presumably ssh_get_info.nasl is what fills the Host/* keys required
      # below; verify against that plugin.
      script_dependencies("ssh_get_info.nasl");
      # Skipped unless local checks are enabled and a Red Hat-family release
      # string and rpm list have been recorded for the host.
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Local package check for Fedora Core 5: confirm the host is in scope, then
    # compare the installed samba packages against the 3.0.22-1.fc5 builds.
    # It reports package level only; whether a password was already written to
    # winbindd logs on the host is outside what this check can tell.
    
    # --- Preconditions: local checks on, Fedora release string present ---
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    
    # Pull the major release number out of the release string.
    ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = ver_match[1];
    
    # Only release 5 is covered ("5" followed by a non-digit or end of string).
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # --- Architecture gate: x86_64 or i386..i686 only ---
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$")) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # --- Package comparison ---
    # Every reference is checked, in this order, even after a hit.
    # rpm_check presumably flags an installed package older than the reference
    # and records it for the report; verify in rpm.inc.
    fixed_rpms = make_list(
      "samba-3.0.22-1.fc5",
      "samba-client-3.0.22-1.fc5",
      "samba-common-3.0.22-1.fc5",
      "samba-debuginfo-3.0.22-1.fc5",
      "samba-swat-3.0.22-1.fc5"
    );
    
    flag = 0;
    foreach fixed_rpm (fixed_rpms)
    {
      if (rpm_check(release:"FC5", reference:fixed_rpm)) flag++;
    }
    
    # --- Outcome ---
    if (!flag)
    {
      # No outdated package: record whether the packages were tested and found
      # unaffected, or were not installed at all.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-debuginfo / samba-swat");
    }
    else
    {
      # At least one outdated package: report on port 0, attaching the rpm
      # report when verbosity allows.
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_92FD40EBC45811DA9C7900123FFE8333.NASL
    description: Samba Security Advisory : The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding domain users and groups. The winbindd daemon writes the clear text of server […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21476
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21476
    title: FreeBSD : samba -- Exposure of machine account credentials in winbind log files (92fd40eb-c458-11da-9c79-00123ffe8333)