CVE-2010-0926

Published: 10 March 2010

The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

Notes

Author: mdeslaur
Note:
In a default samba configuration, both the unix extensions
and the wide links options are on by default.
Unix extensions gives extra capabilities to UNIX clients, including
symlink support. If a client connects and uses UNIX capabilities,
symlinks are sent as-is by the server and are handled by the client. If
the client doesn't support UNIX extensions, the server will resolve the
symlink and send the actual file it links to.
Wide links tells the samba server to follow symlinks even if they point
outside the shared directory.
The combination of these two parameters can be exploited in the following
way:
- Unix client creates a new symlink to /
- Windows client can then enter the directory pointed to by the symlink
as it is followed server-side and read any file from the server's
filesystem, if DAC permissions allow it.
There is no simple way to fix this issue without possibly breaking
existing configurations. Leaving it unfixed results in server admins
inadvertently sharing the whole server filesystem. Fixing it results
in breaking configurations where a samba share contains symlinks that
point outside of the shared directory.
The upstream patch changes samba behaviour in that the "wide links"
option will get disabled automatically if "UNIX permissions" is enabled.
A warning will be issued in the server's log file, which will help
diagnose the problem.
PoC: http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
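
An smb.conf audit for the option combination described in the note, as an added example (not Samba's or Ubuntu's code). The function names and the sample configuration are constructed for illustration, and the defaults are assumed to be those of an unpatched server as the note states them.

```python
# Added example: flag writable shares where unix extensions and wide links are both in effect.
TRUE = {"yes", "true", "on", "1"}
# Assumed effective defaults on an affected (unpatched) server, per the note above.
DEFAULTS = {"unixextensions": True, "widelinks": True, "readonly": True}
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}  # inverted forms of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased with whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = "".join(key.lower().split()), value.strip().lower()
            if key in WRITE_SYNONYMS:  # store under the canonical inverse parameter
                key, value = "readonly", ("no" if value in TRUE else "yes")
            current[key] = value
    return sections

def enabled(key, share, global_):
    """Share setting wins, then [global], then the assumed default."""
    value = share.get(key, global_.get(key))
    return DEFAULTS[key] if value is None else value in TRUE

def risky_shares(text):
    """Names of writable shares that follow wide links while unix extensions is on."""
    conf = parse_smb_conf(text)
    global_ = conf.get("global", {})
    if not enabled("unixextensions", {}, global_):
        return []
    return [name for name, share in conf.items()
            if name != "global"
            and enabled("widelinks", share, global_)
            and not enabled("readonly", share, global_)]

# Constructed sample configuration (share names and paths are hypothetical).
SAMPLE = """
[global]
   Unix Extensions = yes
[public]
   path = /srv/public
   writeable = yes
[docs]
   path = /srv/docs
   read only = yes
[scratch]
   path = /srv/scratch
   read only = no
   wide links = no
"""

if __name__ == "__main__":
    print(risky_shares(SAMPLE))
```

Setting `wide links = no` on a flagged share, or `unix extensions = no` in `[global]`, removes it from the result.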

Priority

Medium

Status

Package: samba (Launchpad, Ubuntu, Debian)

Release     Status
dapper      Released (3.0.22-1ubuntu3.11)
hardy       Released (3.0.28a-1ubuntu4.11)
intrepid    Released (2:3.2.3-1ubuntu3.8)
jaunty      Released (2:3.3.2-1ubuntu3.4)
karmic      Released (2:3.4.0-3ubuntu5.6)
upstream    Released (3.4.6)
Patches:
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=fac6d5212be3e7159896a9c67e15faa4a557c213
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=94865e4dbd3d721c9855aada8c55e02be8b3881e
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=5d92d969dda450cc3564dd2265d2b042d832c542
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9fc76f86fa2c60b81ec8afee515bb823a5cd616f
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9e64c33b7757dd4528a9c8d31d0c0c159a33daf8
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=16e73d88944ce644cccfa19a99338f5903c061f0
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=c1b05ae4febfba1a419eee0d04c3886de9f5fee0
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=ce04bf60499104c166657df959e4033573b5be5c