ubuntucve | Ubuntu.com | UB:CVE-2010-0926
History: Mar 10, 2010 - 12:00 a.m.

CVE-2010-0926


CVSS2: 3.5 Low

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.023 Low
Percentile: 89.5%

The default configuration of smbd in Samba before 3.3.11, 3.4.x before
3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows
remote authenticated users to leverage a directory traversal vulnerability,
and access arbitrary files, by using the symlink command in smbclient to
create a symlink containing .. (dot dot) sequences, related to the
combination of the unix extensions and wide links options.

Notes

Author: mdeslaur

In a default samba configuration, both the unix extensions and the wide links options are on by default. Unix extensions gives extra capabilities to UNIX clients, including symlink support. If a client connects and uses UNIX capabilities, symlinks are sent as-is by the server and are handled by the client. If the client doesn’t support UNIX extensions, the server will resolve the symlink and send the actual file it links to. Wide links tells the samba server to follow symlinks even if they point outside the shared directory.

The combination of these two parameters can be exploited in the following way:

- Unix client creates a new symlink to /
- Windows client can then enter the directory pointed to by the symlink as it is followed server-side and read any file from the server’s filesystem, if DAC permissions allow it.

There is no simple way to fix this issue without possibly breaking existing configurations. Leaving it unfixed results in server admins inadvertently sharing the whole server filesystem. Fixing it results in breaking configurations where a samba share contains symlinks that point outside of the shared directory.

The upstream patch changes samba behaviour in that the “wide links” option will get disabled automatically if “UNIX permissions” is enabled. A warning will be issued in the server’s log file, which will help diagnose the problem.

PoC: http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 6.06 | noarch | samba | < 3.0.22-1ubuntu3.11 | UNKNOWN |
| ubuntu | 8.04 | noarch | samba | < 3.0.28a-1ubuntu4.11 | UNKNOWN |
| ubuntu | 8.10 | noarch | samba | < 2:3.2.3-1ubuntu3.8 | UNKNOWN |
| ubuntu | 9.04 | noarch | samba | < 2:3.3.2-1ubuntu3.4 | UNKNOWN |
| ubuntu | 9.10 | noarch | samba | < 2:3.4.0-3ubuntu5.6 | UNKNOWN |
