CVE-2010-0926

Published: 10 March 2010

The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

Notes

Author: mdeslaur
Note:

In a default Samba configuration, both the unix extensions
and the wide links options are on by default.

Unix extensions gives extra capabilities to UNIX clients, including
symlink support. If a client connects and uses UNIX capabilities,
symlinks are sent as-is by the server and are handled by the client. If
the client doesn't support UNIX extensions, the server will resolve the
symlink and send the actual file it links to.

Wide links tells the Samba server to follow symlinks even if they point
outside the shared directory.

The combination of these two parameters can be exploited in the following
way:
- Unix client creates a new symlink to /
- Windows client can then enter the directory pointed to by the symlink
  as it is followed server-side and read any file from the server's
  filesystem, if DAC permissions allow it.

There is no simple way to fix this issue without possibly breaking
existing configurations. Leaving it unfixed results in server admins
inadvertently sharing the whole server filesystem. Fixing it results
in breaking configurations where a Samba share contains symlinks that
point outside of the shared directory.

The upstream patch changes Samba behaviour in that the "wide links"
option will get disabled automatically if "UNIX permissions" is enabled.
A warning will be issued in the server's log file, which will help
diagnose the problem.

PoC: http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
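
As an added example (not part of the tracker entry or of Samba itself), the following check reads smb.conf text and lists the writable shares that still follow wide links while unix extensions is enabled, which is the combination the note describes. It assumes the defaults stated in the note for affected versions (both options on) and a read-only share default; it does not process `include` directives or line continuations, and the function names are hypothetical.

```python
import re

# Assumed defaults: both options on (per the note above), shares read-only.
DEFAULTS = {"unixextensions": True, "widelinks": True, "readonly": True}
INVERTED = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {normalized option: bool}} for the three options above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # names ignore case and spaces
            flag = value.strip().lower() in TRUE
            if key in INVERTED:
                key, flag = "readonly", not flag
            if key in DEFAULTS:
                current[key] = flag
    return sections

def exposed_shares(text):
    """Writable shares that still follow wide links while unix extensions is on."""
    sections = parse_smb_conf(text)
    glob = {**DEFAULTS, **sections.pop("global", {})}
    if not glob["unixextensions"]:  # global-only option
        return []
    def risky(opts):
        eff = {**glob, **opts}  # share settings override [global]
        return eff["widelinks"] and not eff["readonly"]
    return [name for name, opts in sections.items() if risky(opts)]

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[global]
[public]
   writeable = yes
[docs]
   read only = no
   Wide Links = No
[archive]
   path = /srv/archive
"""

if __name__ == "__main__":
    print(exposed_shares(SAMPLE))  # ['public']
```

Setting `unix extensions = no` in `[global]`, or `wide links = no` on each writable share, clears the finding.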

Priority

Medium

Status

Package: samba (Launchpad, Ubuntu, Debian)

Release    Status
upstream   Released (3.4.6)
dapper     Released (3.0.22-1ubuntu3.11)
hardy      Released (3.0.28a-1ubuntu4.11)
intrepid   Released (2:3.2.3-1ubuntu3.8)
jaunty     Released (2:3.3.2-1ubuntu3.4)
karmic     Released (2:3.4.0-3ubuntu5.6)

Patches:
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4 (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=fac6d5212be3e7159896a9c67e15faa4a557c213 (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=94865e4dbd3d721c9855aada8c55e02be8b3881e (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=5d92d969dda450cc3564dd2265d2b042d832c542 (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82 (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9fc76f86fa2c60b81ec8afee515bb823a5cd616f (head)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9e64c33b7757dd4528a9c8d31d0c0c159a33daf8 (3.4.x)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=16e73d88944ce644cccfa19a99338f5903c061f0 (3.4.x)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=c1b05ae4febfba1a419eee0d04c3886de9f5fee0 (3.3.x)
upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=ce04bf60499104c166657df959e4033573b5be5c (3.3.x)