ID CVE-2010-0926
Summary The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
References
Vulnerable Configurations
  • Samba 3.3.9
    cpe:2.3:a:samba:samba:3.3.9
  • Samba 3.3.8
    cpe:2.3:a:samba:samba:3.3.8
  • Samba 3.3.7
    cpe:2.3:a:samba:samba:3.3.7
  • Samba 3.3.6
    cpe:2.3:a:samba:samba:3.3.6
  • Samba 3.3.5
    cpe:2.3:a:samba:samba:3.3.5
  • Samba 3.3.4
    cpe:2.3:a:samba:samba:3.3.4
  • Samba 3.3.3
    cpe:2.3:a:samba:samba:3.3.3
  • Samba 3.3.2
    cpe:2.3:a:samba:samba:3.3.2
  • Samba 3.3.10
    cpe:2.3:a:samba:samba:3.3.10
  • Samba 3.3.1
    cpe:2.3:a:samba:samba:3.3.1
  • Samba 3.3.0
    cpe:2.3:a:samba:samba:3.3.0
  • Samba 3.4.5
    cpe:2.3:a:samba:samba:3.4.5
  • Samba 3.4.4
    cpe:2.3:a:samba:samba:3.4.4
  • Samba 3.4.3
    cpe:2.3:a:samba:samba:3.4.3
  • Samba 3.4.2
    cpe:2.3:a:samba:samba:3.4.2
  • Samba 3.4.1
    cpe:2.3:a:samba:samba:3.4.1
  • Samba 3.4.0
    cpe:2.3:a:samba:samba:3.4.0
  • Samba 3.5.0
    cpe:2.3:a:samba:samba:3.5.0
CVSS
Base: 3.5 (as of 10-03-2010 - 18:58)
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: SINGLE_INSTANCE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
exploit-db via4
  • description Samba 3.4.5 Symlink Directory Traversal Vulnerability (2). CVE-2010-0926. Remote exploit for linux platform
    id EDB-ID:33599
    last seen 2016-02-03
    modified 2010-02-04
    published 2010-02-04
    reporter kingcope
    source https://www.exploit-db.com/download/33599/
    title Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability C
  • description Samba 3.4.5 Symlink Directory Traversal Vulnerability. CVE-2010-0926. Remote exploit for linux platform
    id EDB-ID:33598
    last seen 2016-02-03
    modified 2010-02-04
    published 2010-02-04
    reporter kingcope
    source https://www.exploit-db.com/download/33598/
    title Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability Metasploit
  • description Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory. CVE-2017-2619. Remote exploit for Multiple platform
    file exploits/multiple/remote/41740.txt
    id EDB-ID:41740
    last seen 2017-03-27
    modified 2017-03-27
    platform multiple
    port
    published 2017-03-27
    reporter Exploit-DB
    source https://www.exploit-db.com/download/41740/
    title Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
    type remote
metasploit via4
description This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
id MSF:AUXILIARY/ADMIN/SMB/SAMBA_SYMLINK_TRAVERSAL
last seen 2019-03-18
modified 2018-07-12
published 2010-02-05
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
title Samba Symlink Directory Traversal
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0313.NASL
    description From Red Hat Security Advisory 2012:0313 : Updated samba packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. The default Samba server configuration enabled both the 'wide links' and 'unix extensions' options, allowing Samba clients with write access to a share to create symbolic links that point to any location on the file system. Clients connecting with CIFS UNIX extensions disabled could have such links resolved on the server, allowing them to access and possibly overwrite files outside of the share. With this update, 'wide links' is set to 'no' by default. In addition, the update ensures 'wide links' is disabled for shares that have 'unix extensions' enabled. (CVE-2010-0926) Warning: This update may cause files and directories that are only linked to Samba shares using symbolic links to become inaccessible to Samba clients. In deployments where support for CIFS UNIX extensions is not needed (such as when files are exported to Microsoft Windows clients), administrators may prefer to set the 'unix extensions' option to 'no' to allow the use of symbolic links to access files out of the shared directories. All existing symbolic links in a share should be reviewed before re-enabling 'wide links'. These updated samba packages also fix the following bug : * The smbclient tool sometimes failed to return the proper exit status code. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status. (BZ#768908) In addition, these updated samba packages provide the following enhancement : * With this update, support for Windows Server 2008 R2 domains has been added. (BZ#736124) Users are advised to upgrade to these updated samba packages, which correct these issues and add this enhancement. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68484
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68484
    title Oracle Linux 5 : samba (ELSA-2012-0313)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-918-1.NASL
    description It was discovered that Samba handled symlinks in an unexpected way when both 'wide links' and 'UNIX extensions' were enabled, which is the default. A remote attacker could create symlinks and access arbitrary files from the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 45343
    published 2010-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45343
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : samba vulnerability (USN-918-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0313.NASL
    description Updated samba packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. The default Samba server configuration enabled both the 'wide links' and 'unix extensions' options, allowing Samba clients with write access to a share to create symbolic links that point to any location on the file system. Clients connecting with CIFS UNIX extensions disabled could have such links resolved on the server, allowing them to access and possibly overwrite files outside of the share. With this update, 'wide links' is set to 'no' by default. In addition, the update ensures 'wide links' is disabled for shares that have 'unix extensions' enabled. (CVE-2010-0926) Warning: This update may cause files and directories that are only linked to Samba shares using symbolic links to become inaccessible to Samba clients. In deployments where support for CIFS UNIX extensions is not needed (such as when files are exported to Microsoft Windows clients), administrators may prefer to set the 'unix extensions' option to 'no' to allow the use of symbolic links to access files out of the shared directories. All existing symbolic links in a share should be reviewed before re-enabling 'wide links'. These updated samba packages also fix the following bug : * The smbclient tool sometimes failed to return the proper exit status code. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status. (BZ#768908) In addition, these updated samba packages provide the following enhancement : * With this update, support for Windows Server 2008 R2 domains has been added. (BZ#736124) Users are advised to upgrade to these updated samba packages, which correct these issues and add this enhancement. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 58067
    published 2012-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58067
    title RHEL 5 : samba (RHSA-2012:0313)
  • NASL family Misc.
    NASL id SAMBA_SYMLINK_DIR_TRAVERSAL.NASL
    description The remote Samba server is configured insecurely and allows a remote attacker to gain read or possibly write access to arbitrary files on the affected host. Specifically, if an attacker has a valid Samba account for a share that is writable or there is a writable share that is configured to be a guest account share, he can create a symlink using directory traversal sequences and gain access to files and directories outside that share. Note that successful exploitation requires that the Samba server's 'wide links' parameter be set to 'yes', which is the default.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 44406
    published 2010-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44406
    title Samba Symlink Traversal Arbitrary File Access (unsafe check)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_CIFS-MOUNT-100312.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended (CVE-2010-0547).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45340
    published 2010-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45340
    title openSUSE Security Update : cifs-mount (cifs-mount-2128)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-6920.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended. (CVE-2010-0547)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 45471
    published 2010-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45471
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 6920)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12595.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended. (CVE-2010-0547)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45453
    published 2010-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45453
    title SuSE9 Security Update : Samba (YOU Patch Number 12595)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-6921.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended. (CVE-2010-0547)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 49834
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49834
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 6921)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CIFS-MOUNT-100312.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended. (CVE-2010-0547)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45130
    published 2010-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45130
    title SuSE 11 Security Update : Samba (SAT Patch Number 2126)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_CIFS-MOUNT-100312.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended (CVE-2010-0547).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45339
    published 2010-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45339
    title openSUSE Security Update : cifs-mount (cifs-mount-2128)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_CIFS-MOUNT-100315.NASL
    description With 'wide links' enabled, Samba follows symbolic links on the server side, allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default so that 'wide links' is disabled. The new default only takes effect if 'wide links' is not set explicitly in smb.conf. Due to a race condition in mount.cifs, a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and changing that is not recommended (CVE-2010-0547).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45341
    published 2010-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45341
    title openSUSE Security Update : cifs-mount (cifs-mount-2128)
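Added example (not code from the page, from the Samba project, or from any of the vendors quoted above): a small Python audit that reads an smb.conf and flags the combination the summary and the advisories describe, that is, a share the client can write to on an smbd where CIFS UNIX extensions let the client create symlinks and 'wide links' (with 'follow symlinks') lets smbd resolve those links outside the share. The built-in defaults are taken from the advisory text above (pre-fix: 'unix extensions' and 'wide links' both on; fixed releases: 'wide links = no', and forced off whenever 'unix extensions' is on, per the Red Hat description). The parameter synonyms handled (writable / writeable / write ok, and the inverted read only) follow the smb.conf manual; the two configurations and all share names and paths are constructed for the example.

```python
"""Audit an smb.conf for the CVE-2010-0926 combination: a writable share on an
smbd where clients may create symlinks ('unix extensions') and smbd follows them
out of the share ('wide links' and 'follow symlinks' both on)."""
import configparser


def norm(name: str) -> str:
    """Parameter names in smb.conf are case-insensitive and ignore whitespace."""
    return "".join(name.split()).lower()


# Built-in defaults per the advisories: both options on before the fix; fixed
# smbd ships 'wide links = no' and forces it off while unix extensions are on.
PRE_FIX_DEFAULTS = {norm(k): v for k, v in [("unix extensions", "yes"),
                    ("wide links", "yes"), ("follow symlinks", "yes"), ("guest ok", "no")]}
FIXED_DEFAULTS = {**PRE_FIX_DEFAULTS, norm("wide links"): "no"}


def boolish(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1", "on"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(strict=False,        # repeated parameter: last one wins
                                   interpolation=None,  # keep %U / %S macros literal
                                   empty_lines_in_values=False)
    cp.optionxform = norm
    cp.read_string(text)
    return cp


def effective(cp, share: str, param: str, defaults: dict) -> str:
    """Share-level value, else [global] value, else the built-in default."""
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, param):
            return cp.get(section, param)
    return defaults[norm(param)]


def share_is_writable(cp, share: str) -> bool:
    """writable/writeable/write ok and the inverted 'read only' are one parameter;
    Samba defaults to read-only and the last occurrence wins."""
    writable = False
    for section in ("global", share):
        for key, value in (cp.items(section) if cp.has_section(section) else []):
            if key in ("writable", "writeable", "writeok"):
                writable = boolish(value)
            elif key == "readonly":
                writable = not boolish(value)
    return writable


def audit(smb_conf: str, fixed_smbd: bool = False) -> dict:
    """Per-share flags; 'exploitable' marks the CVE-2010-0926 combination."""
    defaults = FIXED_DEFAULTS if fixed_smbd else PRE_FIX_DEFAULTS
    cp = parse_smb_conf(smb_conf)
    unix_ext = boolish(effective(cp, "global", "unix extensions", defaults))
    report = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        wide = boolish(effective(cp, share, "wide links", defaults))
        if fixed_smbd and unix_ext:
            wide = False  # fixed smbd disables wide links whenever unix extensions are on
        follow = boolish(effective(cp, share, "follow symlinks", defaults))
        writable = share_is_writable(cp, share)
        report[share] = {"writable": writable,
                         "guest": boolish(effective(cp, share, "guest ok", defaults)),
                         "wide_links": wide, "follow_symlinks": follow,
                         "exploitable": unix_ext and writable and wide and follow}
    return report


# Constructed sample configurations (not taken from any real host).
WEAK_SMB_CONF = """\
[global]
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[docs]
   path = /srv/samba/docs
   read only = yes
[scratch]
   path = /srv/samba/scratch
   writeable = yes
   follow symlinks = no
"""

HARDENED_SMB_CONF = """\
[global]
   unix extensions = yes
   wide links = no
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
"""

if __name__ == "__main__":
    for label, conf, fixed in [("pre-fix smbd, weak config", WEAK_SMB_CONF, False),
                               ("pre-fix smbd, hardened config", HARDENED_SMB_CONF, False),
                               ("fixed smbd, weak config", WEAK_SMB_CONF, True)]:
        print(label, {s: "EXPLOITABLE" if f["exploitable"] else "ok"
                      for s, f in audit(conf, fixed_smbd=fixed).items()})
```

On the weak sample, [public] is flagged (guest-writable, both options at their pre-fix defaults), [docs] is not (read-only), and [scratch] is not because 'follow symlinks = no' stops smbd resolving any link there. The hardened sample keeps the share writable but sets 'wide links = no' globally, which is the remediation the advisories describe; alternatively set 'unix extensions = no' where only Windows clients connect, since then no client can create the symlink over SMB in the first place. On a live host, feed the script `testparm -s` output rather than the raw file so that includes and overrides are already resolved, and pass `fixed_smbd=True` only when the installed package is at or beyond the fixed releases named in the summary; the script cannot detect the running version itself. The manual confirmation is the one the summary names: on a writable share, smbclient's `symlink` command with a target built from `..` sequences, followed by listing the new directory.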
redhat via4
advisories
bugzilla
id 562568
title default
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • OR
    • AND
      • comment libsmbclient is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313012
      • comment libsmbclient is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100488023
    • AND
      • comment libsmbclient-devel is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313006
      • comment libsmbclient-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100488025
    • AND
      • comment samba is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313002
      • comment samba is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070061003
    • AND
      • comment samba-client is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313008
      • comment samba-client is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070061009
    • AND
      • comment samba-common is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313010
      • comment samba-common is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070061005
    • AND
      • comment samba-swat is earlier than 0:3.0.33-3.37.el5
        oval oval:com.redhat.rhsa:tst:20120313004
      • comment samba-swat is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070061007
rhsa
id RHSA-2012:0313
released 2012-02-21
severity Low
title RHSA-2012:0313: samba security, bug fix, and enhancement update (Low)
rpms
  • libsmbclient-0:3.0.33-3.37.el5
  • libsmbclient-devel-0:3.0.33-3.37.el5
  • samba-0:3.0.33-3.37.el5
  • samba-client-0:3.0.33-3.37.el5
  • samba-common-0:3.0.33-3.37.el5
  • samba-swat-0:3.0.33-3.37.el5
refmap via4
confirm
fulldisc
  • 20100204 Re: Samba Remote Zero-Day Exploit
  • 20100204 Samba Remote Zero-Day Exploit
  • 20100205 Re: Samba Remote Zero-Day Exploit
misc http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
mlist
  • [oss-security] 20100205 Re: Samba symlink 0day flaw
  • [oss-security] 20100205 Samba symlink 0day flaw
  • [oss-security] 20100206 Re: Samba symlink 0day flaw
  • [oss-security] 20100305 Re: Samba symlink 0day flaw
  • [samba-technical] 20100205 Claimed Zero Day exploit in Samba.
  • [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba.
  • [samba-technical] 20100205 re: Claimed Zero Day exploit in Samba.
  • [samba-technical] 20100206 Re: Claimed Zero Day exploit in Samba.
  • [samba-technical] 20100207 Re: Claimed Zero Day exploit in Samba.
secunia 39317
suse
  • SUSE-SR:2010:008
  • SUSE-SR:2010:014
Last major update 09-09-2010 - 01:40
Published 10-03-2010 - 15:13