[Full-disclosure] Samba Remote Zero-Day Exploit
kcope2 at googlemail.com
Fri Feb 5 23:38:07 GMT 2010
First and foremost I did not know about the configuration setting which
closes the bug when I posted the advisory. So this was my mistake.
But for the most servers which are not entirely hardened (and my
assumption is that this applies to many servers in internal networks)
the traversal can be a serious issue, because a samba user (even nobody)
can create the symlinks. It would in my point of view be more secure to
only allow administrators to create symlinks as it is intended.
Again I might be wrong with this thought.
I first audited Windows Server 2008 for the new SMB2 hardlinking
features. Symlinking on a windows server is possible but only when the
remotely logged in account is the Administrator. Creating symlinks to
paths outside the directory of the given share is not possible. However
accessing a symlink in a directory which points to for example c:\
is possible. I don't say that because Samba should have the same
semantics as Windows, but because its implementation of handling remote
to local and local to remote symbolic links is more secure.
After failing in auditing the Windows servers on the potential
vulnerabilities I just gave samba a try and the default configuration
of my Ubuntu Desktop System and CentOS Server allowed me to conduct the
attack out of the box. Turning off symlink support in samba closes the
hole but then no access to symlinks created by the administrator is
possible or am I wrong?
On Saturday, 06.02.2010, 09:43 +1100,
paul.szabo at sydney.edu.au wrote:
> Dear Dan,
> > The bug here is that out-of-path symlinks are remotely writable. ...
> You mean "creatable".
> > ... the fact that he can *generate* the symlink breaks ...
> Nothing breaks if the admin sets "wide links = no" for that share: the
> link is not followed.
> > But Samba supports dropping a user into a path ...
> I never noticed such support documented: references please?
> > ... and it really does need to keep him there.
> You cannot "break out" of shares with "wide links = no".
> > ... Samba is supposed to match Windows semantics in general.
> No please, do not dumb it down.
> Cheers, Paul
> Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
Full-Disclosure is hosted and sponsored by Secunia.
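The thread above turns on which smb.conf parameters decide whether a client-created symlink can lead outside the share root ("wide links", "follow symlinks", "unix extensions", and whether the share is writable). The following checker is an added example written for this page, not code from the thread, from Samba, or from either poster: it parses an smb.conf, resolves each share's effective settings (share overrides [global], which overrides a built-in default), and reports shares where out-of-share symlinks would be followed. The sample configuration is constructed, and the built-in default of "wide links = yes" is an assumption matching the pre-fix Samba releases discussed in the thread; pass `wide_links_default=False` to model a release that ships the safer default.

```python
"""Audit smb.conf share definitions for symlink settings that let a
client-created link point outside the share (constructed example)."""

# Constructed sample smb.conf. [global] leaves "wide links" unset, so
# every share inherits the built-in default unless it overrides it.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   # unix extensions lets SMB clients create symlinks on the server
   unix extensions = yes

[homes]
   browseable = no
   writable = yes

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
   wide links = no

[scratch]
   path = /srv/samba/scratch
   writable = yes
   follow symlinks = no
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Section and key names are lower-cased with whitespace normalised;
    whole-line comments start with '#' or ';'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip().lower()
    return sections


def effective(sections, share, key, default):
    """Resolve a boolean parameter: share value overrides [global],
    which overrides the built-in default passed by the caller."""
    value = sections.get(share, {}).get(key)
    if value is None:
        value = sections.get("global", {}).get(key)
    if value is None:
        return default
    return value in TRUE_WORDS


def audit_shares(text, wide_links_default=True):
    """Return {share: (at_risk, reason)} for every non-global share.

    wide_links_default=True models the historical Samba default that the
    thread discusses; this is an assumption of the example."""
    sections = parse_smb_conf(text)
    clients_can_link = effective(sections, "global", "unix extensions", True)
    report = {}
    for share in sections:
        if share == "global":
            continue
        follow = effective(sections, share, "follow symlinks", True)
        wide = effective(sections, share, "wide links", wide_links_default)
        # "writable = yes" and "read only = no" are the same thing in smb.conf
        writable = (effective(sections, share, "writable", False)
                    or not effective(sections, share, "read only", True))
        if not follow:
            report[share] = (False, "follow symlinks = no: no symlink is followed, "
                                    "including links the admin created")
        elif not wide:
            report[share] = (False, "wide links = no: links outside the share "
                                    "are not followed, in-share links still work")
        else:
            reason = "wide links enabled: symlinks outside the share are followed"
            if clients_can_link and writable:
                reason += "; share is writable and unix extensions let clients create links"
            report[share] = (True, reason)
    return report


if __name__ == "__main__":
    for name, (risk, why) in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"[{name}] {'RISK' if risk else 'ok  '} {why}")
```

The three sample shares show the three outcomes the thread argues about: `[homes]` inherits the permissive default and is flagged, `[public]` uses Paul's `wide links = no` and keeps in-share symlinks usable, and `[scratch]` uses `follow symlinks = no`, which is the blunter setting kcope describes where no symlink is followed at all.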