Vigil@nce: Samba, file access via registry shares
January 2009 by Vigil@nce
When the "registry shares" feature is enabled, an authenticated
attacker can access to files located outside shares.
– Gravity: 2/4
– Consequences: data reading, data creation/edition
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/01/2009
IMPACTED PRODUCTS
– Fedora
– Samba
– Slackware Linux
DESCRIPTION OF THE VULNERABILITY
The "registry shares" feature of Samba indicates to use a
configuration stored in a registry. This feature, implemented in
version 3.2.0, can be enabled by:
registry shares = yes
include = registry
config backend = registry
A Samba share has a name like "//servername/sharename".
However, due to an error of "registry share", if the sharename is
empty ("//servername/"), the user accesses to the root file system
("/"), instead of being restricted to the shared directory.
When the "registry shares" feature is enabled, an authenticated
attacker can therefore access to files located outside shares. The
access is done with user’s rights.
CHARACTERISTICS
– Identifiers: BID-33118, CVE-2009-0022, FEDORA-2009-0160,
FEDORA-2009-0268, SSA:2009-005-01, VIGILANCE-VUL-8367
– Url: http://vigilance.fr/vulnerability/Samba-file-access-via-registry-shares-8367