Vigil@nce: Samba, exiting the root directory
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
In the default writable share configuration, Samba allows the creation of symbolic links pointing outside the shared root.
Consequences: data reading, data creation/modification, data deletion
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/02/2010
DESCRIPTION OF THE VULNERABILITY
The Samba service has several configuration directives:
writable: the SMB/CIFS share is writable (disabled by default)
unix extensions: Unix extensions, such as symbolic link creation, are allowed (enabled by default)
wide links: symbolic links pointing outside the share root directory are allowed (enabled by default)
When the administrator enables "writable" without disabling either "unix extensions" or "wide links", an authenticated attacker can create a symbolic link pointing outside the share root.
In this configuration, the attacker can therefore read or edit files located outside the share root.
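An administrator can check an smb.conf for this combination with a short audit script. The following is an added example, not part of the original advisory or of Samba: the function names and the sample configuration are constructed for illustration, and the defaults are the ones stated above.

```python
import re

# Defaults as stated in the advisory; other Samba releases may differ.
DEFAULTS = {"writable": False, "unix extensions": True, "wide links": True}
TRUE_VALUES = {"yes", "true", "1"}
# smb.conf synonyms for "writable"; "read only" is its inverse.
WRITABLE_SYNONYMS = {"writable", "writeable", "write ok"}

# Constructed sample configuration (share names and paths are illustrative).
SAMPLE = """[global]
   workgroup = EXAMPLE
[public]
   path = /srv/public
   writable = yes
[docs]
   path = /srv/docs
   read only = no
   wide links = no
"""

def parse_smb_conf(text):
    """Return {section: {directive: bool}} for the three directives above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # names ignore case and spacing
            flag = value.strip().lower() in TRUE_VALUES
            if key in WRITABLE_SYNONYMS:
                current["writable"] = flag
            elif key == "read only":
                current["writable"] = not flag
            elif key in DEFAULTS:
                current[key] = flag
    return sections

def exposed_shares(text):
    """Names of shares that are writable with both link directives enabled."""
    sections = parse_smb_conf(text)
    glob = {**DEFAULTS, **sections.pop("global", {})}
    # "unix extensions" is a global setting: a per-share value is ignored.
    return sorted(
        name for name, params in sections.items()
        if all({**glob, **params, "unix extensions": glob["unix extensions"]}[k]
               for k in DEFAULTS))
```

On the sample, only the "public" share is reported: "docs" is writable but disables "wide links".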
Identifiers: BID-38111, VIGILANCE-VUL-9413