Vigil@nce: Samba, exiting the root directory
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
In the default writable share configuration, Samba allows the
creation of symbolic links pointing outside the shared root.
Severity: 2/4
Consequences: data reading, data creation/modification, data deletion
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/02/2010
IMPACTED PRODUCTS
– Samba
DESCRIPTION OF THE VULNERABILITY
The Samba service has several configuration directives:
– writable: the SMB/CIFS share is writable (disabled by default)
– unix extensions: Unix extensions, such as symbolic link
creation, are allowed (enabled by default)
– wide links: symbolic links pointing outside the share root
directory are allowed (enabled by default)
– etc.
When the administrator enables "writable" without disabling either
"unix extensions" or "wide links", an authenticated attacker can
create a symbolic link pointing outside the share root.
In this configuration, the attacker can therefore read or modify
files located outside the share root.
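The following configuration audit is an added example, not part of the advisory: it parses smb.conf text and lists the shares that match the condition described above. Assumptions: the defaults are the ones stated in this advisory, the sample shares and paths are constructed, and the "writeable", "write ok" and "read only" spellings are smb.conf synonyms of "writable" that the advisory does not mention.

```python
import configparser

TRUE = {"yes", "true", "1", "on"}
WRITE_KEYS = ("writable", "writeable", "writeok")  # smb.conf synonyms

# Constructed sample; share names and paths are illustrative only.
SAMPLE = """
[global]
   workgroup = EXAMPLE
[public]
   path = /srv/public
   writable = yes
[archive]
   path = /srv/archive
   read only = yes
[hardened]
   path = /srv/hardened
   write ok = yes
   wide links = no
"""

def _norm(name):
    # Samba compares parameter names ignoring case and whitespace.
    return "".join(name.lower().split())

def _truthy(value):
    return value.strip().lower() in TRUE

def _writable(params):
    state = False  # advisory: "writable" is disabled by default
    for key, value in params.items():  # a later setting overrides an earlier one
        if key in WRITE_KEYS:
            state = _truthy(value)
        elif key == "readonly":        # inverted synonym of "writable"
            state = not _truthy(value)
    return state

def risky_shares(smb_conf_text):
    """Shares that are writable while unix extensions and wide links stay on."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = _norm
    # Strip indentation so configparser does not read it as a continuation.
    cfg.read_string("\n".join(l.strip() for l in smb_conf_text.splitlines()))
    glob = dict(cfg["global"]) if cfg.has_section("global") else {}
    # "unix extensions" is a global setting; default per the advisory: enabled.
    unix_ext = _truthy(glob.get("unixextensions", "yes"))
    risky = []
    for name in cfg.sections():
        params = {**glob, **dict(cfg[name])}  # share values override [global]
        if name != "global" and unix_ext and _writable(params) \
                and _truthy(params.get("widelinks", "yes")):
            risky.append(name)
    return risky
```

Calling risky_shares(SAMPLE) returns only the "public" share; "hardened" is writable but has "wide links" disabled, and "archive" is read-only.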
CHARACTERISTICS
Identifiers: BID-38111, VIGILANCE-VUL-9413
http://vigilance.fr/vulnerability/Samba-exiting-the-root-directory-9413