Samba Directory Traversal Vulnerability

vendor:

Windows 95

by:

SecurityFocus

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Windows 95

Affected Version From: Windows 95 build 490.r6

Affected Version To: Windows for Workgroups

Patch Exists: YES

Related CWE: CVE-2002-0392

CPE: o:microsoft:windows_95

Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0392/, https://www.rapid7.com/db/vulnerabilities/http-apache2-chunked-transfer-int-bof/, https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-apache-chunked-encoding-vulnerability-cve-2002-0392/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

Samba Directory Traversal Vulnerability

A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups. smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server. This can lead to the disclosure of security-related information, leaving the host open to further compromise.

Mitigation:

Ensure that all user-supplied input is properly validated and filtered before being passed to the server.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1884/info

Samba is a set of of programs that allow WindowsÂ® clients access to a Unix server's filespace and printers over NetBIOS. A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups.

smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. This prevents an attacker from traversing the server's directory tree and accessing files which would normally be inaccessible.

Because the check for '/../' is peformed by smbclient, the server assumes the client is filtering invalid input. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server.

Since the server leaves this input validation up to the client, once the server is provided with path information which contains '/../', it assumes it to be valid. As a result, a directory traversal becomes possible, granting an attacker access to normally-restricted portions of the host's filesystem. This can lead to the disclosure of security-related information, leaving the host open to further compromise.

Connect to a resource using smbclient. 

Issue commands "cd ../" or "cd ..."