Vendor: Samba
By: Project Zero
CVSS: 7.5 (HIGH)
Symlink Race Condition
CWE: 22
Product Name: Samba
Affected Version From: Samba 3.0.0
Affected Version To: Samba 3.6.25
Patch Exists: YES
Related CWE: CVE-2010-0926
CPE: a:samba:samba
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

Samba Server Vulnerability

The Samba server is supposed to only grant access to configured share directories unless 'wide links' are enabled, in which case the server is allowed to follow symlinks. The default (since CVE-2010-0926) is that wide links are disabled. However, smbd ensures that it isn't following symlinks by calling lstat() on every path component. This is racy, as any of the path components - either one of the directories or the file at the end - could be replaced with a symlink by an attacker over a second connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i/j with a symlink to /etc/shadow would allow an attacker to read the shadow file.

Mitigation:

Disable 'wide links' in the Samba configuration.
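
The description above turns on the gap between the lstat() check and the later open of the same name. The following is an added example, not Samba's code or its actual fix: a race-free way to resolve a path under a share root on Linux, where `open_beneath` and `demo_share` are hypothetical names and the demo tree is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath the share root `rootfd` (hypothetical helper). Each
 * component is opened relative to its parent's fd with O_NOFOLLOW, so the
 * symlink check and the open are one kernel step, not lstat() then open(). */
int open_beneath(int rootfd, const char *rel, int flags)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(rel) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int dirfd = dup(rootfd);
    char *comp = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1, err = EACCES;              /* ".." may not leave the share */
        if (strcmp(comp, "..") != 0) {
            fd = openat(dirfd, comp, (next ? O_RDONLY | O_DIRECTORY : flags)
                                     | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(dirfd);
        errno = err;
        if (next == NULL) return fd;            /* last component: done */
        dirfd = fd;                             /* -1 here ends the loop */
        comp = next;
    }
    return dirfd;   /* empty path: a dup of the root, or -1 if dup() failed */
}

/* Constructed demo share: docs/readme.txt, plus symlinks trap -> /etc and
 * docs/leak -> /etc/passwd standing in for components swapped by a client. */
int demo_share(void)
{
    char tmpl[] = "/tmp/shareXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (mkdirat(root, "docs", 0700) || symlinkat("/etc", root, "trap") ||
        symlinkat("/etc/passwd", root, "docs/leak")) return -1;
    close(openat(root, "docs/readme.txt", O_CREAT | O_WRONLY, 0600));
    return root;
}
```

Because every lookup is anchored to an already-open directory descriptor, a component replaced with a symlink between two steps makes the open fail rather than redirecting it. On Linux 5.6 and later, openat2() with RESOLVE_BENEATH performs the same containment in a single call.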