Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Samba Remote Zero-Day Exploit
From: Kingcope <kcope2 () googlemail com>
Date: Sat, 06 Feb 2010 00:38:07 +0100

Hello Paul,

First and foremost I did not know about the configuration setting which
closes the bug when i posted the advisory. So this was my mistake.
But for the most servers which are not entirely hardened (and my
assumption is that this applies to many servers in internal networks)
the traversal can be a serious issue, because a samba user (even nobody)
can create the symlinks. It would in my point of view be more secure to
only allow administrators to create symlinks as it is intended.
Again I might be wrong with this thought.
I first audited Windows Server 2008 for the new SMB2 hardlinking
features. Symlinking on a windows server is possible but only when the
remotely logged in account is the Administrator. Creating symlinks to
paths outside the directory of the given share is not possible. However
accessing a symlink in a directory which points to for example c:\
is possible. I don't say that because Samba should have the same
semnatics as Windows, but because it's implemetation of handling remote
to local and local to remote symbolic links is more secure.
After failing in auditing the Windows servers on the potential
vulnerabilites I just gave samba a try and the default configuration
of my Ubuntu Desktop System and CentOS Server allowed me to conduct the
attack out of the box. Turning off symlink support in samba closes the
hole but then no access to symlinks created by the administrator is
possible or am I wrong?

With Respect,

Kingcope

Am Samstag, den 06.02.2010, 09:43 +1100 schrieb
paul.szabo () sydney edu au:
Dear Dan,

The bug here is that out-of-path symlinks are remotely writable. ...

You mean "creatable".

... the fact that he can *generate* the symlink breaks ...

Nothing breaks if the admin sets "wide links = no" for that share: the
link is not followed.

But Samba supports dropping a user into a path ...

I never noticed such support documented: references please?

... and it really does need to keep him there.

You cannot "break out" of shares with "wide links = no".

... Samba is supposed to match Windows semantics in general.

No please, do not dumb it down.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]