CVE-2010-0926

The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
samba	9.10 karmic	Fixed 2:3.4.0-3ubuntu5.6
	9.04 jaunty	Fixed 2:3.3.2-1ubuntu3.4
	8.10 intrepid	Fixed 2:3.2.3-1ubuntu3.8
	8.04 LTS hardy	Fixed 3.0.28a-1ubuntu4.11
	6.06 LTS dapper	Fixed 3.0.22-1ubuntu3.11

Notes

mdeslaur

In a default samba configuration, both the unix extensions and the wide links options are on by default. Unix extensions gives extra capabilities to UNIX clients, including symlink support. If a client connects and uses UNIX capabilities, symlinks are sent as-is by the server and are handled by the client. If the client doesn't support UNIX extensions, the server will resolve the symlink and send the actual file it links to. Wide links tells the samba server to follow symlinks even if they point outside the shared directory. The combination of these two parameters can be exploited in the following way: - Unix client creates a new symlink to / - Windows client can then enter the directory pointed to by the symlink as it is followed server-side and read any file from the server's filesystem, if DAC permissions allow it. There is no simple way to fix this issue without possible breaking existing configurations. Leaving it unfixed results in server admins inadvertantly sharing the whole server filesystem. Fixing it results in breaking configurations where a samba share contains symlinks that point outside of the shared directory. The upstream patch changes samba behaviour in that the "wide links" option will get disabled automatically if "UNIX permissions" is enabled. A warning will be issued in the server's log file, which will help diagnose the problem PoC: http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
samba	Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=fac6d5212be3e7159896a9c67e15faa4a557c213 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=94865e4dbd3d721c9855aada8c55e02be8b3881e Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=5d92d969dda450cc3564dd2265d2b042d832c542 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9fc76f86fa2c60b81ec8afee515bb823a5cd616f Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=9e64c33b7757dd4528a9c8d31d0c0c159a33daf8 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=16e73d88944ce644cccfa19a99338f5903c061f0 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=c1b05ae4febfba1a419eee0d04c3886de9f5fee0 Upstream: http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=ce04bf60499104c166657df959e4033573b5be5c

Package

Patch details

samba

References

Related Ubuntu Security Notices (USN)

USN-918-1
Samba vulnerability
24 March 2010

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references