Samba Symlink Traversal Arbitrary File Access (unsafe check)

high Nessus Plugin ID 44406

Synopsis

The remote file server is prone to a symlink attack.

Description

The remote Samba server is configured insecurely and allows a remote attacker to gain read or possibly write access to arbitrary files on the affected host. Specifically, if an attacker has a valid Samba account for a share that is writable or there is a writable share that is configured to be a guest account share, he can create a symlink using directory traversal sequences and gain access to files and directories outside that share.

Note that successful exploitation requires that the Samba server's 'wide links' parameter be set to 'yes', which is the default.

Solution

Set 'wide links = no' in the [global] section of smb.conf.
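
To find which shares meet the conditions in the description (writable, with 'wide links' in effect), the following audit sketch parses smb.conf text and lists them. It is an added example, not part of the Nessus plugin or of Samba; the function names and the sample configuration are constructed, and the 'wide links' default is taken from this advisory.

```python
import re

TRUE = {"yes", "true", "on", "1"}   # spellings Samba accepts for a true boolean
WIDE_LINKS_DEFAULT = True           # assumption: the default stated in this advisory

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, all lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections

def lookup(share, glob, names, default, inverted=()):
    """Resolve a boolean: the share's own setting, then [global], then the default."""
    for scope in (share, glob):
        for name in names:
            if name in scope:
                return scope[name] in TRUE
        for name in inverted:                    # e.g. 'read only' negates 'writable'
            if name in scope:
                return scope[name] not in TRUE
    return default

def exposed_shares(text):
    """Return [(share, guest_ok)] for writable shares where wide links is in effect."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    for name, share in conf.items():
        wide = lookup(share, glob, ["wide links"], WIDE_LINKS_DEFAULT)
        writable = lookup(share, glob, ["writable", "writeable", "write ok"], False, ["read only"])
        if name != "global" and wide and writable:
            findings.append((name, lookup(share, glob, ["guest ok", "public"], False)))
    return findings

# Constructed sample: 'public' is flagged, 'docs' is not (wide links disabled per share).
SAMPLE = ("[global]\nworkgroup = EXAMPLE\n"
          "[public]\nguest ok = yes\nread only = no\n"
          "[docs]\nwritable = yes\nwide links = no\n")
```

A share reported with guest_ok set to True needs no account to write to; the parser does not follow 'include' directives or line continuations.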

See Also

https://seclists.org/fulldisclosure/2010/Feb/99

https://www.youtube.com/watch?v=NN50RtZ2N74

https://www.samba.org/samba/news/symlink_attack.html

Plugin Details

Severity: High

ID: 44406

File Name: samba_symlink_dir_traversal.nasl

Version: 1.22

Type: local

Family: Misc.

Published: 2/8/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:samba:samba

Required KB Items: SMB/samba

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2/4/2010

Reference Information

CVE: CVE-2010-0926

BID: 38111

CWE: 22

Secunia: 38454