CVE-2010-0926: Path Traversal
First published: Fri Feb 05 2010(Updated: )
Security researcher called "Kingcope" pointed out: [1] <a href="http://seclists.org/fulldisclosure/2010/Feb/82">http://seclists.org/fulldisclosure/2010/Feb/82</a> [2] <a href="http://www.youtube.com/watch?v=NN50RtZ2N74">http://www.youtube.com/watch?v=NN50RtZ2N74</a> and detailed: [3] <a href="http://seclists.org/fulldisclosure/2010/Feb/99">http://seclists.org/fulldisclosure/2010/Feb/99</a> a deficiency in the behaviour of Samba server, providing SMB/CIFS services to the clients. Samba server, in the default configuration, is shipped with configuration file parameter "wide links" set to "yes" ("wide links = yes"). If a local user would first locally create a symbolic link, which target would point to some system sensitive file / directory and link name of this link would be placed into an exported Samba share, with write access for Samba users, this might allow a remote attacker to read, list and retrieve files, behind the target of the symbolic link. Samba upstream review of reasons and impact of this issue: [4] <a href="http://marc.info/?l=samba-technical&m=126539387432412&w=2">http://marc.info/?l=samba-technical&m=126539387432412&w=2</a> As mentioned in [4] the problem "is actually a default insecure configuration in Samba." and "comes from a combination of two features in Samba, each of which on their own are useful to Administrators". Workaround -- to prevent occurrence of this deficiency set: =========================================================== wide links = no in the [global] section of your smb.conf and restart the Samba (smbd) daemon. This will ensure, remote Samba clients will not follow symbolink links, exported in Samba shares, to their target anymore (thus prevent the potential disclosure of sensitive data).
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Samba Samba | =3.3.3 | |
| Samba Samba | =3.4.2 | |
| Samba Samba | =3.4.0 | |
| Samba Samba | =3.3.9 | |
| Samba Samba | =3.4.5 | |
| Samba Samba | =3.3.4 | |
| Samba Samba | =3.3.7 | |
| Samba Samba | =3.4.1 | |
| Samba Samba | =3.3.1 | |
| Samba Samba | =3.3.0 | |
| Samba Samba | =3.3.6 | |
| Samba Samba | =3.5.0 | |
| Samba Samba | =3.3.2 | |
| Samba Samba | =3.4.4 | |
| Samba Samba | =3.4.3 | |
| Samba Samba | =3.3.8 | |
| Samba Samba | =3.3.5 | |
| Samba Samba | =3.3.10 | |
| redhat/samba | <0:3.0.33-3.37.el5 | 0:3.0.33-3.37.el5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0083.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0107.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0108.html
- http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
- http://gitweb.samba.org/?p=samba.git%3Ba=commit%3Bh=bd269443e311d96ef495a9db47d1b95eb83bb8f4
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- http://marc.info/?l=full-disclosure&m=126538598820903&w=2
- http://marc.info/?l=oss-security&m=126539592603079&w=2
- http://marc.info/?l=oss-security&m=126540402215620&w=2
- http://marc.info/?l=oss-security&m=126540733320471&w=2
- http://marc.info/?l=oss-security&m=126545363428745&w=2
- http://marc.info/?l=oss-security&m=126777580624790&w=2
- http://marc.info/?l=samba-technical&m=126539387432412&w=2
- http://marc.info/?l=samba-technical&m=126540011609753&w=2
- http://marc.info/?l=samba-technical&m=126540100511357&w=2
- http://marc.info/?l=samba-technical&m=126540248613395&w=2
- http://marc.info/?l=samba-technical&m=126540277713815&w=2
- http://marc.info/?l=samba-technical&m=126540290614053&w=2
- http://marc.info/?l=samba-technical&m=126540376915283&w=2
- http://marc.info/?l=samba-technical&m=126540475116511&w=2
- http://marc.info/?l=samba-technical&m=126540477016522&w=2
- http://marc.info/?l=samba-technical&m=126540539117328&w=2
- http://marc.info/?l=samba-technical&m=126540608318301&w=2
- http://marc.info/?l=samba-technical&m=126540695819735&w=2
- http://marc.info/?l=samba-technical&m=126547903723628&w=2
- http://marc.info/?l=samba-technical&m=126548356728379&w=2
- http://marc.info/?l=samba-technical&m=126549111204428&w=2
- http://marc.info/?l=samba-technical&m=126555346721629&w=2
- http://secunia.com/advisories/39317
- http://www.openwall.com/lists/oss-security/2010/02/06/3
- http://www.openwall.com/lists/oss-security/2010/03/05/3
- http://www.samba.org/samba/news/symlink_attack.html
- https://bugzilla.redhat.com/show_bug.cgi?id=562568
- https://bugzilla.samba.org/show_bug.cgi?id=7104
- http://gitweb.samba.org/?p=samba.git;a=commit;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4
- http://seclists.org/fulldisclosure/2010/Feb/82
- http://www.youtube.com/watch?v=NN50RtZ2N74
- http://seclists.org/fulldisclosure/2010/Feb/99
- http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4
- https://access.redhat.com/security/cve/CVE-2010-0926
- http://www.samba.org/samba/history/samba-3.4.6.html
- http://www.samba.org/samba/history/samba-3.5.0.html
- https://rhn.redhat.com/errata/RHSA-2012-0313.html
- https://www.cve.org/CVERecord?id=CVE-2010-0926 https://nvd.nist.gov/vuln/detail/CVE-2010-0926
- https://access.redhat.com/errata/RHSA-2012:0313
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-0926.json
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0926
- agent/references
- agent/weakness
- agent/description
- agent/severity
- collector/redhat-cve
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/samba
- canonical/samba samba
- version/samba samba/3.3.3
- version/samba samba/3.4.2
- version/samba samba/3.4.0
- version/samba samba/3.3.9
- version/samba samba/3.4.5
- version/samba samba/3.3.4
- version/samba samba/3.3.7
- version/samba samba/3.4.1
- version/samba samba/3.3.1
- version/samba samba/3.3.0
- version/samba samba/3.3.6
- version/samba samba/3.5.0
- version/samba samba/3.3.2
- version/samba samba/3.4.4
- version/samba samba/3.4.3
- version/samba samba/3.3.8
- version/samba samba/3.3.5
- version/samba samba/3.3.10
- package-manager/redhat