
Samba Insecure "wide links" Default Configuration Weakness


Secunia ID

SA38454

CVE-ID

CVE-2010-0926

Release Date

05 Feb 2010

Last Change

01 Aug 2011

Criticality

Less Critical

Solution Status

Vendor Patch

Software

Samba 3.x

Where

From local network

Impact
Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or remotely.

Exposure of system information

Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) is exposed and can be revealed remotely and in some cases locally.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Description

Kingcope has discovered a weakness in Samba, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

The weakness is caused by the insecure "wide links" option being enabled by default, which allows the creation of symlinks to directories placed outside a writable share. This can be exploited via directory traversal attacks to gain read and write access to restricted directories with the privileges of e.g. the guest account user.

Successful exploitation without authentication requires that a public writable share is exported and that the option "wide links" is set to "yes" (default).

Note: This is partially documented in e.g. the "smb.conf" manual page.

The weakness is confirmed in version 3.4.5. Other versions may also be affected.

Solution

Update to version 3.4.6, which includes a fixed default configuration file, or manually set the "wide links" option to "no".
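To find shares that meet the conditions described above, the following added example (not part of the advisory or of Samba) audits an smb.conf for shares that are guest-accessible, writable, and have "wide links" effectively enabled. The sample configuration, share names and function names are constructed for illustration, and treating an unset "wide links" as "yes" is an assumption taken from the default the advisory describes.

```python
import re

# Constructed sample smb.conf; share names and paths are illustrative only.
SAMPLE_CONF = """
[public]
   path = /srv/public
   guest ok = yes
   writable = yes
[drop]
   path = /srv/drop
   public = yes
   read only = no
   wide links = no
[docs]
   path = /srv/docs
   guest ok = yes
"""

TRUE = {"yes", "true", "1"}
# smb.conf(5) synonyms -> (canonical name, True if the meaning is inverted)
ALIASES = {"public": ("guestok", False), "writable": ("readonly", True),
           "writeable": ("readonly", True), "writeok": ("readonly", True)}

def parse(text):
    """Return {section: {param: value}}; names compared without case/spaces."""
    conf, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            val = val.strip().lower()
            key, inverted = ALIASES.get(key, (key, False))
            if inverted:
                val = "no" if val in TRUE else "yes"
            cur[key] = val
    return conf

def exposed_shares(text, default_wide_links="yes"):
    # default_wide_links models an unset option (assumption: "yes", as in 3.4.5)
    conf = parse(text)
    glob = conf.pop("global", {})  # [global] values are inherited by every share
    base = {"guestok": "no", "readonly": "yes", "widelinks": default_wide_links}
    eff = {name: {**base, **glob, **p} for name, p in conf.items()}
    return [n for n, e in eff.items() if e["guestok"] in TRUE
            and e["readonly"] not in TRUE and e["widelinks"] in TRUE]
```

Only the constructed [public] share is reported: [drop] sets "wide links = no" explicitly, and [docs] is read-only by default.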

Reported by

Kingcope

Original Advisory

Samba:
http://marc.info/?l=samba-technical&m=126539387432412&w=2
https://bugzilla.samba.org/show_bug.cgi?id=7104
http://us1.samba.org/samba/security/CVE-2010-0926.html

Kingcope:
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0083.html