Vulnerability in Samba provides access to files
A vulnerability in the creation of symbolic links (symlinks) in the free Samba file and printer server can be exploited to attain access to files outside of predefined paths. Attackers can even get access to the system's root directory (/). To exploit the flaw (directory traversal), attackers must first have an account on the Samba server that includes write access to at least one share. However, if a share is defined as writeable for guests, the hole can even be exploited remotely without such an account on the server. Under standard settings, no shares are writeable for guests.
Using the link, an attacker can access any file with their current privileges, although anonymous/guest users are limited to the "nobody" account. Because Samba runs with root rights, all data can be read out and modified if the flaw is exploited. Creating a specially prepared symlink requires either a modified SMB client, for which Nikolaos Rangos (Kingcope), who discovered the flaw, has published a patch, or the module published on the weekend for the Metasploit framework.
The flaw was found in the current Samba 3.4.5 release, and previous versions are also affected. The Samba developers have confirmed the flaw, but an update or patch has yet to be released. As a workaround, the developers recommend changing the option wide links under [global] from yes to no (wide links = no) and rebooting the server. According to the description by the Samba team, the flaw occurs because Samba allows symlinks to be created via Unix Extensions in the SMB/CIFS protocol. They therefore plan to have wide links = no as the standard in future versions.
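An added example, not from the article or the Samba project: a Python audit that reads an smb.conf and reports which shares meet the conditions described above (wide links in effect on a writable share, and whether guests can write to it). The sample configuration, the share names, the result labels and the wide_links_default parameter are constructed assumptions; the default of yes reflects the affected releases.

```python
import configparser

# Constructed smb.conf for illustration; share names and paths are hypothetical.
SAMPLE_CONF = """
[global]
   wide links = yes
[public]
   guest ok = yes
   writeable = yes
[staff]
   read only = no
[projects]
   writable = yes
   wide links = no
[docs]
   path = /srv/docs
"""
TRUE = {"yes", "true", "1"}

def flag(section, names, default):
    """Boolean value of the first synonym in `names` set in `section`, else default."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE
    return default

def audit(conf_text, wide_links_default=True):
    """Map each share to 'exposed-to-guests', 'exposed-to-accounts' or 'ok'.
    wide_links_default=True is an assumption matching the affected releases."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    # Strip indentation so configparser does not treat it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    result = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        wide = flag(share, ["wide links"], flag(glob, ["wide links"], wide_links_default))
        if "read only" in share:  # "read only" is the inverse of "writeable"
            writable = not flag(share, ["read only"], True)
        else:
            writable = flag(share, ["writeable", "writable", "write ok"], False)
        guest = flag(share, ["guest ok", "public"], False)
        if wide and writable:
            result[name] = "exposed-to-guests" if guest else "exposed-to-accounts"
        else:
            result[name] = "ok"
    return result
```

Running audit() on the sample flags public and staff; after the workaround is applied in [global], every share reports ok.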
- Samba Remote Zero-Day Exploit, security advisory from Kingcope.
- Exploiting the Samba Symlink Traversal, blog post from Metasploit.org.
- Claimed Zero Day exploit in Samba, security advisory from Samba.org.