Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2010-0926

Publication date 10 March 2010

Last updated 24 July 2024


Ubuntu priority

The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

Read the notes from the security team

Status

Package Ubuntu Release Status
samba 9.10 karmic
Fixed 2:3.4.0-3ubuntu5.6
9.04 jaunty
Fixed 2:3.3.2-1ubuntu3.4
8.10 intrepid
Fixed 2:3.2.3-1ubuntu3.8
8.04 LTS hardy
Fixed 3.0.28a-1ubuntu4.11
6.06 LTS dapper
Fixed 3.0.22-1ubuntu3.11

Notes


mdeslaur

In a default samba configuration, both the unix extensions and the wide links options are on by default. Unix extensions gives extra capabilities to UNIX clients, including symlink support. If a client connects and uses UNIX capabilities, symlinks are sent as-is by the server and are handled by the client. If the client doesn't support UNIX extensions, the server will resolve the symlink and send the actual file it links to. Wide links tells the samba server to follow symlinks even if they point outside the shared directory. The combination of these two parameters can be exploited in the following way: - Unix client creates a new symlink to / - Windows client can then enter the directory pointed to by the symlink as it is followed server-side and read any file from the server's filesystem, if DAC permissions allow it. There is no simple way to fix this issue without possible breaking existing configurations. Leaving it unfixed results in server admins inadvertantly sharing the whole server filesystem. Fixing it results in breaking configurations where a samba share contains symlinks that point outside of the shared directory. The upstream patch changes samba behaviour in that the "wide links" option will get disabled automatically if "UNIX permissions" is enabled. A warning will be issued in the server's log file, which will help diagnose the problem PoC: http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html