[UNIX] Samba Arbitrary File Access Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

  • Next message: SecuriTeam: "[NEWS] RealPlayer pnen3260.dll Heap Overflow"
    To: list@securiteam.com
    Date: 4 Oct 2004 14:18:16 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Samba Arbitrary File Access Vulnerability


     <http://www.samba.org/samba> Samba is an Open Source/Free Software suite
    that provides seamless file and print services to SMB/CIFS clients.

    Remote exploitation of an input validation vulnerability in Samba allows
    attackers to access files and directories outside of the specified share


    Vulnerable Systems:
     * Samba versions 3.0.2 up to but not including 3.0.7
     * Sambe versions 2.2.9 up to but not including 2.2.12

    Immune Systems:
     * Samba versions 3.0.7 and 2.2.12

    CVE Information:

    Each file and directory name passed into Samba is converted and checked
    with the functions unix_convert() and check_name(). The main purpose of
    the unix_convert() routine is to convert names from the DOS namespace to
    Unix namespace. It calls unix_clean_name(), which in turn removes double
    slashes, leading './' characters and '..' directory-traversal characters.
    check_name() does any final checks necessary to confirm the validity of
    the converted filename and calls reduce_name(), which in turn calls
    unix_clean_name() for a second time. The end result allows for an attacker
    to specify the realpath of any file on the computer.

    /./////etc is passed to unix_clean_name(). It becomes /.///etc. The
    leading slash is then trimmed off to make .///etc. It is then passed to
    unix_clean_name() again. The resulting string is /etc, which is an
    absolute path on the system.

    Successful exploitation allows remote attackers to bypass the specified
    share restrictions to gain read, write and list access to files and
    directories under the privileges of the user. In situations where a public
    share is available, the attack can be performed by unauthenticated

    An attacker does not need exploit code to exploit this vulnerability. The
    smbclient program can be used to request/write/list files using the "get",
    "put" and "dir" commands, respectively.

    Vendor Status:
    Upgrade to the listed versions of Samba which are immune to this problem.

    The patch for Samba 2.x can be found at
    The patch for Samba 3.x can be found at

    Disclosure Timeline
    09/22/2004 Initial vendor notification
    09/22/2004 iDEFENSE clients notified
    09/22/2004 Initial vendor response
    09/30/2004 Coordinated public disclosure


    The information has been provided by
    <mailto:customerservice@idefense.com> iDEFENSE Security Advisory.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] RealPlayer pnen3260.dll Heap Overflow"