svn commit: samba-web r1363 - in trunk: . news

tridge at samba.org tridge at samba.org
Fri Feb 5 14:48:36 MST 2010


Author: tridge
Date: 2010-02-05 14:48:36 -0700 (Fri, 05 Feb 2010)
New Revision: 1363

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1363

Log:
add response to symlink attack

Added:
   trunk/news/symlink_attack.html
Modified:
   trunk/index.html


Changeset:
Modified: trunk/index.html
===================================================================
--- trunk/index.html	2010-02-01 18:57:40 UTC (rev 1362)
+++ trunk/index.html	2010-02-05 21:48:36 UTC (rev 1363)
@@ -24,6 +24,12 @@
     <h2>Latest News</h2>
     <!--#include virtual="/samba/news/headlines.html" -->
 
+    <h4>5 February 2010</h4>
+    <p class="headline">Samba response to reported security hole</p>
+
+    <p>The Samba Team has <a href="news/symlink_attack.html">posted a
+    response</a> to the widely reported symlink attack.</p>
+
     <h4>26 January 2010</h4>
     <p class="headline">Samba 3.5.0rc2 Available for Download</p>
 
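Review bot: The added link `<a href="news/symlink_attack.html">` is relative, while the include just above the new block uses the absolute path `/samba/news/headlines.html`; if this fragment is ever served or included from another directory the link breaks, so `/samba/news/symlink_attack.html` would be safer and consistent. The blurb also gives administrators no hint of what to do. Since the linked page's fix is a single setting, naming `wide links = no` here would help readers who only see the front page.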

Added: trunk/news/symlink_attack.html
===================================================================
--- trunk/news/symlink_attack.html	                        (rev 0)
+++ trunk/news/symlink_attack.html	2010-02-05 21:48:36 UTC (rev 1363)
@@ -0,0 +1,79 @@
+<!--#include virtual="/samba/header.html" -->
+  <title>Symlink attack</title>
+<!--#include virtual="/samba/header_columns.html" -->
+
+
+<h4>5 February 2010</h4>
+    <p class="headline">Claimed Zero Day exploit in Samba</p>
+
+<p>A user named "kcopedarookie" posted what they claim to be a video
+of a
+zero-day <a href="http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true">exploit
+in Samba</a> on youtube yesterday.</p>
+
+<p>The video shows modifications to smbclient allowing
+/etc/passwd to be downloaded from a remote server.</p>
+
+<p>The issue is actually a default insecure configuration
+in Samba.</p>
+
+<h5>Quick FAQ: What do I do !</h5>
+
+<p>Set:
+<pre>
+  wide links = no
+</pre>
+in the [global] section of your smb.conf and restart
+smbd to eliminate this problem.</p>
+
+<h5>Longer FAQ: The real issue</h5>
+
+<p>The problem comes from a combination of two features in Samba, each
+of which on their own are useful to Administrators, but in combination
+allow users to access any file on the system that their logged in
+username has permissions to read (this is not a privilege escalation
+problem).</p>
+
+<p>By default Samba ships with the parameter "wide links = yes", which
+allows Administrators to locally (on the server) add a symbolic link
+inside an exported share which SMB/CIFS clients will follow.</p>
+
+<p>As an example, given a share definition:
+<pre>
+  [tmp]
+	path = /tmp
+	read only = no
+	guest ok = yes
+</pre></p>
+
+<p>The administrator could add a symlink:
+
+<pre>
+  $ ln -s /etc/passwd /tmp/passwd
+</pre>
+
+and SMB/CIFS clients would then see a file called "passwd" within
+the [tmp] share that could be read and would allow clients to read
+/etc/passwd.</p>
+
+<p>If the "wide links" parameter is set to "no", any attempt
+to read this file will fail with an "access denied" error.</p>
+
+<p>The problem occurs as Samba allows clients using the UNIX
+extensions (which are also turned on by default) to create
+symlinks on remotely mounted shares on which they have write
+access that point to any path on the file system.</p>
+
+<p>This is by design, as applications running on UNIX clients may have
+good reasons to create symlinks anywhere on the filesystem they have
+write access that point to local files (such as /etc/passwd).</p>
+
+<p>UNIX clients will resolve these links locally, but Windows
+clients will resolve them on the server. It is this combination
+that causes the problem.</p>
+
+<p>All future versions of Samba will have the parameter "wide links"
+set to "no" by default, and the manual pages will be updated to
+explain this issue.</p>
+
+<!--#include virtual="/samba/footer.html" -->
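Review bot: The Quick FAQ gives only `wide links = no`, but the Longer FAQ says the exposure needs both wide links and the UNIX extensions. The page should say whether turning off the UNIX extensions is an acceptable alternative for sites that depend on wide links, and name the setting if so. The closing statement that "Windows clients will resolve them on the server" also sits oddly with the opening paragraphs, where the demonstration uses a modified smbclient; one sentence saying that any client which does not resolve the link locally gets server-side resolution would close that gap. On markup: the three `<pre>` blocks are nested inside `<p>` elements, which is not valid HTML and leaves the trailing text and `</p>` outside the paragraph, and the bare `&` in the YouTube href should be written `&amp;`.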


