Hello Paul,

First and foremost, I did not know about the configuration setting which closes the bug when I posted the advisory. So this was my mistake. But for most servers which are not entirely hardened (and my assumption is that this applies to many servers in internal networks) the traversal can be a serious issue, because a Samba user (even nobody) can create the symlinks. It would in my point of view be more secure to only allow administrators to create symlinks as it is intended. Again I might be wrong with this thought.

I first audited Windows Server 2008 for the new SMB2 hardlinking features. Symlinking on a Windows server is possible but only when the remotely logged in account is the Administrator. Creating symlinks to paths outside the directory of the given share is not possible. However accessing a symlink in a directory which points to for example c:\ is possible. I don't say that because Samba should have the same semantics as Windows, but because its implementation of handling remote to local and local to remote symbolic links is more secure.

After failing in auditing the Windows servers on the potential vulnerabilities I just gave Samba a try and the default configuration of my Ubuntu Desktop System and CentOS Server allowed me to conduct the attack out of the box. Turning off symlink support in Samba closes the hole but then no access to symlinks created by the administrator is possible, or am I wrong?

With Respect,

Kingcope

On Saturday, 06.02.2010, 09:43 +1100, paul.szabo@xxxxxxxxxxxxx wrote:
> Dear Dan,
>
> > The bug here is that out-of-path symlinks are remotely writable. ...
>
> You mean "creatable".
>
> > ... the fact that he can *generate* the symlink breaks ...
>
> Nothing breaks if the admin sets "wide links = no" for that share: the
> link is not followed.
>
> > But Samba supports dropping a user into a path ...
>
> I never noticed such support documented: references please?
>
> > ... and it really does need to keep him there.
>
> You cannot "break out" of shares with "wide links = no".
>
> > ... Samba is supposed to match Windows semantics in general.
>
> No please, do not dumb it down.
>
> Cheers, Paul
>
> Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia