Author: tridge
Date: 2010-02-05 14:48:36 -0700 (Fri, 05 Feb 2010)
New Revision: 1363
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1363 Log: add response to symlink attack Added: trunk/news/symlink_attack.html Modified: trunk/index.html Changeset: Modified: trunk/index.html =================================================================== --- trunk/index.html 2010-02-01 18:57:40 UTC (rev 1362) +++ trunk/index.html 2010-02-05 21:48:36 UTC (rev 1363) @@ -24,6 +24,12 @@ <h2>Latest News</h2> <!--#include virtual="/samba/news/headlines.html" --> + <h4>5 February 2010</h4> + <p class="headline">Samba response to reported security hole</p> + + <p>The Samba Team has <a href="news/symlink_attack.html">posted a + response</a> to the widely reported symlink attack.</p> + <h4>26 January 2010</h4> <p class="headline">Samba 3.5.0rc2 Available for Download</p> Added: trunk/news/symlink_attack.html =================================================================== --- trunk/news/symlink_attack.html (rev 0) +++ trunk/news/symlink_attack.html 2010-02-05 21:48:36 UTC (rev 1363) 
@@ -0,0 +1,79 @@ +<!--#include virtual="/samba/header.html" --> + <title>Symlink attack</title> +<!--#include virtual="/samba/header_columns.html" --> + + +<h4>5 February 2010</h4> + <p class="headline">Claimed Zero Day exploit in Samba</p> + +<p>A user named "kcopedarookie" posted what they claim to be a video +of a +zero-day <a href="http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true">exploit +in Samba</a> on youtube yesterday.</p> + +<p>The video shows modifications to smbclient allowing +/etc/passwd to be downloaded from a remote server.</p> + +<p>The issue is actually a default insecure configuration +in Samba.</p> + +<h5>Quick FAQ: What do I do !</h5> + +<p>Set: +<pre> + wide links = no +</pre> +in the [global] section of your smb.conf and restart +smbd to eliminate this problem.</p> + +<h5>Longer FAQ: The real issue</h5> + +<p>The problem comes from a combination of two features in Samba, each +of which on their own are useful to Administrators, but in combination +allow users to access any file on the system that their logged in +username has permissions to read (this is not a privilege escalation +problem).</p> + +<p>By default Samba ships with the parameter "wide links = yes", which +allows Administrators to locally (on the server) add a symbolic link +inside an exported share which SMB/CIFS clients will follow.</p> + +<p>As an example, given a share definition: +<pre> + [tmp] + path = /tmp + read only = no + guest ok = yes +</pre></p> + +<p>The administrator could add a symlink: + +<pre> + $ ln -s /etc/passwd /tmp/passwd +</pre> + +and SMB/CIFS clients would then see a file called "passwd" within +the [tmp] share that could be read and would allow clients to read +/etc/passwd.</p> + +<p>If the "wide links" parameter is set to "no", any attempt +to read this file will fail with an "access denied" error.</p> + +<p>The problem occurs as Samba allows clients using the UNIX +extensions (which are also turned on by default) to create +symlinks on remotely 
mounted shares on which they have write +access that point to any path on the file system.</p> + +<p>This is by design, as applications running on UNIX clients may have +good reasons to create symlinks anywhere on the filesystem they have +write access that point to local files (such as /etc/passwd).</p> + +<p>UNIX clients will resolve these links locally, but Windows +clients will resolve them on the server. It is this combination +that causes the problem.</p> + +<p>All future versions of Samba will have the parameter "wide links" +set to "no" by default, and the manual pages will be updated to +explain this issue.</p> + +<!--#include virtual="/samba/footer.html" -->
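Review bot: In the trunk/index.html hunk, the new front-page entry ("Samba response to reported security hole") links to the response but does not say what an administrator should do. Someone who only scans the headlines learns that there is a "widely reported symlink attack" and nothing else. Consider putting the mitigation in the blurb itself, for example by mentioning that setting "wide links = no" in [global] closes the hole, so the action is visible without following the link.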
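Review bot: In trunk/news/symlink_attack.html, the "Quick FAQ" offers only "wide links = no", although the "Longer FAQ" explains that the exposure needs both wide links and the UNIX extensions, and the page never names the smb.conf parameter that controls the latter. Sites that depend on administrator-created wide links are left without guidance; suggest naming the parameter ("unix extensions") and stating which of the two settings to turn off in that case. It would also help to say that the fix has to be applied on the server, since the text switches between client and server behaviour. Two markup points in the same hunk: the <pre> blocks sit inside <p> elements (the share example even ends with "</pre></p>"), which is not valid nesting, and the YouTube href carries a raw "&" in "&aia=true" that should be written "&amp;". The heading "What do I do !" also has a stray space before the exclamation mark.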
