CVE-2010-0926
Samba <3.3.11, <3.4.6, <3.5.0rc3 - Path Traversal
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by kingcope · ruby · remote · linux
https://www.exploit-db.com/exploits/33598
exploitdb
WORKING POC
VERIFIED
by kingcope · text · remote · linux
https://www.exploit-db.com/exploits/33599
metasploit
WORKING POC
by kcope, hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
References (35)
Scores
EPSS: 0.5241
EPSS Percentile: 97.9%
Details
CWE: CWE-22
Status: published
Products (18)
samba/samba 3.3.0
samba/samba 3.3.1
samba/samba 3.3.2
samba/samba 3.3.3
samba/samba 3.3.4
samba/samba 3.3.5
samba/samba 3.3.6
samba/samba 3.3.7
samba/samba 3.3.8
samba/samba 3.3.9
... and 8 more
Published: Mar 10, 2010
Tracked Since: Feb 18, 2026