CVE-2001-0406 - Symbolic Link vulnerability in Samba Insecure TMP file
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Summary
Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 28 |
Exploit-Db
description | Samba 2.0.x Insecure TMP file Symbolic Link Vulnerability. CVE-2001-0406. Local exploit for linux platform |
id | EDB-ID:20776 |
last seen | 2016-02-02 |
modified | 2001-04-17 |
published | 2001-04-17 |
reporter | Gabriel Maggiotti |
source | https://www.exploit-db.com/download/20776/ |
title | Samba 2.0.x Insecure TMP file Symbolic Link Vulnerability |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-048.NASL description Marcus Meissner discovered that samba was not creating temporary files safely in two places : - when a remote user queried a printer queue samba would create a temporary file in which the queue data would be written. This was being done using a predictable filename, and insecurely, allowing a local attacker to trick samba into overwriting arbitrary files. - smbclient last seen 2020-06-01 modified 2020-06-02 plugin id 14885 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14885 title Debian DSA-048-3 : samba code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-048. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14885); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:16"); script_cve_id("CVE-2001-0406"); script_bugtraq_id(2617); script_xref(name:"DSA", value:"048"); script_name(english:"Debian DSA-048-3 : samba"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Marcus Meissner discovered that samba was not creating temporary files safely in two places : - when a remote user queried a printer queue samba would create a temporary file in which the queue data would be written. This was being done using a predictable filename, and insecurely, allowing a local attacker to trick samba into overwriting arbitrary files. - smbclient 'more' and 'mput' commands also created temporary files in /tmp insecurely. 
Both problems have been fixed in version 2.0.7-3.2, and we recommend that you upgrade your samba package immediately. (This problem is also fixed in the Samba 2.2 codebase.) Note: DSA-048-1 included an incorrectly compiled sparc package, which the second edition fixed. The third edition of the advisory was made because Marc Jacobsen from HP discovered that the security fixes from samba 2.0.8 did not fully fix the /tmp symlink attack problem. The samba team released version 2.0.9 to fix that, and those fixes have been added to version 2.0.7-3.3 of the Debian samba packages." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2001/dsa-048" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected samba package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"patch_publication_date", value:"2001/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"samba", reference:"2.0.7-3.3")) flag++; if (deb_check(release:"2.2", prefix:"samba-common", reference:"2.0.7-3.3")) flag++; if (deb_check(release:"2.2", prefix:"samba-doc", reference:"2.0.7-3.3")) flag++; if (deb_check(release:"2.2", prefix:"smbclient", reference:"2.0.7-3.3")) flag++; if (deb_check(release:"2.2", prefix:"smbfs", reference:"2.0.7-3.3")) flag++; if (deb_check(release:"2.2", prefix:"swat", reference:"2.0.7-3.3")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:deb_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2001-040.NASL description A vulnerability found by Marcus Meissner exists in Samba where it was not creating temporary files safely which could allow local users to overwrite files that they may not have access to. This happens when a remote user queried a printer queue and samba would create a temporary file in which the queue last seen 2020-06-01 modified 2020-06-02 plugin id 13860 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13860 title Mandrake Linux Security Advisory : samba (MDKSA-2001:040-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2001:040. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13860); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2001-0406"); script_xref(name:"MDKSA", value:"2001:040-1"); script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2001:040-1)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability found by Marcus Meissner exists in Samba where it was not creating temporary files safely which could allow local users to overwrite files that they may not have access to. This happens when a remote user queried a printer queue and samba would create a temporary file in which the queue's data was written. Because Samba created the file insecurely and used a predictable filename, a local attacker could cause Samba to overwrite files that the attacker did not have access to. 
As well, the smbclient 'more' and 'mput' commands also created temporary files insecurely. The vulnerability is present in Samba 2.0.7 and lower. 2.0.8 and 2.2.0 correct this behaviour. Update : The Samba 2.0.8 release did not entirely fix the temporary file issues in previous versions. The Samba team released 2.0.9 recently which does fix these problems completely. As well, the 8.0 packages will now not attempt to use /root/tmp as the temporary directory, but /var/tmp." ); script_set_attribute( attribute:"solution", value: "Update the affected samba, samba-client and / or samba-common packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2001/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) 
audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-2.0.9-1.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-client-2.0.9-1.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-common-2.0.9-1.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-2.0.9-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-client-2.0.9-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-common-2.0.9-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-2.0.9-1.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.0.9-1.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.0.9-1.3mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0305.html
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0319.html
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0326.html
- http://archives.neohapsis.com/archives/freebsd/2001-04/0608.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000395
- http://www.caldera.com/support/security/advisories/CSSA-2001-015.0.txt
- http://www.debian.org/security/2001/dsa-048
- http://www.kb.cert.org/vuls/id/670568
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-040.php3
- http://www.securityfocus.com/bid/2617