Vulnerabilities > CVE-2001-0406 - Unspecified vulnerability in Samba

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
samba
nessus
exploit available

Summary

Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.

Exploit-Db

descriptionSamba 2.0.x Insecure TMP file Symbolic Link Vulnerability. CVE-2001-0406. Local exploit for linux platform
idEDB-ID:20776
last seen2016-02-02
modified2001-04-17
published2001-04-17
reporterGabriel Maggiotti
sourcehttps://www.exploit-db.com/download/20776/
titleSamba 2.0.x Insecure TMP file Symbolic Link Vulnerability

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-048.NASL
    descriptionMarcus Meissner discovered that samba was not creating temporary files safely in two places : - when a remote user queried a printer queue samba would create a temporary file in which the queue data would be written. This was being done using a predictable filename, and insecurely, allowing a local attacker to trick samba into overwriting arbitrary files. - smbclient
    last seen2020-06-01
    modified2020-06-02
    plugin id14885
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14885
    titleDebian DSA-048-3 : samba
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-048. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14885);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2001-0406");
      script_bugtraq_id(2617);
      script_xref(name:"DSA", value:"048");
    
      script_name(english:"Debian DSA-048-3 : samba");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Marcus Meissner discovered that samba was not creating temporary
     files safely in two places :
    
      - when a remote user queried a printer queue samba would
        create a temporary file in which the queue data would be
        written. This was being done using a predictable
        filename, and insecurely, allowing a local attacker to
        trick samba into overwriting arbitrary files.
      - smbclient 'more' and 'mput' commands also created
        temporary files in /tmp insecurely.
    
    Both problems have been fixed in version 2.0.7-3.2, and we recommend
    that you upgrade your samba package immediately. (This problem is also
    fixed in the Samba 2.2 codebase.)
    
    
    Note: DSA-048-1 included an incorrectly compiled sparc package, which
    the second edition fixed.
    
    The third edition of the advisory was made because Marc Jacobsen from
    HP discovered that the security fixes from samba 2.0.8 did not fully
    fix the /tmp symlink attack problem. The samba team released version
    2.0.9 to fix that, and those fixes have been added to version
    2.0.7-3.3 of the Debian samba packages."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2001/dsa-048"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected samba package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"samba", reference:"2.0.7-3.3")) flag++;
    if (deb_check(release:"2.2", prefix:"samba-common", reference:"2.0.7-3.3")) flag++;
    if (deb_check(release:"2.2", prefix:"samba-doc", reference:"2.0.7-3.3")) flag++;
    if (deb_check(release:"2.2", prefix:"smbclient", reference:"2.0.7-3.3")) flag++;
    if (deb_check(release:"2.2", prefix:"smbfs", reference:"2.0.7-3.3")) flag++;
    if (deb_check(release:"2.2", prefix:"swat", reference:"2.0.7-3.3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-040.NASL
    descriptionA vulnerability found by Marcus Meissner exists in Samba where it was not creating temporary files safely which could allow local users to overwrite files that they may not have access to. This happens when a remote user queried a printer queue and samba would create a temporary file in which the queue
    last seen2020-06-01
    modified2020-06-02
    plugin id13860
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13860
    titleMandrake Linux Security Advisory : samba (MDKSA-2001:040-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2001:040. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13860);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-0406");
      script_xref(name:"MDKSA", value:"2001:040-1");
    
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2001:040-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability found by Marcus Meissner exists in Samba where it was
    not creating temporary files safely which could allow local users to
    overwrite files that they may not have access to. This happens when a
    remote user queried a printer queue and samba would create a temporary
    file in which the queue's data was written. Because Samba created the
    file insecurely and used a predictable filename, a local attacker
    could cause Samba to overwrite files that the attacker did not have
    access to. As well, the smbclient 'more' and 'mput' commands also
    created temporary files insecurely.
    
    The vulnerability is present in Samba 2.0.7 and lower. 2.0.8 and 2.2.0
    correct this behaviour.
    
    Update :
    
    The Samba 2.0.8 release did not entirely fix the temporary file issues
    in previous versions. The Samba team released 2.0.9 recently which
    does fix these problems completely. As well, the 8.0 packages will now
    not attempt to use /root/tmp as the temporary directory, but /var/tmp."
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected samba, samba-client and / or samba-common
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-2.0.9-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-client-2.0.9-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-common-2.0.9-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-2.0.9-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-client-2.0.9-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-common-2.0.9-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-2.0.9-1.3mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.0.9-1.3mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.0.9-1.3mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");