Vulnerabilities > CVE-2001-1162 - Remote Arbitrary File Creation vulnerability in Samba
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Directory traversal vulnerability in the %m macro in the smb.conf configuration file in Samba before 2.2.0a allows remote attackers to overwrite certain files via a `..` sequence in a NetBIOS name, which is used as the name of a .log file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 6 | |
Application | 2 | |
Exploit-Db
description | Samba 2.0.x/2.2 Remote Arbitrary File Creation Vulnerability. CVE-2001-1162. Remote exploit for unix platform |
id | EDB-ID:20968 |
last seen | 2016-02-02 |
modified | 2001-06-23 |
published | 2001-06-23 |
reporter | Michal Zalewski |
source | https://www.exploit-db.com/download/20968/ |
title | Samba 2.0.x/2.2 - Remote Arbitrary File Creation Vulnerability |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-065.NASL description Michal Zalewski discovered that Samba does not properly validate NetBIOS names from remote machines. By itself that is not a problem, except if Samba is configured to write log-files to a file that includes the NetBIOS name of the remote side by using the `%m last seen 2020-06-01 modified 2020-06-02 plugin id 14902 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14902 title Debian DSA-065-1 : samba - remote file append/creation code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-065. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (dpkg-based) check for CVE-2001-1162 on Debian 2.2: reports a hole
# when any of samba, samba-common, samba-doc, smbclient, smbfs or swat is
# installed at a version older than the DSA-065 fix, 2.0.7-3.4.
# Only package versions are compared; smb.conf is never read.

include("compat.inc");

# Registration block: plugin metadata only. The exit(0) at its end means
# the check code further down never runs in description mode.
if (description)
{
  script_id(14902);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2001-1162");
  script_bugtraq_id(2927);
  script_xref(name:"DSA", value:"065");

  script_name(english:"Debian DSA-065-1 : samba - remote file append/creation");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # Advisory text quoted verbatim. NOTE(review): its '/var/log/samba/%s'
  # example presumably means the `%m' macro named just before it; left
  # unchanged because it is the quoted DSA wording.
  script_set_attribute(
    attribute:"description",
    value:
    "Michal Zalewski discovered that Samba does not properly validate NetBIOS names from remote machines. By itself that is not a problem, except if Samba is configured to write log-files to a file that includes the NetBIOS name of the remote side by using the `%m' macro in the `log file' command. In that case an attacker could use a NetBIOS name like '../tmp/evil'. If the log-file was set to '/var/log/samba/%s' Samba would then write to /var/tmp/evil. 
Since the NetBIOS name is limited to 15 characters and the `log file' command could have an extension to the filename the results of this are limited. However if the attacker is also able to create symbolic links on the Samba server they could trick Samba into appending any data they want to all files on the filesystem which Samba can write to. The Debian GNU/Linux packaged version of Samba has a safe configuration and is not vulnerable. As temporary workaround for systems that are vulnerable change all occurrences of the `%m' macro in smb.conf to `%l' and restart Samba."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-065"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "This has been fixed in version 2.0.7-3.4, and we recommend that you upgrade your Samba package immediately."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2001/06/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # Needs the dpkg listing that ssh_get_info.nasl stores in the KB.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Stop unless local checks ran on a Debian host and a package list exists.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# flag counts packages found installed below the fixed reference version.
flag = 0;
if (deb_check(release:"2.2", prefix:"samba", reference:"2.0.7-3.4")) flag++;
if (deb_check(release:"2.2", prefix:"samba-common", reference:"2.0.7-3.4")) flag++;
if (deb_check(release:"2.2", prefix:"samba-doc", reference:"2.0.7-3.4")) flag++;
if (deb_check(release:"2.2", prefix:"smbclient", reference:"2.0.7-3.4")) flag++;
if (deb_check(release:"2.2", prefix:"smbfs", reference:"2.0.7-3.4")) flag++;
if (deb_check(release:"2.2", prefix:"swat", reference:"2.0.7-3.4")) flag++;

# NOTE(review): a host that applied the advisory's workaround (replacing
# `%m' with `%l' in smb.conf) but kept the old package still trips this
# check; confirm against the configuration before closing the finding.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2001-062.NASL description Michal Zalewski has found a vulnerability in all versions of Samba prior to 2.0.10 where if a client sends an invalid netbios name Samba could be tricked into appending it last seen 2020-06-01 modified 2020-06-02 plugin id 13877 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13877 title Mandrake Linux Security Advisory : samba (MDKSA-2001:062) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2001:062.
# The text itself is copyright (C) Mandriva S.A.
#
# Local (rpm-based) check for CVE-2001-1162 on Mandrake 7.1, 7.2 and 8.0:
# reports a hole when samba, samba-client or samba-common is installed
# below the MDKSA-2001:062 fix (2.0.10-1.3mdk / 1.2mdk / 1.1mdk per release).
# Only x86 hosts are checked (see the cpu gate below); smb.conf is not read.

include("compat.inc");

# Registration block: metadata only; exit(0) keeps the checks below from
# running in description mode.
if (description)
{
  script_id(13877);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2001-1162");
  script_xref(name:"MDKSA", value:"2001:062");

  script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2001:062)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Mandrake Linux host is missing one or more security updates."
  );
  # Advisory text quoted verbatim (including its "it's").
  script_set_attribute(
    attribute:"description",
    value:
    "Michal Zalewski has found a vulnerability in all versions of Samba prior to 2.0.10 where if a client sends an invalid netbios name Samba could be tricked into appending it's log to files writable by root. This can be very dangerous if combined with a symlink created by a local user. Note that the log files must be specified as %m.log in order for this to work, and Mandrake Linux ships Samba by default using log.%m, thus it is not vulnerable 'out of the box'."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://us1.samba.org/samba/whatsnew/macroexploit.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "Update the affected samba, samba-client and / or samba-common packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # Needs the rpm listing and cpu string that ssh_get_info.nasl stores in the KB.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Stop unless local checks ran on a Mandrake host with an rpm list.
# (The "Mandake" spelling is the plugin's own message text, left verbatim.)
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: the rpm_check calls below only carry i386 references,
# so any non-x86 host is reported as not implemented rather than guessed at.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# flag counts packages found installed below the per-release fixed version.
flag = 0;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-2.0.10-1.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-client-2.0.10-1.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"samba-common-2.0.10-1.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-2.0.10-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-client-2.0.10-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"samba-common-2.0.10-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-2.0.10-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.0.10-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.0.10-1.1mdk", yank:"mdk")) flag++;

# NOTE(review): the advisory text above says exposure depends on the
# `log file' naming (%m.log vs. the shipped log.%m); this check reports on
# package version alone, so treat a hit as "unpatched", not "exploitable".
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Gain a shell remotely NASL id SAMBA_ARBITRARY_FILE_CREATION.NASL description The remote Samba server, according to its version number, allows creation of arbitrary remote files. This vulnerability allows an attacker to overwrite arbitrary files by supplying an arbitrarily formed NetBIOS machine name to this server, and to potentially become root on the remote server. An attacker does not need any privileges to exploit this flaw. last seen 2020-06-01 modified 2020-06-02 plugin id 10786 published 2001-10-17 reporter This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10786 title Samba NETBIOS Name Traversal Arbitrary Remote File Creation code
#
# (C) Tenable Network Security, Inc.
#
# Remote, banner-based check for CVE-2001-1162: reads the Native LAN Manager
# string that smb_nativelanman.nasl stored in the KB and reports a hole when
# it names Samba 2.0.5 through 2.0.9 (with any non-digit suffix) or exactly
# Samba 2.2.0. Nothing is sent to the target by this plugin itself.

include("compat.inc");

# Registration block: metadata only; exit(0) keeps the check below from
# running in description mode.
if(description)
{
  script_id(10786);
  script_version("1.19");
  script_cve_id("CVE-2001-1162");
  script_bugtraq_id(2928);

  script_name(english: "Samba NETBIOS Name Traversal Arbitrary Remote File Creation");

  script_set_attribute(attribute:"synopsis", value:
  "Arbitrary files may be overwritten on the remote server." );
  script_set_attribute(attribute:"description", value:
  "The remote Samba server, according to its version number, allows creation of arbitrary remote files. This vulnerability allows an attacker to overwrite arbitrary files by supplying an arbitrarily formed NetBIOS machine name to this server, and to potentially become root on the remote server. An attacker does not need any privileges to exploit this flaw." );
  script_set_attribute(attribute:"solution", value:
  "Upgrade to Samba 2.0.10 or 2.2.0a" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2001/10/17");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/06/23");
  script_cvs_date("Date: 2018/07/27 18:38:14");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_summary(english: "checks samba version");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
  script_family(english: "Gain a shell remotely");

  # script_dependencie is the legacy spelling of script_dependencies.
  script_dependencie("smb_nativelanman.nasl");
  script_require_keys("SMB/NativeLanManager");
  exit(0);
}

#
# The script code starts here
#

# Banner collected by smb_nativelanman.nasl; ">< " is NASL substring match.
lanman = get_kb_item("SMB/NativeLanManager");
if("Samba" >< lanman)
{
  # NOTE(review): the Mandrake advisory on this page says every release
  # before 2.0.10 is affected, but this pattern starts at 2.0.5, so a
  # 2.0.0-2.0.4 banner is not flagged - confirm the intended coverage.
  # [^0-9]*$ admits suffixes like "a" but rejects vendor revisions that
  # contain digits, so a patched backport is not mistaken for 2.0.x.
  if(ereg(pattern:"Samba 2\.0\.[5-9][^0-9]*$", string:lanman))security_hole(139);
  # 2.2.0a (the fixed release) does not match because of the anchored $.
  if(ereg(pattern:"Samba 2\.2\.0$", string:lanman))security_hole(139);
}
# NOTE(review): the port is hardcoded to 139 rather than taken from the KB
# entry the banner came from, and a banner match is an indicator only
# (backports or altered strings defeat it); where local access exists,
# prefer the package checks in plugins 14902 / 13877 for confirmation.
Redhat
advisories |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P
- http://ciac.llnl.gov/ciac/bulletins/l-105.shtml
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405
- http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-027-01
- http://us1.samba.org/samba/whatsnew/macroexploit.html
- http://www.calderasystems.com/support/security/advisories/CSSA-2001-024.0.txt
- http://www.debian.org/security/2001/dsa-065
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-062.php3
- http://www.redhat.com/support/errata/RHSA-2001-086.html
- http://www.securityfocus.com/advisories/3423
- http://www.securityfocus.com/archive/1/193027
- http://www.securityfocus.com/bid/2928
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6731