Vulnerabilities > CVE-2001-1162 - Remote Arbitrary File Creation vulnerability in Samba

CVSS v2 base score 10.0 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C) - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
samba
hp
critical
nessus
exploit available

Summary

Directory traversal vulnerability in the expansion of the `%m` macro (the client's NetBIOS name) in the smb.conf configuration file in Samba before 2.0.10 and in 2.2.0 (fixed in 2.2.0a) allows unauthenticated remote attackers to write to or overwrite files outside the log directory via `..` sequences in a NetBIOS name, when that name is used to build the path of a .log file (e.g. `log file = .../%m.log`). The 15-character NetBIOS name limit bounds how far the traversal reaches, but combined with a symlink planted by a local user the appended log data can be directed at any root-writable file.

Exploit-Db

description: Samba 2.0.x/2.2 Remote Arbitrary File Creation Vulnerability. CVE-2001-1162. Remote exploit for the Unix platform.
id: EDB-ID:20968
last seen: 2016-02-02
modified: 2001-06-23
published: 2001-06-23
reporter: Michal Zalewski
source: https://www.exploit-db.com/download/20968/
title: Samba 2.0.x/2.2 - Remote Arbitrary File Creation Vulnerability

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-065.NASL
    description: Michal Zalewski discovered that Samba does not properly validate NetBIOS names from remote machines. By itself that is not a problem, except if Samba is configured to write log files to a path that includes the NetBIOS name of the remote side via the `%m' macro in the `log file' command; an attacker can then send a NetBIOS name containing `..` so that the log is written outside the intended directory. The Debian-packaged default configuration does not use `%m` and is not vulnerable; as a temporary workaround, replace `%m` with `%l` in smb.conf and restart Samba.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14902
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14902
    title: Debian DSA-065-1 : samba - remote file append/creation
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-065. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and the advisory / CVE cross-references it covers.
      script_id(14902);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:16");
      script_cve_id("CVE-2001-1162");
      script_bugtraq_id(2927);
      script_xref(name:"DSA", value:"065");
      script_name(english:"Debian DSA-065-1 : samba - remote file append/creation");
      script_summary(english:"Checks dpkg output for the updated package");
    
      # Report text, reproduced verbatim from DSA-065.
      # NOTE(review): the quoted example is internally inconsistent: it names the
      # `%m' macro but writes the log path as '/var/log/samba/%s', and a name of
      # '../tmp/evil' under /var/log/samba/ resolves to /var/log/tmp/evil rather
      # than /var/tmp/evil. Kept as-is because it is the advisory's own wording.
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Michal Zalewski discovered that Samba does not properly validate
     NetBIOS names from remote machines.
    
    By itself that is not a problem, except if Samba is configured to
    write log-files to a file that includes the NetBIOS name of the remote
    side by using the `%m' macro in the `log file' command. In that case
    an attacker could use a NetBIOS name like '../tmp/evil'. If the
    log-file was set to '/var/log/samba/%s' Samba would then write to
    /var/tmp/evil.
    
    Since the NetBIOS name is limited to 15 characters and the `log file'
    command could have an extension to the filename the results of this
    are limited. However if the attacker is also able to create symbolic
    links on the Samba server they could trick Samba into appending any
    data they want to all files on the filesystem which Samba can write
    to.
    
    The Debian GNU/Linux packaged version of Samba has a safe
    configuration and is not vulnerable.
    
    As temporary workaround for systems that are vulnerable change all
    occurrences of the `%m' macro in smb.conf to `%l' and restart Samba.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2001/dsa-065");
      script_set_attribute(attribute:"solution", value:
    "This has been fixed in version 2.0.7-3.4, and we recommend that you
    upgrade your Samba package immediately.");
    
      # Scoring and exploitability metadata (CVSS v2; a public PoC exists).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # Targeting: authenticated local check against the Debian 2.2 samba packages.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"patch_publication_date", value:"2001/06/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2001/06/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    # Stop with a typed audit reason unless the SSH-collected package inventory is usable.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Every binary package built from the samba source was fixed in the same upload.
    fixed_version = "2.0.7-3.4";
    samba_packages = make_list("samba", "samba-common", "samba-doc", "smbclient", "smbfs", "swat");
    
    flag = 0;
    foreach pkg (samba_packages)
    {
      if (deb_check(release:"2.2", prefix:pkg, reference:fixed_version)) flag++;
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # A hit means an unfixed package version is installed. This is a version check
    # only: smb.conf is not inspected, so a host whose `log file` avoids `%m` (the
    # shipped Debian default, per the advisory text above) is still reported.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2001-062.NASL
    description: Michal Zalewski has found a vulnerability in all versions of Samba prior to 2.0.10 where, if a client sends an invalid NetBIOS name, Samba can be tricked into appending its log to files writable by root. This can be very dangerous if combined with a symlink created by a local user. Note that the log file must be specified as %m.log for this to work; Mandrake Linux ships Samba using log.%m by default and is therefore not vulnerable 'out of the box'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13877
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13877
    title: Mandrake Linux Security Advisory : samba (MDKSA-2001:062)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2001:062. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and the advisory / CVE it tracks.
      script_id(13877);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
      script_cve_id("CVE-2001-1162");
      script_xref(name:"MDKSA", value:"2001:062");
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2001:062)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      # Report text, reproduced from MDKSA-2001:062. The advisory's own caveat
      # matters for triage: the flaw needs `log file` to be built as `%m.log`,
      # and Mandrake's shipped `log.%m` layout is stated not to be exploitable.
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mandrake Linux host is missing one or more security
    updates.");
      script_set_attribute(attribute:"description", value:
    "Michal Zalewski has found a vulnerability in all versions of Samba
    prior to 2.0.10 where if a client sends an invalid netbios name Samba
    could be tricked into appending it's log to files writable by root.
    This can be very dangerous if combined with a symlink created by a
    local user. Note that the log files must be specified as %m.log in
    order for this to work, and Mandrake Linux ships Samba by default
    using log.%m, thus it is not vulnerable 'out of the box'.");
      script_set_attribute(attribute:"see_also", value:"http://us1.samba.org/samba/whatsnew/macroexploit.html");
      script_set_attribute(attribute:"solution", value:
    "Update the affected samba, samba-client and / or samba-common
    packages.");
    
      # Scoring metadata (CVSS v2).
      # NOTE(review): unlike the other two plugins for this CVE (14902, 10786),
      # no temporal vector or exploit_available flag is set here although an
      # Exploit-DB entry exists for the issue.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # Targeting: local check against the Mandrake releases that received 2.0.10 builds.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"patch_publication_date", value:"2001/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Stop with a typed audit reason unless the rpm inventory for a supported arch is present.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    # Fixed 2.0.10 builds, one per supported release. The two lists are parallel
    # and iterated in order so the generated report lists hits as before.
    releases = make_list("MDK7.1", "MDK7.2", "MDK8.0");
    builds   = make_list("1.3mdk", "1.2mdk", "1.1mdk");
    packages = make_list("samba", "samba-client", "samba-common");
    
    flag = 0;
    for (i = 0; i < max_index(releases); i++)
    {
      foreach pkg (packages)
      {
        ref = pkg + "-2.0.10-" + builds[i];
        if (rpm_check(release:releases[i], cpu:"i386", reference:ref, yank:"mdk")) flag++;
      }
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Version-only result: the advisory says the default `log.%m` layout is not
    # exploitable, but smb.conf is not consulted here, so such hosts are still reported.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Gain a shell remotely
    NASL id: SAMBA_ARBITRARY_FILE_CREATION.NASL
    description: The remote Samba server, according to its version number, allows creation of arbitrary remote files. This vulnerability allows an attacker to overwrite arbitrary files by supplying a specially formed NetBIOS machine name to this server, and potentially to become root on the remote host. An attacker does not need any privileges to exploit this flaw. Note that this is a banner/version check only; it does not verify that `log file` uses the `%m` macro.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10786
    published: 2001-10-17
    reporter: This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10786
    title: Samba NETBIOS Name Traversal Arbitrary Remote File Creation
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if(description)
    {
      # Plugin identity and external references.
      script_id(10786);
      script_version("1.19");
      script_cvs_date("Date: 2018/07/27 18:38:14");
      script_cve_id("CVE-2001-1162");
      script_bugtraq_id(2928);
      script_name(english: "Samba NETBIOS Name Traversal Arbitrary Remote File Creation");
      script_summary(english: "checks samba version");
    
      # Report text. "according to its version number" is the operative caveat:
      # this remote plugin never inspects smb.conf, only the advertised banner.
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary files may be overwritten on the remote server." );
      script_set_attribute(attribute:"description", value:
    "The remote Samba server, according to its version number, allows
    creation of arbitrary remote files. 
    
    This vulnerability allows an attacker to overwrite arbitrary files by
    supplying an arbitrarily formed NetBIOS machine name to this server,
    and to potentially become root on the remote server. 
    
    An attacker does not need any privileges to exploit this flaw." );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba 2.0.10 or 2.2.0a" );
    
      # Scoring and exploitability metadata (CVSS v2; public PoC available).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"vuln_publication_date", value: "2001/06/23");
      script_set_attribute(attribute:"plugin_publication_date", value: "2001/10/17");
    
      # Targeting: unauthenticated remote check keyed on the SMB native LAN
      # Manager string that smb_nativelanman.nasl stores in the KB.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
      script_family(english: "Gain a shell remotely");
      script_dependencies("smb_nativelanman.nasl");
      script_require_keys("SMB/NativeLanManager");
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
    lanman = get_kb_item("SMB/NativeLanManager");
    
    # Only Samba banners are of interest; any other server (or a missing banner) yields no report.
    if ("Samba" >!< lanman) exit(0);
    
    # Banner patterns treated as vulnerable: 2.0.5 through 2.0.9 (with any
    # non-digit suffix) and exactly 2.2.0, i.e. releases before the fixed
    # 2.0.10 / 2.2.0a named in the solution text.
    # NOTE(review): the 2.0.x pattern leaves 2.0.0-2.0.4 unflagged, while the
    # Mandrake advisory text for this CVE says all versions prior to 2.0.10 are
    # affected; confirm the intended range before widening it.
    # NOTE(review): this is a version-string check only. It cannot tell whether
    # `log file` uses the `%m` macro (the precondition in every advisory), so a
    # hardened smb.conf, or a backported fix behind an unchanged banner, is
    # still reported as vulnerable.
    vulnerable_banners = make_list("Samba 2\.0\.[5-9][^0-9]*$", "Samba 2\.2\.0$");
    foreach pattern (vulnerable_banners)
    {
      if (ereg(pattern:pattern, string:lanman)) security_hole(139);
    }
    

Red Hat

advisories
rhsa
id: RHSA-2001:086