Vulnerabilities > CVE-2004-0815 - Remote Arbitrary File Access vulnerability in Samba
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x before 3.0.2a, trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-600.NASL description A vulnerability has been discovered in samba, a commonly used LanManager-like file and printer server for Unix. A remote attacker may be able to gain access to files which exist outside of the share last seen 2020-06-01 modified 2020-06-02 plugin id 15690 published 2004-11-10 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15690 title Debian DSA-600-1 : samba - arbitrary file access code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-600. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15690); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2004-0815"); script_xref(name:"DSA", value:"600"); script_name(english:"Debian DSA-600-1 : samba - arbitrary file access"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A vulnerability has been discovered in samba, a commonly used LanManager-like file and printer server for Unix. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection, though." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-600" ); script_set_attribute( attribute:"solution", value: "Upgrade the samba packages. For the stable distribution (woody) this problem has been fixed in version 2.2.3a-14.1. In the unstable (sid) and testing (sarge) distributions this problem was not present." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/10"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-14.1")) flag++; if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-14.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-498.NASL description Updated samba packages that fix an input validation vulnerability are now available. Samba provides file and printer sharing services to SMB/CIFS clients. Karol Wiesek discovered an input validation issue in Samba prior to 3.0.6. An authenticated user could send a carefully crafted request to the Samba server, which would allow access to files outside of the configured file share. Note: Such files would have to be readable by the account used for the connection. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0815 to this issue. This issue does not affect Red Hat Enterprise Linux 3 as a previous erratum updated to Samba 3.0.6 which is not vulnerable to this issue. Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.12, which is not vulnerable to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 15428 published 2004-10-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15428 title RHEL 2.1 : samba (RHSA-2004:498) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2004:498. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(15428); script_version ("1.26"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0815"); script_xref(name:"RHSA", value:"2004:498"); script_name(english:"RHEL 2.1 : samba (RHSA-2004:498)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated samba packages that fix an input validation vulnerability are now available. Samba provides file and printer sharing services to SMB/CIFS clients. Karol Wiesek discovered an input validation issue in Samba prior to 3.0.6. An authenticated user could send a carefully crafted request to the Samba server, which would allow access to files outside of the configured file share. Note: Such files would have to be readable by the account used for the connection. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0815 to this issue. This issue does not affect Red Hat Enterprise Linux 3 as a previous erratum updated to Samba 3.0.6 which is not vulnerable to this issue. Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.12, which is not vulnerable to this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0815" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2004:498" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/03"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2004:498"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.12-1.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.12-1.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.12-1.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.12-1.21as")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat"); } }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_DE16B056132E11D9BC4A000C41E2CDAD.NASL description According to a Samba Team security notice : A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share last seen 2020-06-01 modified 2020-06-02 plugin id 19144 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19144 title FreeBSD : samba -- remote file disclosure (de16b056-132e-11d9-bc4a-000c41e2cdad) NASL family Misc. NASL id SAMBA_ARBITRARY_FILE_ACCESS.NASL description According to its version number, the remote Samba server is affected by a flaw that allows an attacker to access arbitrary files which exist outside of the shares last seen 2020-06-01 modified 2020-06-02 plugin id 15394 published 2004-09-30 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15394 title Samba MS-DOS Path Request Arbitrary File Retrieval NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-104.NASL description Karol Wiesek discovered a bug in the input validation routines used to convert DOS path names to path names on the Samba host last seen 2020-06-01 modified 2020-06-02 plugin id 15413 published 2004-10-02 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15413 title Mandrake Linux Security Advisory : samba (MDKSA-2004:104) NASL family SuSE Local Security Checks NASL id SUSE_SA_2004_035.NASL description The remote host is missing the patch for the advisory SUSE-SA:2004:035 (samba). The Samba server, which allows to share files and resources via the SMB/CIFS protocol, contains a bug in the sanitation code of path names which allows remote attackers to access files outside of the defined share. In order to access these files, they must be readable by the account used for the SMB session. CVE-2004-0815 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 15423 published 2004-10-05 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15423 title SUSE-SA:2004:035: samba
Redhat
| advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000873
- http://marc.info/?l=bugtraq&m=109655827913457&w=2
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101584-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57664-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200529-1
- http://us4.samba.org/samba/news/#security_2.2.12
- http://www.debian.org/security/2004/dsa-600
- http://www.idefense.com/application/poi/display?id=146&type=vulnerabilities&flashstatus=true
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:104
- http://www.novell.com/linux/security/advisories/2004_35_samba.html
- http://www.redhat.com/support/errata/RHSA-2004-498.html
- http://www.securityfocus.com/archive/1/377618
- http://www.securityfocus.com/bid/11281
- http://www.trustix.org/errata/2004/0051/
- https://bugzilla.fedora.us/show_bug.cgi?id=2102
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17556