--- /dev/null
+<!--#include virtual="/samba/header.html" -->
+ <title>Symlink attack</title>
+<!--#include virtual="/samba/header_columns.html" -->
+
+
+<h4>5 February 2010</h4>
+ <p class="headline">Claimed Zero Day exploit in Samba</p>
+
+<p>A user named "kcopedarookie" posted what they claim to be a video
+of a
+zero-day <a href="http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true">exploit
+in Samba</a> on youtube yesterday.</p>
+
+<p>The video shows modifications to smbclient allowing
+/etc/passwd to be downloaded from a remote server.</p>
+
+<p>The issue is actually a default insecure configuration
+in Samba.</p>
+
+<h5>Quick FAQ: What do I do !</h5>
+
+<p>Set:
+<pre>
+ wide links = no
+</pre>
+in the [global] section of your smb.conf and restart
+smbd to eliminate this problem.</p>
+
+<h5>Longer FAQ: The real issue</h5>
+
+<p>The problem comes from a combination of two features in Samba, each
+of which on their own are useful to Administrators, but in combination
+allow users to access any file on the system that their logged in
+username has permissions to read (this is not a privilege escalation
+problem).</p>
+
+<p>By default Samba ships with the parameter "wide links = yes", which
+allows Administrators to locally (on the server) add a symbolic link
+inside an exported share which SMB/CIFS clients will follow.</p>
+
+<p>As an example, given a share definition:
+<pre>
+ [tmp]
+ path = /tmp
+ read only = no
+ guest ok = yes
+</pre></p>
+
+<p>The administrator could add a symlink:
+
+<pre>
+ $ ln -s /etc/passwd /tmp/passwd
+</pre>
+
+and SMB/CIFS clients would then see a file called "passwd" within
+the [tmp] share that could be read and would allow clients to read
+/etc/passwd.</p>
+
+<p>If the "wide links" parameter is set to "no", any attempt
+to read this file will fail with an "access denied" error.</p>
+
+<p>The problem occurs as Samba allows clients using the UNIX
+extensions (which are also turned on by default) to create
+symlinks on remotely mounted shares on which they have write
+access that point to any path on the file system.</p>
+
+<p>This is by design, as applications running on UNIX clients may have
+good reasons to create symlinks anywhere on the filesystem they have
+write access that point to local files (such as /etc/passwd).</p>
+
+<p>UNIX clients will resolve these links locally, but Windows
+clients will resolve them on the server. It is this combination
+that causes the problem.</p>
+
+<p>All future versions of Samba will have the parameter "wide links"
+set to "no" by default, and the manual pages will be updated to
+explain this issue.</p>
+
+<!--#include virtual="/samba/footer.html" -->
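Review bot: The Quick FAQ ("Set: wide links = no") names only one of the two features that the Longer FAQ says must combine to cause the problem, so an administrator who relies on server-side symlinks that point outside the share is left without an option. Consider adding a sentence to the Quick FAQ stating that the exposure requires a share the client can write to plus the UNIX extensions, and that sites which must keep "wide links = yes" can instead set "unix extensions = no" in [global]. Two markup points in the same hunk: the three <pre> blocks sit inside <p> elements (for example the "</pre></p>" that ends the [tmp] share definition), which is not valid HTML because <pre> implicitly closes the open paragraph, so each <pre> should move outside its <p>; and the "&" in the YouTube href ("watch?v=NN50RtZ2N74&aia=true") should be written as "&amp;".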