Vulnerability: samba anonymously writable share + symlink traversal

2026-02-23 04:08:02 +00:00 · 2016-09-02 19:55:42 +01:00
parent f7161dbe4e
commit 3f00728fd2
11 changed files with 163 additions and 1 deletions
--- a/lib/schemas/vulnerability_metadata_schema.xsd
+++ b/lib/schemas/vulnerability_metadata_schema.xsd
@@ -54,7 +54,7 @@
  </xs:simpleType>
  <xs:simpleType name="MSFregexp">
    <xs:restriction base="xs:string">
-      <xs:pattern value="exploit/[a-zA-Z0-9_\-/]+"/>
+      <xs:pattern value="(exploit|auxiliary)/[a-zA-Z0-9_\-/]+"/>
    </xs:restriction>
  </xs:simpleType>

--- a/modules/vulnerabilities/unix/smb/samba_public_writable_share/files/smb_conf_public_share_definition
+++ b/modules/vulnerabilities/unix/smb/samba_public_writable_share/files/smb_conf_public_share_definition
@@ -0,0 +1,15 @@
+#
+# Insecure Public share definition
+#
+[public]
+comment = Public Share
+# Path to directory
+path = /tmp
+# Allow writing to share
+read only = no
+# Force connections as guests
+guest ok = yes
+locking = no
+# Sets the umask for files/directories created on this share
+force create mode = 777
+force directory mode = 777
--- a/modules/vulnerabilities/unix/smb/samba_public_writable_share/manifests/install.pp
+++ b/modules/vulnerabilities/unix/smb/samba_public_writable_share/manifests/install.pp
@@ -0,0 +1,19 @@
+class samba_public_writable_share::install {
+
+  concat { '/etc/samba/smb.conf':
+    ensure => present,
+  }
+
+  concat::fragment { 'smb-conf-base':
+    source => '/etc/samba/smb.conf',
+    target => '/etc/samba/smb.conf',
+    order => '01',
+  }
+
+  concat::fragment { 'smb-conf-public-share-definition':
+    source => 'puppet:///modules/samba_public_writable_share/smb_conf_public_share_definition',
+    target => '/etc/samba/smb.conf',
+    order => '02',
+  }
+
+}
--- a/modules/vulnerabilities/unix/smb/samba_public_writable_share/samba_public_writable_share.pp
+++ b/modules/vulnerabilities/unix/smb/samba_public_writable_share/samba_public_writable_share.pp
@@ -0,0 +1 @@
+require samba_public_writable_share::install
--- a/modules/vulnerabilities/unix/smb/samba_public_writable_share/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/smb/samba_public_writable_share/secgen_metadata.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability ">
+  <name>Samba Public Writable Share</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>
+    Samba file server configured with a public anonymously accessible share with read / write permissions.
+  </description>
+
+  <type>samba</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+
+  <!--optional details-->
+  <reference>http://allarsblog.com/2015/11/07/Setting-Up-Samba-No-Security/</reference>
+  <software_name>smbd</software_name>
+  <software_license>MIT</software_license>
+
+  <requires>
+    <module_path>modules/services/unix/file_share/samba</module_path>
+  </requires>
+
+</vulnerability>
--- a/modules/vulnerabilities/unix/smb/samba_symlink_traversal/files/smb_conf_wide_links
+++ b/modules/vulnerabilities/unix/smb/samba_symlink_traversal/files/smb_conf_wide_links
@@ -0,0 +1,3 @@
+# wide links for symlink traversal ( enabled by default in versions <= 3.4.5 )
+wide links = yes
+follow symlinks = yes
--- a/modules/vulnerabilities/unix/smb/samba_symlink_traversal/manifests/install.pp
+++ b/modules/vulnerabilities/unix/smb/samba_symlink_traversal/manifests/install.pp
@@ -0,0 +1,23 @@
+class samba_symlink_traversal::install {
+
+  # Insert the 'allow insecure wide links = yes' line into the [global] section
+  exec { 'sed-insert-global-allow-insecure-wide-links':
+    command => "/bin/sed -i \'/\\[global\\]/a allow insecure wide links = yes\' /etc/samba/smb.conf"
+  }
+
+  concat { '/etc/samba/smb.conf':
+    ensure => present,
+  }
+
+  concat::fragment { 'smb-conf-base':
+    source => '/etc/samba/smb.conf',
+    target => '/etc/samba/smb.conf',
+    order => '01',
+  }
+
+  concat::fragment { 'smb-conf-wide-links':
+    source => 'puppet:///modules/samba_symlink_traversal/smb_conf_wide_links',
+    target => '/etc/samba/smb.conf',
+    order => '03',
+  }
+}
--- a/modules/vulnerabilities/unix/smb/samba_symlink_traversal/samba_symlink_traversal.pp
+++ b/modules/vulnerabilities/unix/smb/samba_symlink_traversal/samba_symlink_traversal.pp
@@ -0,0 +1 @@
+require samba_symlink_traversal::install
--- a/modules/vulnerabilities/unix/smb/samba_symlink_traversal/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/smb/samba_symlink_traversal/secgen_metadata.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability ">
+  <name>Samba Symlink Traversal</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>
+    Samba file server configured with a public anonymously accessible share with read / write permissions and the
+    unix extensions = yes, wide links = yes and allow insecure wide links = yes settings.
+  </description>
+
+  <type>samba</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+
+  <!--optional details-->
+  <reference>https://www.samba.org/samba/news/symlink_attack.html</reference>
+  <reference>https://www.rapid7.com/db/modules/auxiliary/admin/smb/samba_symlink_traversal</reference>
+  <software_name>smbd</software_name>
+  <software_license>MIT</software_license>
+
+  <!--optional hints-->
+  <msf_module>auxiliary/admin/smb/samba_symlink_traversal</msf_module>
+
+  <requires>
+    <module_path>modules/services/unix/file_share/samba</module_path>
+    <module_path>modules/vulnerabilities/unix/smb/samba_public_writable_share</module_path>
+  </requires>
+
+</vulnerability>
--- a/scenarios/simple_examples/samba_public_writable_share.xml
+++ b/scenarios/simple_examples/samba_public_writable_share.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote storage system running samba, with a misconfiguration vulnerability which enables symlink traversal -->
+  <system>
+    <system_name>samba_service</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/smb/samba_public_writable_share"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>
--- a/scenarios/simple_examples/samba_symlink_traversal_vulnerability.xml
+++ b/scenarios/simple_examples/samba_symlink_traversal_vulnerability.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote storage system running samba, with a misconfiguration vulnerability which enables symlink traversal -->
+  <system>
+    <system_name>samba_service</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/smb/samba_symlink_traversal"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>
				`@@ -0,0 +1 @@`
				`require samba_public_writable_share::install`