Samba smbmnt Local Privilege Escalation

high Nessus Plugin ID 17723

Synopsis

The remote service might be affected by a local privilege escalation vulnerability.

Description

According to its banner, the version of Samba running on the remote host is in the 2.x or 3.x branch. Such versions are shipped with a utility called 'smbmnt'. When smbmnt has the setuid 'root' bit set, a local user with access to the victim can mount a Samba share and then execute a setuid or setgid 'root' binary located on the share to gain unauthorized access to root privileges.

Note that Nessus has not tried to exploit the issue, but rather only checked the version of Samba running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.

Solution

Upgrade Samba to version 3.0.2a or higher. As a workaround, remove the setuid bit from 'smbmnt'.

See Also

https://marc.info/?l=bugtraq&m=107636290906296&w=2

https://www.samba.org/samba/history/samba-3.0.6.html

Plugin Details

Severity: High

ID: 17723

File Name: samba_smbmnt.nasl

Version: 1.7

Type: remote

Family: Misc.

Published: 11/18/2011

Updated: 6/14/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Required KB Items: Settings/ParanoidReport, SMB/samba, SMB/NativeLanManager, Settings/PCI_DSS

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/9/2004

Reference Information

CVE: CVE-2004-0186

BID: 9619

IAVA: 2023-A-0535