CVE-2010-0926
published 2010-03-10CVE-2010-0926: The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote…
PriorityP338low3.5CVSS 2.0
AVNACMAuSCPINAN
EXPLOIT
EPSS
30.53%
98.0th percentile
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| debian | samba | < samba 2:3.4.6~dfsg-1 (bookworm) | samba 2:3.4.6~dfsg-1 (bookworm) |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
| samba | samba | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect smbclient UNIX extension symlink creation requests over SMB that contain traversal sequences ('..') in the symlink target — this is the core exploit primitive for CVE-2010-0926. ↗
- →Monitor for SMB UNIX extension symlink operations (Trans2 UNIX_EXTENSIONS sub-commands) where the link target resolves outside the share root — indicative of wide-link traversal exploitation. ↗
- →Alert on guest or low-privilege SMB sessions that issue symlink creation commands followed by directory listing or file read operations — exploitation is possible via guest-accessible writable shares. ↗
- →For the race-condition variant (CVE-2010-0926 overlap with Samba 4.5.2), detect rapid rename operations on share path components interleaved with file open requests — a symlink is swapped in just before open() to escape the share boundary. ↗
- →On the server side, audit smbd for lstat() calls on path components followed by open() where an intermediate component has changed type to S_IFLNK between the lstat and open — indicates a TOCTOU symlink race. ↗
- ·The vulnerability is triggered only when BOTH 'unix extensions' and 'wide links' are enabled simultaneously — this was the Samba default before the fix. Disabling either option mitigates the issue. ↗
- ·The Samba team's official mitigation is to set 'wide links = no' in the [global] section of smb.conf. Alternatively, setting 'unix extensions = no' prevents clients from creating wide symlinks. ↗
- ·Exploitation requires authenticated access to a writable share; however, guest accounts with write access to a share are sufficient — treat guest-writable shares as high-risk in unpatched environments. ↗
- ·Apple Mac OS X SMB File Server (10.5.8 and 10.6 before 10.6.4) enables wide links by default and is independently vulnerable to the same class of attack. ↗
- ·Affected Samba versions: before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3. Debian fix version is 2:3.4.6~dfsg-1. ↗
CVSS provenance
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
osv3.5LOW
vendor_debian3.5LOW
vendor_redhat3.5LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Samba vulnerability
vendor_ubuntu·2010-03-24
CVE-2010-0926 Samba vulnerability
Title: Samba vulnerability
Summary: Samba vulnerability
It was discovered the Samba handled symlinks in an unexpected way when both
"wide links" and "UNIX extensions" were enabled, which is the default. A
remote attacker could create symlinks and access arbitrary files from the
server.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
ATTENTION: This update changes the default samba behaviour. For security
reasons, it is no longer possible to use wide links and UNIX extensions at
the same time. After applying this security update, wide links will be
disabled automatically as UNIX extensions are turned on by default. If
wide links are required, you can re-enable them by adding
"unix extensions = no" to the [global] section of the /etc/sam
Red Hat
samba: insecure "wide links" default
vendor_redhat·2010-02-05·CVSS 3.5
CVE-2010-0926 [LOW] samba: insecure "wide links" default
samba: insecure "wide links" default
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
Statement: This issue was addressed in Samba packages in Red Hat Enterprise Linux 5. It did not affect Samba packages in Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this issue as having low security impact. There is no plan to address this flaw in Red Hat Enterprise Linux 4.
To prevent this issue, disable "wide li
Debian
CVE-2010-0926: samba - The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, an...
vendor_debian·2010·CVSS 3.5
CVE-2010-0926 [LOW] CVE-2010-0926: samba - The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, an...
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
Scope: local
bookworm: resolved (fixed in 2:3.4.6~dfsg-1)
bullseye: resolved (fixed in 2:3.4.6~dfsg-1)
forky: resolved (fixed in 2:3.4.6~dfsg-1)
sid: resolved (fixed in 2:3.4.6~dfsg-1)
trixie: resolved (fixed in 2:3.4.6~dfsg-1)
VulDB
Samba up to 3.5.0 Default Configuration path traversal (Bug 7104 / EDB-33599)
vuldb·2026-05-02·CVSS 3.5
CVE-2010-0926 [LOW] Samba up to 3.5.0 Default Configuration path traversal (Bug 7104 / EDB-33599)
A vulnerability has been found in Samba and classified as problematic. This issue affects some unknown processing of the component Default Configuration. This manipulation causes path traversal.
This vulnerability is handled as CVE-2010-0926. The attack can be initiated remotely. Additionally, an exploit exists.
The affected component should be upgraded.
GHSA
GHSA-pfw5-rj4c-2cm8: The default configuration of SMB File Server in Apple Mac OS X 10
ghsa_unreviewed·2022-05-02·CVSS 3.5
CVE-2010-1381 [LOW] GHSA-pfw5-rj4c-2cm8: The default configuration of SMB File Server in Apple Mac OS X 10
The default configuration of SMB File Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, enables support for wide links, which allows remote authenticated users to access arbitrary files via vectors involving symbolic links. NOTE: this might overlap CVE-2010-0926.
GHSA
GHSA-c6j9-4944-rfw4: The default configuration of smbd in Samba before 3
ghsa_unreviewed·2022-05-02
CVE-2010-0926 [LOW] CWE-22 GHSA-c6j9-4944-rfw4: The default configuration of smbd in Samba before 3
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
OSV
CVE-2010-0926: The default configuration of smbd in Samba before 3
osv·2010-03-10·CVSS 3.5
CVE-2010-0926 [LOW] CVE-2010-0926: The default configuration of smbd in Samba before 3
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.
No detection rules found.
Exploit-DB
Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
exploitdb·2017-03-27·CVSS 3.5
CVE-2017-2619 [LOW] Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039
The Samba server is supposed to only grant access to configured share
directories unless "wide links" are enabled, in which case the server is allowed
to follow symlinks. The default (since CVE-2010-0926) is that wide links are
disabled.
smbd ensures that it isn't following symlinks by calling lstat() on every
path component, as can be seen in strace (in reaction to the request
"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share):
root@debian:/home/user# strace -e trace=file -p18954
Process 18954 attached
lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
getcwd("/public", 4096) = 8
lstat("/pub
Exploit-DB
Samba 3.4.5 - Symlink Directory Traversal
exploitdb·2010-02-04
CVE-2010-0926 Samba 3.4.5 - Symlink Directory Traversal
Samba 3.4.5 - Symlink Directory Traversal
---
source: https://www.securityfocus.com/bid/38111/info
Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.
To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts.
NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.
smbclient patch (exploit):
samba-3.4.5/source3
Exploit-DB
Samba 3.4.5 - Symlink Directory Traversal (Metasploit)
exploitdb·2010-02-04
CVE-2010-0926 Samba 3.4.5 - Symlink Directory Traversal (Metasploit)
Samba 3.4.5 - Symlink Directory Traversal (Metasploit)
---
source: https://www.securityfocus.com/bid/38111/info
Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.
To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts.
NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.
##
# $Id: samba_symlink_traversal.
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0083.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2010-02/0107.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2010-02/0108.htmlhttp://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.htmlhttp://gitweb.samba.org/?p=samba.git%3Ba=commit%3Bh=bd269443e311d96ef495a9db47d1b95eb83bb8f4http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.htmlhttp://marc.info/?l=full-disclosure&m=126538598820903&w=2http://marc.info/?l=oss-security&m=126539592603079&w=2http://marc.info/?l=oss-security&m=126540402215620&w=2http://marc.info/?l=oss-security&m=126540733320471&w=2http://marc.info/?l=oss-security&m=126545363428745&w=2http://marc.info/?l=oss-security&m=126777580624790&w=2http://marc.info/?l=samba-technical&m=126539387432412&w=2http://marc.info/?l=samba-technical&m=126540011609753&w=2http://marc.info/?l=samba-technical&m=126540100511357&w=2http://marc.info/?l=samba-technical&m=126540248613395&w=2http://marc.info/?l=samba-technical&m=126540277713815&w=2http://marc.info/?l=samba-technical&m=126540290614053&w=2http://marc.info/?l=samba-technical&m=126540376915283&w=2http://marc.info/?l=samba-technical&m=126540475116511&w=2http://marc.info/?l=samba-technical&m=126540477016522&w=2http://marc.info/?l=samba-technical&m=126540539117328&w=2http://marc.info/?l=samba-technical&m=126540608318301&w=2http://marc.info/?l=samba-technical&m=126540695819735&w=2http://marc.info/?l=samba-technical&m=126547903723628&w=2http://marc.info/?l=samba-technical&m=126548356728379&w=2http://marc.info/?l=samba-technical&m=126549111204428&w=2http://marc.info/?l=samba-technical&m=126555346721629&w=2http://secunia.com/advisories/39317http://www.openwall.com/lists/oss-security/2010/02/06/3http://www.openwall.com/lists/oss-security/2010/03/05/3http://www.samba.org/samba/news/symlink_attack.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=562568https://bugzilla.samba.org/show_bug.cgi?id=7104http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0083.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2010-02/0107.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2010-02/0108.htmlhttp://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.htmlhttp://gitweb.samba.org/?p=samba.git%3Ba=commit%3Bh=bd269443e311d96ef495a9db47d1b95eb83bb8f4http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.htmlhttp://marc.info/?l=full-disclosure&m=126538598820903&w=2http://marc.info/?l=oss-security&m=126539592603079&w=2http://marc.info/?l=oss-security&m=126540402215620&w=2http://marc.info/?l=oss-security&m=126540733320471&w=2http://marc.info/?l=oss-security&m=126545363428745&w=2http://marc.info/?l=oss-security&m=126777580624790&w=2http://marc.info/?l=samba-technical&m=126539387432412&w=2http://marc.info/?l=samba-technical&m=126540011609753&w=2http://marc.info/?l=samba-technical&m=126540100511357&w=2http://marc.info/?l=samba-technical&m=126540248613395&w=2http://marc.info/?l=samba-technical&m=126540277713815&w=2http://marc.info/?l=samba-technical&m=126540290614053&w=2http://marc.info/?l=samba-technical&m=126540376915283&w=2http://marc.info/?l=samba-technical&m=126540475116511&w=2http://marc.info/?l=samba-technical&m=126540477016522&w=2http://marc.info/?l=samba-technical&m=126540539117328&w=2http://marc.info/?l=samba-technical&m=126540608318301&w=2http://marc.info/?l=samba-technical&m=126540695819735&w=2http://marc.info/?l=samba-technical&m=126547903723628&w=2http://marc.info/?l=samba-technical&m=126548356728379&w=2http://marc.info/?l=samba-technical&m=126549111204428&w=2http://marc.info/?l=samba-technical&m=126555346721629&w=2http://secunia.com/advisories/39317http://www.openwall.com/lists/oss-security/2010/02/06/3http://www.openwall.com/lists/oss-security/2010/03/05/3http://www.samba.org/samba/news/symlink_attack.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=562568https://bugzilla.samba.org/show_bug.cgi?id=7104
2010-03-10
Published