How to Get Root Filesystem Access via Samba Symlink Traversal


Samba can be configured to allow any user with write access to create a link to the root filesystem. Once an attacker has this level of access, it's only a matter of time before the system gets owned. Although this configuration isn't that common in the wild, it does happen, and Metasploit has a module to easily exploit this security flaw.


Symbolic links, or symlinks, are files that link to other files or directories on a system, and they are an essential part of the Linux environment. Symlinks are often used to connect libraries and redirect certain binaries to other versions.


File-sharing systems like Samba can take advantage of symbolic links, allowing users to easily access linked folders and files. But these links are normally confined to the share itself, making it impossible to access the underlying filesystem.


Samba does have an option to use wide links, which are basically symlinks that are allowed to point outside of the sandboxed file share. This is obviously a huge security hole, as any user with write access to a share can create a link to the root filesystem.
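
To check your own server for this combination, the following added example (not code from the original article) parses smb.conf-style text and lists shares that are both writable and have `wide links` in effect. It assumes current Samba defaults (`wide links = no`, `read only = yes`), does not follow `include` directives, and ignores the version-dependent interaction with `unix extensions`; the sample configuration is constructed.

```python
# Added example; SAMPLE_CONF is constructed, not taken from a real host.
SAMPLE_CONF = """
[global]
   wide links = yes
[tmp]
   read only = no
[docs]
   read only = yes
[projects]
   writable = yes
   wide links = no
[Upload]
   Write OK = Yes
"""
TRUE = {"yes", "true", "on", "1"}
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}  # inverted "read only"

def parse(text):
    """Return {section: {param: value}} from smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba parameter names ignore case and embedded whitespace.
            key, value = "".join(key.lower().split()), value.strip().lower()
            if key in WRITE_SYNONYMS:  # store as "read only", value flipped
                key, value = "readonly", "no" if value in TRUE else "yes"
            current[key] = value
    return sections

def risky_shares(text):
    """Sorted names of shares that are writable with wide links enabled."""
    conf = parse(text)
    glob = conf.pop("global", {})
    found = []
    for name, params in conf.items():
        # Assumed defaults (current Samba): wide links = no, read only = yes.
        eff = {"widelinks": "no", "readonly": "yes", **glob, **params}
        if eff["widelinks"] in TRUE and eff["readonly"] not in TRUE:
            found.append(name)
    return sorted(found)

if __name__ == "__main__":
    print(risky_shares(SAMPLE_CONF))
```

Setting `wide links = no` in `[global]`, or making the share read-only, clears the finding for that share.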


For this demonstration, we will be using Kali Linux to attack a Metasploitable 2 virtual machine. If you have a similar pentesting lab, you can follow along.

