"samba_symlink_dir_traversal_nasl-#" what is this?
Hi,
I recently started having unusual directories appear on one of my mounted arrays. I did not create them (intentionally) and I have no clue what they are. Google has been of no help.
They all have this in the name of the folder: "samba_symlink_dir_traversal.nasl-<10-digit number>". They all have the same time-stamp in the date modified column (see pic).
What are these folders? Why are they appearing? And how can I make it stop? It doesn't do this on my other mounted arrays and disks.
I recently grew my two attached arrays, this started right after that, but only on one of them. Connection?
Also, it may be relevant: the folders are different today in their modified date (reflecting today's date), and the numbers in the name of the folder are different too.
I don't use Samba, so don't quote me on this... But since you seem eager for info, try sticking the following:
Code:
samba_symlink_dir_traversal.nasl
into Google. It produces not many hits, but all the hits that are produced point to the same thing, which, if I understand what I'm reading, is indicative of a vulnerability in Samba that can be exploited due to an insecure configuration. It allows a user to make symlinks to files that they should not be able to. The solution (or workaround) is also shown on several of the Google hits.
Again - I'm not sure about it - so don't jump up & down just yet! I'm going to ask our 'Security Forum' folks to have a look and give an opinion.
You're right. NASL is the FLA for "Nessus Attack Scripting Language". The Nessus samba_symlink_dir_traversal.nasl plugin and what it tests for is described here, the CVE entry for the vulnerability is here (also see this), and the fix (set "wide links = no" in the [global] section of smb.conf and restart smbd) is described here. If the OP did not test the machine him/herself, then system and daemon logs may or may not show who attempted to access the share during the timeframe leading up to the timestamps of the screenshot the OP posted here.
Thanks Grapefuit, I did read all that but it made no sense to me because it started only after I grew my array, which is why I thought it might be related to that.
Thanks for the help unspawn, I'm changing the smb.conf now. But what do FLA, CVE, and OP stand for?
"Common Vulnerabilities & Exposures" = CVE
"OP" Original Post(er) (i.e. you, the person who started the thread, or the first post in a thread.)
"FLA" = ... "Foot Long Acronym" (kidding! I don't know what this one is)
update: I stopped the samba service yesterday afternoon but this morning (now) there are new "symlink" folders that have appeared. How could that be possible?
Last edited by captainentropy; 07-30-2010 at 02:56 PM.
- Temporarily set up smbd to ditch CAP_DAC_OVERRIDE (see 'man 7 capabilities') if your system allows configuring and changing per-process capabilities (GRSecurity, LIDS).
- Upgrade (or alternatively downgrade): http://us1.samba.org/samba/security/CVE-2010-0728.html.
- Do you run Nessus or OpenVAS or any of that type of auditing?
- Who has access (write rights?) to the share?
- Who has access (write rights) to the machine the share is on?
- Who accessed the share during file or directory creation time ('stat /path/to/physical\ directory\ name;')?
- Who accessed the machine the share is on during file or directory creation time?
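As an added example, not code from the thread or from any of the posters: a POSIX shell script that checks an smb.conf for the "wide links" setting described in the earlier reply (the fix is "wide links = no" under [global]) and lists directories matching the naming pattern from the first post with their modification times, so they can be correlated with logs as in the 'stat' item above. The sample config files, their contents and the directory paths are constructed for the demonstration; whether an absent "wide links" parameter is safe depends on the Samba version's default, so the script treats "unset" as needing an explicit setting.

```shell
#!/bin/sh
# Added example (not from the thread): audit smb.conf for "wide links" and
# locate directories matching the pattern seen on the mounted array.

# Print the value of "wide links" from the [global] section of the smb.conf
# given as $1: "yes", "no", or "unset" when the parameter is absent.
# Samba section and parameter names are case-insensitive, so we lowercase.
wide_links_setting() {
    awk '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
            gsub(/[ \t]/, "", s); section = tolower(s); next
        }
        section == "global" && tolower($0) ~ /^[ \t]*wide[ \t]*links[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); val = tolower(v)
        }
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# Print a verdict for the config in $1; exit 0 only when it is hardened.
audit_wide_links() {
    case "$(wide_links_setting "$1")" in
        no)  echo "$1: wide links = no (hardened)"; return 0 ;;
        yes) echo "$1: wide links = yes (symlinks may point outside the share)"; return 1 ;;
        *)   echo "$1: wide links not set; add 'wide links = no' under [global]"; return 1 ;;
    esac
}

# List directories named like the ones in the first post, with owner and
# modification time, for correlating against access logs.
list_traversal_dirs() {
    find "$1" -type d -name 'samba_symlink_dir_traversal.nasl-*' -exec ls -ld {} \;
}

# Constructed sample inputs so the script runs stand-alone.
demo_dir="${TMPDIR:-/tmp}/smbconf-audit.$$"
mkdir -p "$demo_dir/array/samba_symlink_dir_traversal.nasl-1234567890"
cat > "$demo_dir/weak.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   Wide Links = yes
[data]
   path = /srv/data
   writable = yes
EOF
cat > "$demo_dir/fixed.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   wide links = no
[data]
   path = /srv/data
   writable = yes
EOF
cat > "$demo_dir/unset.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
[data]
   path = /srv/data
EOF

failed=0
for name in weak fixed unset; do
    audit_wide_links "$demo_dir/$name.conf" || failed=$((failed + 1))
done
echo "$failed config(s) need attention"
list_traversal_dirs "$demo_dir/array"
```

Run it as-is to see the three verdicts and the directory listing; against a real machine, call wide_links_setting /etc/samba/smb.conf and list_traversal_dirs on the mount point of the affected array.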
Thanks for help unSpawn. Right after my last post I deleted the two folders and there have been no new ones created since. I didn't attempt the two suggestions you made...yet. Should I anyway?
No, I'm not running Nessus or OpenVAS. I don't even know what those are.
There are only two users, both have write access to the machine and share. I'm the only one who uses it really. One other person is setting up a genome browser on the server but the problem started before he began that process.
When the issue arose I was the only one who had accessed the server. There are only three people who even need to access it at any time. But during the time prior to the problem arising I was expanding the arrays so I had them offline. Other than the other guy I mentioned there has been no accessing it by anyone other than me.
I'll be keeping an eye on it of course. Thanks for your help so far!