Samba smbmnt Local Privilege Escalation

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote service might be affected by a local privilege escalation
vulnerability.

Description :

According to its banner, the version of Samba running on the remote
host is in the 2.x branch or is a 3.x release earlier than 3.0.2a.
These releases ship a mount helper called 'smbmnt'. When smbmnt is
installed setuid root, an unprivileged local user on the host can mount
a Samba share whose contents they control and then execute a setuid or
setgid root binary placed on that share, gaining root privileges on the
local host.

Note that Nessus has not tried to exploit the issue, but has only
checked the version of Samba reported in its banner. It therefore
cannot tell whether the setuid bit has already been removed from
smbmnt, and will still report a host that has applied that workaround.

See also :

http://marc.info/?l=bugtraq&m=107636290906296&w=2
http://www.samba.org/samba/history/samba-3.0.6.html

Solution :

Upgrade Samba to version 3.0.2a or later. As a workaround, remove the
setuid bit from 'smbmnt' (chmod u-s). Note that smbmnt is setuid root
so that unprivileged users can mount SMB shares; removing the bit also
removes that ability until Samba is upgraded.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 17723

Bugtraq ID: 9619

CVE ID: CVE-2004-0186