Samba smbmnt Local Privilege Escalation
High Nessus Plugin ID 17723
SynopsisThe remote service might be affected by a local privilege escalation vulnerability.
DescriptionAccording to its banner, the version of Samba running on the remote host is in the 2.x or 3.x branch. Such versions are shipped with a utility called 'smbmnt'. When smbmnt has the setuid 'root' bit set, a local user with access to the victim can mount a Samba share and then execute a setuid or setgid 'root' binary located on the share to gain unauthorized access to root privileges.
Note that Nessus has not tried to exploit the issue, but rather only checked the version of Samba running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.
SolutionUpgrade Samba to version 3.0.2a or higher. As a workaround, remove the setuid bit from 'smbmnt'.