Samba smbmnt Local Privilege Escalation

High Nessus Plugin ID 17723


The remote service might be affected by a local privilege escalation vulnerability.


According to its banner, the version of Samba running on the remote host is in the 2.x or 3.x branch. Such versions are shipped with a utility called 'smbmnt'. When smbmnt has the setuid 'root' bit set, a local user with access to the victim can mount a Samba share and then execute a setuid or setgid 'root' binary located on the share to gain unauthorized access to root privileges.

Note that Nessus has not tried to exploit the issue, but rather only checked the version of Samba running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.


Upgrade Samba to version 3.0.2a or higher. As a workaround, remove the setuid bit from 'smbmnt'.

See Also

Plugin Details

Severity: High

ID: 17723

File Name: samba_smbmnt.nasl

Version: $Revision: 1.4 $

Type: remote

Family: Misc.

Published: 2011/11/18

Modified: 2014/05/26

Dependencies: 10785

Risk Information

Risk Factor: High


Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Required KB Items: SMB/NativeLanManager, SMB/samba, Settings/ParanoidReport, Settings/PCI_DSS

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2004/02/09

Reference Information

CVE: CVE-2004-0186

BID: 9619

OSVDB: 3916