Allele Security Alert
ASA-2019-00231
Identifier(s)
ASA-2019-00231, CVE-2019-3880
Title
Save registry file outside share as unprivileged user
Vendor(s)
The Samba Project
Product(s)
Samba
Affected version(s)
Samba 3.2.0
Fixed version(s)
Samba 4.8.11
Samba 4.9.6
Samba 4.10.2
Proof of concept
Unknown
Description
Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, “winreg_SaveKey”, is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition. Note – existing share restrictions such as “read only” or share ACLs do *not* prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has unix permissions to create a file. Existing files cannot be overwritten using this vulnerability, only new registry hive files can be created, however the presence of existing files with a specific name can be detected. Samba writes or detects the file as the authenticated user, not as root.
Technical details
Unknown
Credits
Michael Hanselmann
Reference(s)
Save registry file outside share as unprivileged user
https://www.samba.org/samba/security/CVE-2019-3880.html
CVE-2019-3880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3880
CVE-2019-3880
https://nvd.nist.gov/vuln/detail/CVE-2019-3880
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 27, 2019