diff options
author | Jeremy Allison <jra@samba.org> | 2021-12-07 12:28:54 -0800 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-01-31 14:26:10 +0000 |
commit | 1dcd818303bdd5a1ea59faae114d290b51fc7999 (patch) | |
tree | 6a5ac9164a539516fda522527b7f387a9ab8c551 | |
parent | ef8229843604bd2dcd17403a786ea70586e3d632 (diff) | |
download | samba-1dcd818303bdd5a1ea59faae114d290b51fc7999.tar.gz |
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
Add to knownfail.d/symlink_traversal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | selftest/knownfail.d/symlink_traversal | 1 | ||||
-rwxr-xr-x | source3/script/tests/test_symlink_traversal_smb2.sh | 263 | ||||
-rwxr-xr-x | source3/selftest/tests.py | 6 |
3 files changed, 270 insertions, 0 deletions
diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal new file mode 100644 index 00000000000..a8ac4bbae1f --- /dev/null +++ b/selftest/knownfail.d/symlink_traversal @@ -0,0 +1 @@ +^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) diff --git a/source3/script/tests/test_symlink_traversal_smb2.sh b/source3/script/tests/test_symlink_traversal_smb2.sh new file mode 100755 index 00000000000..7e1de6dde1a --- /dev/null +++ b/source3/script/tests/test_symlink_traversal_smb2.sh @@ -0,0 +1,263 @@ +#!/bin/sh + +if [ $# -lt 7 ]; then +cat <<EOF +Usage: test_symlink_traversal_smb2.sh SERVER SERVER_IP USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT +EOF +exit 1; +fi + +SERVER="${1}" +SERVER_IP="${2}" +USERNAME="${3}" +PASSWORD="${4}" +LOCAL_PATH="${5}" +PREFIX="${6}" +SMBCLIENT="${7}" +SMBCLIENT="$VALGRIND ${SMBCLIENT}" +shift 6 + +incdir=$(dirname "$0")/../../../testprogs/blackbox +. "$incdir"/subunit.sh + +failed=0 + +# Do not let deprecated option warnings muck this up +SAMBA_DEPRECATED_SUPPRESS=1 +export SAMBA_DEPRECATED_SUPPRESS + + +# Define the test environment/filenames. +# +share_test_dir="$LOCAL_PATH" +# +# These files/directories will be created. +# +file_outside_share="/tmp/symlink_traverse_test_file.$$" +dir_outside_share="/tmp/symlink_traverse_test_dir.$$" +file_outside_share_noperms="/tmp/symlink_traverse_test_file_noperm.$$" +dir_outside_share_noperms="/tmp/symlink_traverse_test_dir_noperm.$$" +# +# These two objects do not exist. +# +file_outside_share_noexist="/tmp/symlink_traverse_test_noexist.$$" +dir_outside_share_noexist="/tmp/symlink_traverse_test_dir_noexist.$$" + +# +# Cleanup function. +# +do_cleanup() +{ +( +#subshell. +cd "$share_test_dir" || return +rm -f "file_exists" +rm -f "symlink_noexist" +rm -f "symlink_file_outside_share" +rm -f "symlink_file_outside_share_noexist" +rm -f "symlink_dir_outside_share" +rm -f "symlink_dir_outside_share_noexist" +rm -f "symlink_file_outside_share_noperms" +rm -f "symlink_dir_outside_share_noperms" +rm -rf "emptydir" +# Links inside share. +rm -f "symlink_file_inside_share_noperms" +rm -f "file_inside_share_noperms" +rm -f "symlink_dir_inside_share_noperms" +chmod 755 "dir_inside_share_noperms" +rm -rf "dir_inside_share_noperms" +) +rm -f "$file_outside_share" +rm -rf "$dir_outside_share" +rm -f "$file_outside_share_noperms" +rm -rf "$dir_outside_share_noperms" +} + +# +# Ensure we start from a clean slate. +# +do_cleanup + +# +# Create the test files/directories/symlinks. +# +# File/directory explicitly outside share. +touch "$file_outside_share" +mkdir "$dir_outside_share" +# File/directory explicitly outside share with permission denied. +touch "$file_outside_share_noperms" +chmod 0 "$file_outside_share_noperms" +mkdir "$dir_outside_share_noperms" +chmod 0 "$dir_outside_share_noperms" +# +# Create links to these objects inside the share definition. +( +#subshell. +cd "$share_test_dir" || return +touch "file_exists" +ln -s "noexist" "symlink_noexist" +ln -s "$file_outside_share" "symlink_file_outside_share" +ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" +ln -s "$dir_outside_share" "symlink_dir_outside_share" +ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" +ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" +ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" +# +# Create the identical symlink set underneath "emptydir" +mkdir "emptydir" +( +#subshell +cd "emptydir" || return +touch "file_exists" +ln -s "noexist" "symlink_noexist" +ln -s "$file_outside_share" "symlink_file_outside_share" +ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" +ln -s "$dir_outside_share" "symlink_dir_outside_share" +ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" +ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" +ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" +) +# +# Create symlinks to access denied file and directory +# objects within the share +touch "file_inside_share_noperms" +chmod 0 "file_inside_share_noperms" +ln -s "file_inside_share_noperms" "symlink_file_inside_share_noperms" +mkdir "dir_inside_share_noperms" +touch "dir_inside_share_noperms/noperm_file_exists" +chmod 0 "dir_inside_share_noperms" +ln -s "dir_inside_share_noperms" "symlink_dir_inside_share_noperms" +) + +# +# smbclient function given command, path, expected error, and posix. +# +smbclient_expect_error() +{ + filecmd="$1" + filename1="$2" + filename2="$3" + expected_error="$4" + tmpfile=$PREFIX/smbclient_interactive_prompt_commands + cat > "$tmpfile" <<EOF +$filecmd $filename1 $filename2 +quit +EOF + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I$SERVER_IP < $tmpfile 2>&1' + eval echo "$cmd" + out=$(eval "$cmd") + ret=$? + rm -f "$tmpfile" + + if [ $ret != 0 ] ; then + printf "%s\n" "$out" + printf "failed accessing local_symlinks with error %s\n" "$ret" + return 1 + fi + + if [ "$expected_error" = "NT_STATUS_OK" ] ; then + printf "%s" "$out" | grep -v "NT_STATUS_" + else + printf "%s" "$out" | grep "$expected_error" + fi + ret=$? + if [ $ret != 0 ] ; then + printf "%s\n" "$out" + printf "failed - should get %s doing \"%s %s %s\"\n" "$expected_error" "$filecmd" "$filename1" "$filename2" + return 1 + fi +} + +# +# SMB2 tests. +# +test_symlink_traversal_SMB2_onename() +{ +name="$1" +do_rename="$2" +# +# get commands. +# + smbclient_expect_error "get" "$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "get" "$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + smbclient_expect_error "get" "$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 + smbclient_expect_error "get" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 +# Now in subdirectory emptydir + smbclient_expect_error "get" "emptydir/$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "get" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + smbclient_expect_error "get" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 + smbclient_expect_error "get" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 +# +# ls commands. +# + smbclient_expect_error "ls" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 + smbclient_expect_error "ls" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "ls" "$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "ls" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 +# Now in subdirectory emptydir + smbclient_expect_error "ls" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 + smbclient_expect_error "ls" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "ls" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "ls" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 + +# +# del commands. +# smbclient internally does a cli_list, so we expect similar errors. +# + smbclient_expect_error "del" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 + smbclient_expect_error "del" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 +# Now in subdirectory emptydir + smbclient_expect_error "del" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 + smbclient_expect_error "del" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + + if [ "$do_rename" = "do rename" ] ; then +# +# rename commands. +# + smbclient_expect_error "rename" "file_exists" "$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "rename" "file_exists" "$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 +# Now in subdirectory emptydir + smbclient_expect_error "rename" "file_exists" "emptydir/$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_expect_error "rename" "file_exists" "emptydir/$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + fi + return 0 +} + +# +# Check error code returns traversing through different +# kinds of symlinks over SMB2. +# +test_symlink_traversal_SMB2() +{ + test_symlink_traversal_SMB2_onename "symlink_noexist" "no rename" || return 1 + test_symlink_traversal_SMB2_onename "symlink_file_outside_share" "do rename" || return 1 + test_symlink_traversal_SMB2_onename "symlink_dir_outside_share" "do rename" || return 1 + test_symlink_traversal_SMB2_onename "symlink_dir_outside_share_noexist" "no rename" || return 1 + test_symlink_traversal_SMB2_onename "symlink_file_outside_share_noperms" "do rename" || return 1 + test_symlink_traversal_SMB2_onename "symlink_dir_outside_share_noperms" "do rename" || return 1 +# +# Test paths within share with no permissions. +# +# Can't 'get' file with no perms or a symlink to it. + smbclient_expect_error "get" "file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 + smbclient_expect_error "get" "symlink_file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 +# But can list it and the symlink to it. + smbclient_expect_error "ls" "file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 + smbclient_expect_error "ls" "symlink_file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 +# Can't 'get' file inside a directory with no perms or a symlink to it. + smbclient_expect_error "get" "dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 + smbclient_expect_error "get" "symlink_dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 +# But can list the directory with no perms and the symlink to it. + smbclient_expect_error "ls" "dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 + smbclient_expect_error "ls" "symlink_dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 +} + +testit "symlink_traversal_SMB2" \ + test_symlink_traversal_SMB2 || \ + failed=$((failed+1)) + +# +# Cleanup. +do_cleanup + +testok "$0" "$failed" diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 4a09a92bf24..539cbd42e5c 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -579,6 +579,12 @@ for env in ["fileserver"]: smbclient3, "-mSMB3"]) + plantestsuite("samba3.blackbox.test_symlink_traversal.SMB2", env, + [os.path.join(samba3srcdir, "script/tests/test_symlink_traversal_smb2.sh"), + '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', + '$PREFIX', smbclient3]) + + # # tar command tests # |