author | Volker Lendecke <vl@samba.org> | 2022-10-15 14:09:55 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-10-25 10:31:34 +0000 |
commit | c770b7872daae21e5ead57374707d7ac334c8f69 (patch) | |
tree | 73d90fa6b305cde62b32fb01f370b855467c9aa1 /source3/script/tests | |
parent | dc650bde6f97ea63d6105ead874b0249307db13b (diff) | |
download | samba-c770b7872daae21e5ead57374707d7ac334c8f69.tar.gz |

CVE-2022-3592 torture3: Show that our symlink traversal checks are insecure

This test shows that we don't properly check whether symlink targets
are inside the exported share. Linking to <share-root>a/etc makes us
loop back into filename_convert_dirfsp_nosymlink() with /etc as a
directory name.

On Linux systems with openat2(RESOLVE_NO_SYMLINKS) we pass "/etc"
directly into that call after some checks for "."/".." as invalid file
name components. "/etc" is okay for openat2(), but this test must also
succeed on systems without RESOLVE_NO_SYMLINKS (sn-devel-184 for
example). On systems without RESOLVE_NO_SYMLINKS we split up the path
"/etc" into path components, in this case "" and "etc". So we pass ""
down to openat(), which correctly fails with ENOENT.

Summary: Only with RESOLVE_NO_SYMLINKS we're hit by bug 15207, and
this test shows by expecting CONNECTION_DISCONNECTED that we violate
the internal assumption of empty path components with an unexpected
symlink target, making it testable on systems with and without
RESOLVE_NO_SYMLINKS.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207

Signed-off-by: Volker Lendecke <vl@samba.org>

Diffstat (limited to 'source3/script/tests')
-rwxr-xr-x | source3/script/tests/test_symlink_traversal_smb2.sh | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/source3/script/tests/test_symlink_traversal_smb2.sh b/source3/script/tests/test_symlink_traversal_smb2.sh index efd4353c533..08929f0962f 100755 --- a/source3/script/tests/test_symlink_traversal_smb2.sh +++ b/source3/script/tests/test_symlink_traversal_smb2.sh @@ -144,6 +144,9 @@ chmod 0 "$dir_outside_share_noperms" mkdir "dir_inside_share_noperms/noperm_subdir_exists" touch "dir_inside_share_noperms/noperm_subdir_exists/noperm_subdir_file_exists" chmod 0 "dir_inside_share_noperms" + + # Symlink pointing out of the share + ln -s "$share_test_dir"a"/etc" x ) # @@ -345,6 +348,7 @@ test_symlink_traversal_SMB2() smbclient_expect_error "get" "symlink_to_dir_exists/subdir_exists" "" "NT_STATUS_FILE_IS_A_DIRECTORY" || return 1 smbclient_expect_error "get" "symlink_to_dir_exists/subdir_exists/noexist1" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 smbclient_expect_error "get" "symlink_to_dir_exists/subdir_exists/noexist1/noexist2" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + smbclient_expect_error "get" "x/passwd" "passwd" "NT_STATUS_CONNECTION_DISCONNECTED" || return 1 # # Test paths within share with no permissions. |
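Review bot: In the first hunk (@@ -144,6 +144,9 @@), the comment "Symlink pointing out of the share" does not say why the target is the share root with a literal "a" appended, and that is the whole point of the case: per the commit message, it is the <share-root>a/etc form that loops back into filename_convert_dirfsp_nosymlink() with /etc as a directory name. Someone reading only the script will see `ln -s "$share_test_dir"a"/etc" x` as a quoting slip and may "fix" it. Please spell the construction out in the comment and reference bug 15207. The target would also read more clearly as a single quoted word, `"${share_test_dir}a/etc"`, and the link name `x` could follow the descriptive naming of the neighbouring fixtures (for example `symlink_to_dir_exists`) so that a failure log identifies the case.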
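Review bot: In the second hunk (@@ -345,6 +348,7 @@), the new `smbclient_expect_error "get" "x/passwd" "passwd" "NT_STATUS_CONNECTION_DISCONNECTED"` line asserts the broken behaviour, yet nothing in the script marks it as a known-bad expectation. The commit message says CONNECTION_DISCONNECTED is what the violated empty-path-component assumption produces, so this status has to change once bug 15207 is fixed. A comment above the line naming the bug and stating the status expected after the fix would keep the intent visible to whoever updates the test. The third argument is "passwd" here while the neighbouring calls pass ""; if that difference is intentional, a short note on why would help.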