Juniper Networks

Signature Detail


Short Name

NETBIOS:DIR:CD-DOTDOTDOT

Severity

Medium

Recommended

No

Category

NETBIOS

Keywords

SMB samba smbd nmbd directory traverse

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

NETBIOS SMB CD...


This signature detects attempts to exploit a directory traversal vulnerability in the SMB protocol. Microsoft Windows 3.11 and Windows 95 Build 490.R6 are susceptible. Because SMB has no predefined current working directory, a cd command submitted to the SMBclient causes it to "remember" the directory and prepend it to all accessed file names. Attackers can send the command "cd..." to bypass the SMBchkpth and gain access to data outside the exported share.

Extended Description

Samba is a set of programs that allow Windows® clients access to a Unix server's filespace and printers over NetBIOS. A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups. smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. This prevents an attacker from traversing the server's directory tree and accessing files which would normally be inaccessible. Because the check for '/../' is performed by smbclient, the server assumes the client is filtering invalid input. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server. Since the server leaves this input validation up to the client, once the server is provided with path information which contains '/../', it assumes it to be valid. As a result, a directory traversal becomes possible, granting an attacker access to normally restricted portions of the host's filesystem. This can lead to the disclosure of security-related information, leaving the host open to further compromise.
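The root cause described above is a server that trusts the client to filter pathnames. The following is an added example, not code from Juniper, Samba or Microsoft, of a server-side check that validates the name itself; the function names and the share root `/srv/share` are hypothetical, and the sample requests are constructed.

```python
import posixpath


class PathRejected(ValueError):
    """Raised when a client-supplied name must not be served."""


def resolve_in_share(share_root, client_path):
    """Map a client-supplied SMB path to a path inside share_root, or raise."""
    if "\x00" in client_path:
        raise PathRejected("NUL byte in path")
    clean = []
    # SMB names use backslashes; treat both separators the same way.
    for part in client_path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue  # empty or current-directory component
        # Refuse "..", "..." and any longer dot-only component outright,
        # instead of trusting the client to have filtered them.
        if set(part) == {"."}:
            raise PathRejected("dot-only component: %r" % part)
        clean.append(part)
    root = posixpath.normpath(share_root)
    candidate = posixpath.normpath(posixpath.join(root, *clean))
    # Defence in depth: the normalized result must still be under the root.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PathRejected("path escapes share")
    return candidate


def is_allowed(share_root, client_path):
    """Return True if the server would serve this name, False if it rejects it."""
    try:
        resolve_in_share(share_root, client_path)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for name in ["docs\\report.txt", "...", "docs\\..\\..\\secret", "notes..txt"]:
        verdict = "allowed" if is_allowed("/srv/share", name) else "rejected"
        print(repr(name), "->", verdict)
```

The dot-only rule rejects the `...` form named in the signature as well as `..`, while ordinary file names that merely contain dots are still served.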

Affected Products

  • Microsoft Windows 3.11
  • Microsoft Windows 95 Build 490.R6

References

  • BugTraq: 1884

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.