The Samba-Bugzilla – Bug 6478
smbclient interpolates % character in remote file name; CVE-2009-1886
Last modified: 2012-03-17 00:06:44 UTC
Hi, I came across this issue in this binary:
rnissl@corei7:~> smbclient -V
To reproduce the issue, execute a command like the following (the file in question, aa%3Fbb, shall exist on the remote server):
rnissl@corei7:~> echo 'get aa%3Fbb' | smbclient '//nb_merlin/c$' geheim -U administrator -W nb_merlin -I 192.168.101.99
Domain=[FEE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \aa0,000000bb
See that %3F got interpolated to 0,000000.
The file can be retrieved by doubling the %, but the retrieved file then contains %% in its file name. As a workaround, one has to specify both the remote and the local filename, e.g. like this: get aa%%3Fbb aa%3Fbb
More obvious is a put:
smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)
I came across this issue after updating a SuSE 9.1 system to openSUSE 11.1. Another system with openSUSE 10.3, running 3.0.28 doesn't show this issue.
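As an added C example (not Samba's code and not from the reporter): the 0,000000 output above is what a printf-style function produces when a file name reaches it as the format argument, so %3F is consumed as a float conversion. The block shows a pre-check for such names, the safe call pattern that passes the name through "%s", and the doubled-% workaround from the report; all function names are hypothetical.

```c
/* Added example, not Samba code: the bug class behind the report and its mitigations. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* True if `name` holds a '%' that a printf-style function would read as a
 * conversion specifier (anything but "%%"). "aa%3Fbb" qualifies: "%3F" is a
 * float conversion, which is why the client printed "aa0,000000bb". */
bool has_format_directive(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p == '%' && p[1] == '%') { p++; continue; }  /* literal "%%" */
        if (*p == '%') return true;
    }
    return false;
}

/* Safe construction of the remote path: the name is data, passed through
 * "%s", never used as the format argument, so it survives verbatim. */
const char *build_remote_path(const char *name)
{
    static char path[260];
    snprintf(path, sizeof path, "\\%s", name);
    return path;
}

/* Client-side workaround from the report for an unfixed smbclient: double
 * every '%' so the interpolation yields the literal name. The caller must
 * still give the local name explicitly, e.g.  get aa%%3Fbb aa%3Fbb */
const char *escape_percent(const char *name)
{
    static char out[260];
    size_t n = 0;
    for (; *name && n + 2 < sizeof out; name++) {
        if (*name == '%')
            out[n++] = '%';
        out[n++] = *name;
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    const char *name = "aa%3Fbb";   /* constructed, taken from the report */
    printf("needs escaping: %d\n", has_format_directive(name));
    printf("safe path:      %s\n", build_remote_path(name));
    printf("smbclient cmd:  get %s %s\n", escape_percent(name), name);
    return 0;
}
```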
Created attachment 4293
Patch for 3.2
Can you try this patch?
This is a 3.2 only issue, in 3.3 and beyond it's already fixed.
The changes look ok to me. I hope the openSUSE people release an updated samba_client package soon for testing.
This one made the recent security releases. Fixed now.