Home page logo

bugtraq logo Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: sarnold () wirex com
Date: Wed, 27 Jun 2001 17:12:47 -0700

On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
Appending to /etc/passwd has nothing to do with pam.

No, not directly, but if your `su` uses PAM to authenticate users and PAM
reacts to the spaces in the beginning of the passwd file, it surely has
something to do with PAM. To check whether `su` uses PAM or not, try "ldd
`which su`|grep libpam"

The fun thing, of course, is that it doesn't matter about the specifics
of how 'su' reacts when presented with this situation. This just
happened to be a very simple and provocative exploit. The attacked
target doesn't have to be /etc/passwd. This exploit could be re-written
trivially to use other files -- think 'cron', /root/.bash_profile,
/etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more,
lines under control of an attacker.

Regardless of how anyone's 'su' reacts, upgrading samba to a fixed
version is very important.

Seth Arnold

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]