Home page logo

bugtraq logo Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: Olaf Kirch <okir () caldera de>
Date: Thu, 28 Jun 2001 12:19:32 +0200

On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:
The limit on the netbios name length must include the ../../../ as a part
of the name, so you've blown 9 characters right there to get to the root
dir. Otherwise you could get to /etc/crontab or something and the exploit
would not require a symlink. So the file can be created remotely, but as
for the symlink that requires local access.

Don't rely too much on the length limit. You may not have to go all the
way to the root. For instance, several platforms I've seen have /var/tmp.
Often, there are also /var/log/foobar directories owned by some special
foobar user - break that account first then hop on and become root.

Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
which points to /etc/passwd, but that still won't work under the Openwall
patch (just checked to make sure).

Does that patch keep an attacker from doing the following?

        mkdir /tmp/x
        ln -s /etc/passwd /tmp/x/.log

and sending a packet with a netbios name of ../../../tmp/x/
(which is 15 chars exactly)?

Or does it keep the attacker from doing this:

        ln /etc/passwd /tmp/x.log

(note the absence of -s).

Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]