Home page logo

bugtraq logo Bugtraq mailing list archives

Re: smbd remote file creation vulnerability
From: Simple Nomad <thegnome () nmrc org>
Date: Thu, 28 Jun 2001 09:20:28 -0400 (EDT)

On Thu, 28 Jun 2001, Olaf Kirch wrote:

On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:
The limit on the netbios name length must include the ../../../ as a part
of the name, so you've blown 9 characters right there to get to the root
dir. Otherwise you could get to /etc/crontab or something and the exploit
would not require a symlink. So the file can be created remotely, but as
for the symlink that requires local access.

Don't rely too much on the length limit. You may not have to go all the
way to the root. For instance, several platforms I've seen have /var/tmp.
Often, there are also /var/log/foobar directories owned by some special
foobar user - break that account first then hop on and become root.

Assuming that creating a file with a .log extension in any of those
directories would give you an account remotely. Not that Michal and
several of us at BindView didn't look at that, but we didn't find anything
that lept out.

Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
which points to /etc/passwd, but that still won't work under the Openwall
patch (just checked to make sure).

Does that patch keep an attacker from doing the following?

      mkdir /tmp/x
      ln -s /etc/passwd /tmp/x/.log

Actually *that* works on Openwall since the x dir doesn't have the sticky
bit set.

and sending a packet with a netbios name of ../../../tmp/x/
(which is 15 chars exactly)?

Dunno about samba in particular, because I have no desire to load it on
the system I have Openwall running on. I would suspect it would.

Or does it keep the attacker from doing this:

      ln /etc/passwd /tmp/x.log

(note the absence of -s).

Well it doesn't work on my machines because I have a nasty habit of
putting /tmp on it's own partition, as well as /var/log,
/var/spool/mqueue, and /home among others -- partially for security
purposes such as this. Default systems, I doubt it (see the section on
Restricted Link in /tmp at http://www.openwall.com/linux/README). If the
permissions allow the hard link with Openwall, odds are samba is the least
of your worries ;-)

-         Simple Nomad          -     "No rest for the Wicca'd"     -
-      thegnome () nmrc org        -                                   -
-  thegnome () razor bindview com  - www.nmrc.org   razor.bindview.com -

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]