Full Disclosure mailing list archives
Re: Samba Remote Zero-Day Exploit
From: Kingcope <kcope2 () googlemail com>
Date: Sat, 06 Feb 2010 00:38:07 +0100
Hello Paul,

First and foremost, I did not know about the configuration setting which closes the bug when I posted the advisory. So this was my mistake. But for most servers which are not entirely hardened (and my assumption is that this applies to many servers in internal networks) the traversal can be a serious issue, because a Samba user (even nobody) can create the symlinks. It would, in my point of view, be more secure to only allow administrators to create symlinks, as it is intended. Again, I might be wrong with this thought.

I first audited Windows Server 2008 for the new SMB2 hardlinking features. Symlinking on a Windows server is possible, but only when the remotely logged-in account is the Administrator. Creating symlinks to paths outside the directory of the given share is not possible. However, accessing a symlink in a directory which points to, for example, c:\ is possible. I don't say that because Samba should have the same semantics as Windows, but because its implementation of handling remote-to-local and local-to-remote symbolic links is more secure.

After failing in auditing the Windows servers on the potential vulnerabilities, I just gave Samba a try, and the default configuration of my Ubuntu Desktop System and CentOS Server allowed me to conduct the attack out of the box. Turning off symlink support in Samba closes the hole, but then no access to symlinks created by the administrator is possible, or am I wrong?

With Respect,
Kingcope

On Saturday, 06.02.2010, 09:43 +1100, paul.szabo () sydney edu au wrote:
> Dear Dan,
>
> > The bug here is that out-of-path symlinks are remotely writable. ...
>
> You mean "creatable".
>
> > ... the fact that he can *generate* the symlink breaks ...
>
> Nothing breaks if the admin sets "wide links = no" for that share: the link is not followed.
>
> > But Samba supports dropping a user into a path ...
>
> I never noticed such support documented: references please?
>
> > ... and it really does need to keep him there.
>
> You cannot "break out" of shares with "wide links = no".
>
> > ... Samba is supposed to match Windows semantics in general.
>
> No please, do not dumb it down.
>
> Cheers, Paul
>
> Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
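The two settings the thread argues about can be checked mechanically. The following is an added example, not code from the list or from the Samba project: it reads an smb.conf (a constructed sample is embedded) and reports the shares whose effective "follow symlinks" and "wide links" values would make the server follow a symlink pointing outside the share path. It assumes that when neither [global] nor the share sets "wide links", the build defaults it to yes, as the Samba versions discussed here did; confirm the real default with `testparm -v`.

```python
# Added example, not from the thread. Per Paul's point, "wide links = no" on a
# share stops out-of-path links being followed; "follow symlinks = no" (the
# setting Kingcope worries about) blocks every symlink, admin-created or not.
# Assumption: an unset "wide links" defaults to yes (Samba builds of that era).
SAMPLE_SMB_CONF = """\
[global]
   follow symlinks = yes
[public]
   path = /srv/samba/public
   writable = yes
[docs]
   path = /srv/samba/docs
   wide links = no
[archive]
   path = /srv/samba/archive
   follow symlinks = no
"""

def parse_smb_conf(text):
    # Minimal smb.conf reader: {section: {key: value}}, names lowercased.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _yes(value, default):
    return default if value is None else value.lower() in ("yes", "true", "1")

def audit_smb_conf(text, wide_links_default=True):
    # Return the shares whose effective settings follow out-of-share symlinks.
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    g_follow = _yes(g.get("follow symlinks"), True)
    g_wide = _yes(g.get("wide links"), wide_links_default)
    exposed = {}
    for share, sec in conf.items():
        if share == "global":
            continue
        follow = _yes(sec.get("follow symlinks"), g_follow)   # share overrides global
        wide = _yes(sec.get("wide links"), g_wide)
        if follow and wide:   # a link to /etc or / inside this share would be followed
            exposed[share] = {"path": sec.get("path"), "writable": _yes(sec.get("writable"), False)}
    return exposed
```

In the sample, only [public] is reported: [docs] sets "wide links = no" and [archive] disables symlinks entirely, which is the trade-off the two mails describe.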
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/