Bugtraq mailing list archives
Re: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Thu, 14 Dec 2000 15:23:55 -0800
On Thu, 14 Dec 2000, Tozz wrote:
> Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
> =================================================================
>
> Requirements:
> * Shell access or any other way to create symlinks
> * A running samba daemon
> * The username and/or password of a user named in the admin lists in one or more shares.
> * Brains are not required.
This is really well documented, and comes as no surprise to an educated Samba user. In order for your "exploit" to actually work, the administrator must have granted a person "admin user" privileges, after having read this in the documentation:

    This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root). You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

and this:

    This parameter allows the Samba administrator to stop smbd from following symbolic links in a particular share. Setting this parameter to "No" prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.

Well shit, Wally, I guess we had better not give admin privs to untrusted people.

The bottom line is that to execute this exploit, you must be trusted by the administrator, and thus you could probably get blanket sudo if you wanted it anyway.

-jwb
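The two documentation excerpts quoted in the message above describe the smb.conf parameters `admin users` and `follow symlinks`. As an added example that is not part of the original post, the Python below audits a configuration for shares that set `admin users` while symlink following is left enabled. The sample configuration, share names, users and function names are constructed for illustration; it assumes Samba's default of `follow symlinks = yes` and that share settings override `[global]`.

```python
FALSE_VALUES = {"no", "false", "off", "0"}  # spellings Samba reads as boolean false
# Constructed sample configuration; share names and users are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
   follow symlinks = yes

[projects]
   admin users = alice, @wheel

[scratch]
   admin users = bob
   Follow Symlinks = No

[public]
   path = /srv/public
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def parse(conf_text):
    """Minimal smb.conf reader: sections, key = value, '#' and ';' comments."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections

def audit(conf_text):
    """Map share name -> admin users where symlinks are still followed."""
    sections = parse(conf_text)
    defaults = sections.get("global", {})
    findings = {}
    for share, params in sections.items():
        merged = {**defaults, **params}  # share settings override [global]
        admins = merged.get("adminusers", "").replace(",", " ").split()
        follows = merged.get("followsymlinks", "yes").lower() not in FALSE_VALUES
        if share != "global" and admins and follows:
            findings[share] = admins
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

Only `[projects]` is reported for the sample: `[scratch]` disables symlink following and `[public]` names no admin users.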