Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: Simple Nomad <thegnome () nmrc org>
Date: Thu, 28 Jun 2001 09:20:28 -0400 (EDT)
On Thu, 28 Jun 2001, Olaf Kirch wrote:
On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:The limit on the netbios name length must include the ../../../ as a part of the name, so you've blown 9 characters right there to get to the root dir. Otherwise you could get to /etc/crontab or something and the exploit would not require a symlink. So the file can be created remotely, but as for the symlink that requires local access.Don't rely too much on the length limit. You may not have to go all the way to the root. For instance, several platforms I've seen have /var/tmp. Often, there are also /var/log/foobar directories owned by some special foobar user - break that account first then hop on and become root.
Assuming that creating a file with a .log extension in any of those directories would give you an account remotely. Not that Michal and several of us at BindView didn't look at that, but we didn't find anything that lept out.
Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log which points to /etc/passwd, but that still won't work under the Openwall patch (just checked to make sure).Does that patch keep an attacker from doing the following? mkdir /tmp/x ln -s /etc/passwd /tmp/x/.log
Actually *that* works on Openwall since the x dir doesn't have the sticky bit set.
and sending a packet with a netbios name of ../../../tmp/x/ (which is 15 chars exactly)?
Dunno about samba in particular, because I have no desire to load it on the system I have Openwall running on. I would suspect it would.
Or does it keep the attacker from doing this: ln /etc/passwd /tmp/x.log (note the absence of -s).
Well it doesn't work on my machines because I have a nasty habit of putting /tmp on it's own partition, as well as /var/log, /var/spool/mqueue, and /home among others -- partially for security purposes such as this. Default systems, I doubt it (see the section on Restricted Link in /tmp at http://www.openwall.com/linux/README). If the permissions allow the hard link with Openwall, odds are samba is the least of your worries ;-) - Simple Nomad - "No rest for the Wicca'd" - - thegnome () nmrc org - - - thegnome () razor bindview com - www.nmrc.org razor.bindview.com -
Current thread:
- smbd remote file creation vulnerability Michal Zalewski (Jun 24)
- Re: smbd remote file creation vulnerability maniac (Jun 25)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 25)
- Re: smbd remote file creation vulnerability Jarno Huuskonen (Jun 26)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 26)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 27)
- Re: smbd remote file creation vulnerability Olaf Kirch (Jun 28)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 28)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 25)
- Re: smbd remote file creation vulnerability maniac (Jun 25)
- Re: smbd remote file creation vulnerability Tomek Lipski (Jun 26)
- Re: smbd remote file creation vulnerability Wichert Akkerman (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability Steve Beattie (Jun 28)
- Re: smbd remote file creation vulnerability Phil Stracchino (Jun 28)
- Re: smbd remote file creation vulnerability Joachim Blaabjerg (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability sarnold (Jun 28)
- Re: smbd remote file creation vulnerability Joseph Nicholas Yarbrough (Jun 26)