Full Disclosure mailing list archives
Re: Samba Remote Zero-Day Exploit
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Tue, 9 Feb 2010 21:53:38 +0100
Michael Wojcik wrote:
From: Stefan Kanthak [mailto:stefan.kanthak () nexgo de] Sent: Monday, 08 February, 2010 16:33 Michael Wojcik wrote:From: Stefan Kanthak [mailto:stefan.kanthak () nexgo de] Sent: Saturday, 06 February, 2010 08:21 Since Windows 2000 NTFS supports "junctions", which pretty much resemble Unix symlinks, but only for directories. See <http://support.microsoft.com/kb/205524/en-us>And at least since Vista, it also supports symlinks, which are designeds/at least// [ well-known facts snipped ]So ... your original note about junctions did not cover "well-known
~~~~~~~~~~~~~
facts", but my note about other reparse point types did?
It's best practice (see http://www.ietf.org/rfc/rfc1855.txt) not to include unreferenced parts of the message to be answered. There's no need to repeat undisputed and undoubtly correct facts.
The Windows SMB server apparently won't cross reparse points,though,so there's no equivalent vulnerability.NO, Windows SMB server crosses reparse points!Not in my testing, at least not for junctions and symlinks.
I'm using junctions on Windows 2000/XP/2003 at least since 2002, and of course they are traversed on shares too!
User with requisite authority could traverse the junctions and symlinks locally, but not remotely via a share.
Test again!
But as Dan Kaminsky pointed out, you need to have administrativerightsto remotely create a junction on an SMB share, so the non-admin user cant get himself access to files outside a share he's allowed to access.Unless the reparse point already exists.
Of course, but that's not the question here.
This particular exploit happened to involve a remote user creating a symlink.
Correct. But to accomplish that, the "unix extensions" need to be enabled in the first place.
That doesn't mean there are no other imaginable vulnerabilities stemming from filesystem objects that violate the notional tree structure of the directory hierarchy. The obvious one: someone shares a branch of the directory tree in the belief that clients only have access to that part of the tree, but the tree already contains a convenience symlink (Unix) or reparse point (Windows) that points elsewhere in the hierarchy. That's one reason why Samba has had the "wide links=no" option since, what, the mid-1990s.
I'm using Samba since 1993 and know that quite well.
You surely can find my name in some places in the docs and other files
of the distribution too.-)
Stefan
PS: would you mind to setup your Exchange Server correctly? It rebreaks
cited lines and destroys correct the quoting.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Samba Remote Zero-Day Exploit, (continued)
- Re: Samba Remote Zero-Day Exploit Kingcope (Feb 05)
- Re: Samba Remote Zero-Day Exploit paul . szabo (Feb 05)
- Re: Samba Remote Zero-Day Exploit Thierry Zoller (Feb 06)
- Re: Samba Remote Zero-Day Exploit Stefan Kanthak (Feb 06)
- Re: Samba Remote Zero-Day Exploit Dan Kaminsky (Feb 06)
- Re: Samba Remote Zero-Day Exploit Stefan Kanthak (Feb 08)
- Re: Samba Remote Zero-Day Exploit Dan Kaminsky (Feb 06)
- Re: Samba Remote Zero-Day Exploit Michael Wojcik (Feb 09)
- Re: Samba Remote Zero-Day Exploit Stefan Kanthak (Feb 09)
- Re: Samba Remote Zero-Day Exploit Michael Wojcik (Feb 09)
- Re: Samba Remote Zero-Day Exploit Stefan Kanthak (Feb 10)
- Re: Samba Remote Zero-Day Exploit paul . szabo (Feb 06)
- Re: Samba Remote Zero-Day Exploit Krzysztof Halasa (Feb 09)
- Re: Samba Remote Zero-Day Exploit paul . szabo (Feb 06)
- Re: Samba Remote Zero-Day Exploit David Jacoby (Feb 10)