On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote: > The limit on the netbios name length must include the ../../../ as a part > of the name, so you've blown 9 characters right there to get to the root > dir. Otherwise you could get to /etc/crontab or something and the exploit > would not require a symlink. So the file can be created remotely, but as > for the symlink that requires local access. Don't rely too much on the length limit. You may not have to go all the way to the root. For instance, several platforms I've seen have /var/tmp. Often, there are also /var/log/foobar directories owned by some special foobar user - break that account first then hop on and become root. > Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log > which points to /etc/passwd, but that still won't work under the Openwall > patch (just checked to make sure). Does that patch keep an attacker from doing the following? mkdir /tmp/x ln -s /etc/passwd /tmp/x/.log and sending a packet with a netbios name of ../../../tmp/x/ (which is 15 chars exactly)? Or does it keep the attacker from doing this: ln /etc/passwd /tmp/x.log (note the absence of -s). Olaf -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okirat_private | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okirat_private +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers.
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 14:48:05 PDT