On Thu, 28 Jun 2001, Olaf Kirch wrote: > On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote: > > The limit on the netbios name length must include the ../../../ as a part > > of the name, so you've blown 9 characters right there to get to the root > > dir. Otherwise you could get to /etc/crontab or something and the exploit > > would not require a symlink. So the file can be created remotely, but as > > for the symlink that requires local access. > > Don't rely too much on the length limit. You may not have to go all the > way to the root. For instance, several platforms I've seen have /var/tmp. > Often, there are also /var/log/foobar directories owned by some special > foobar user - break that account first then hop on and become root. Assuming that creating a file with a .log extension in any of those directories would give you an account remotely. Not that Michal and several of us at BindView didn't look at that, but we didn't find anything that lept out. > > Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log > > which points to /etc/passwd, but that still won't work under the Openwall > > patch (just checked to make sure). > > Does that patch keep an attacker from doing the following? > > mkdir /tmp/x > ln -s /etc/passwd /tmp/x/.log Actually *that* works on Openwall since the x dir doesn't have the sticky bit set. > and sending a packet with a netbios name of ../../../tmp/x/ > (which is 15 chars exactly)? Dunno about samba in particular, because I have no desire to load it on the system I have Openwall running on. I would suspect it would. > Or does it keep the attacker from doing this: > > ln /etc/passwd /tmp/x.log > > (note the absence of -s). Well it doesn't work on my machines because I have a nasty habit of putting /tmp on it's own partition, as well as /var/log, /var/spool/mqueue, and /home among others -- partially for security purposes such as this. Default systems, I doubt it (see the section on Restricted Link in /tmp at http://www.openwall.com/linux/README). If the permissions allow the hard link with Openwall, odds are samba is the least of your worries ;-) - Simple Nomad - "No rest for the Wicca'd" - - thegnomeat_private - - - thegnomeat_private - www.nmrc.org razor.bindview.com -
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 15:01:52 PDT