Re: smbd remote file creation vulnerability

From: Simple Nomad (thegnomeat_private)
Date: Thu Jun 28 2001 - 06:20:28 PDT


    On Thu, 28 Jun 2001, Olaf Kirch wrote:
    
    > On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:
    > > The limit on the netbios name length must include the ../../../ as a part
    > > of the name, so you've blown 9 characters right there to get to the root
    > > dir. Otherwise you could get to /etc/crontab or something and the exploit
    > > would not require a symlink. So the file can be created remotely, but as
    > > for the symlink that requires local access.
    >
    > Don't rely too much on the length limit. You may not have to go all the
    > way to the root. For instance, several platforms I've seen have /var/tmp.
    > Often, there are also /var/log/foobar directories owned by some special
    > foobar user - break that account first then hop on and become root.
    
    Assuming that creating a file with a .log extension in any of those
    directories would give you an account remotely. Not that Michal and
    several of us at BindView didn't look at that, but we didn't find anything
    that leapt out.
    
    > > Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
    > > which points to /etc/passwd, but that still won't work under the Openwall
    > > patch (just checked to make sure).
    >
    > Does that patch keep an attacker from doing the following?
    >
    > 	mkdir /tmp/x
    > 	ln -s /etc/passwd /tmp/x/.log
    
    Actually *that* works on Openwall since the x dir doesn't have the sticky
    bit set.
    
    > and sending a packet with a netbios name of ../../../tmp/x/
    > (which is 15 chars exactly)?
    
    Dunno about samba in particular, because I have no desire to load it on
    the system I have Openwall running on. I would suspect it would.
    
    > Or does it keep the attacker from doing this:
    >
    > 	ln /etc/passwd /tmp/x.log
    >
    > (note the absence of -s).
    
    Well it doesn't work on my machines because I have a nasty habit of
    putting /tmp on its own partition, as well as /var/log,
    /var/spool/mqueue, and /home among others -- partially for security
    purposes such as this. Default systems, I doubt it (see the section on
    Restricted Link in /tmp at http://www.openwall.com/linux/README). If the
    permissions allow the hard link with Openwall, odds are samba is the least
    of your worries ;-)
    
    -         Simple Nomad          -     "No rest for the Wicca'd"     -
    -      thegnomeat_private        -                                   -
    -  thegnomeat_private  - www.nmrc.org   razor.bindview.com -
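As an added example, not code from this thread or from Samba itself: a Python sketch of the log-file creation pattern being argued about, run against a constructed directory tree that stands in for /tmp, /etc/passwd and the daemon's log directory. The naive construction (the client-supplied NetBIOS name spliced straight into a log file name, so "../../../tmp/x/" lands on /tmp/x/.log) is an assumption made for illustration, as are all function and path names. The hardened writer rejects path characters in the name, opens with O_NOFOLLOW so the symlink in a non-sticky subdirectory is refused regardless of kernel patches, and refuses any target with st_nlink > 1, which is the check the "ln without -s" variant needs when /tmp is not on its own partition. Requires a POSIX system.

```python
import os
import shutil
import stat
import tempfile

# Characters allowed in a log file name derived from a client name (assumption
# for this example; the point is that '/', '.', and NUL never get through).
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def vulnerable_log_path(logdir, netbios_name):
    # Assumed naive construction: the name is spliced straight into the
    # file name, so "../../../tmp/x/" + ".log" escapes logdir entirely.
    return os.path.join(logdir, netbios_name + ".log")


def vulnerable_append(logdir, netbios_name, line):
    # open(..., "a") follows symlinks and writes through hard links, so
    # whatever /tmp/x/.log points at receives the attacker-chosen line.
    with open(vulnerable_log_path(logdir, netbios_name), "a") as f:
        f.write(line)


def validated_name(netbios_name):
    # NetBIOS names are at most 15 characters; anything that could move the
    # file out of logdir is rejected before a path is even built.
    if not 1 <= len(netbios_name) <= 15:
        raise ValueError("bad NetBIOS name length")
    if any(c not in SAFE_CHARS for c in netbios_name):
        raise ValueError("NetBIOS name contains unsafe characters")
    return netbios_name


def safe_append(logdir, netbios_name, line):
    path = os.path.join(logdir, validated_name(netbios_name) + ".log")
    # O_NOFOLLOW: a symlink as the final component fails with ELOOP instead
    # of being followed, whether or not the directory has the sticky bit.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("log target is not a regular file")
        # A hard link to /etc/passwd passes O_NOFOLLOW; the link count does not.
        if st.st_nlink > 1:
            raise ValueError("log target has extra hard links")
        if st.st_uid != os.geteuid():
            raise ValueError("log target owned by another user")
        os.write(fd, line.encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: victim file, log dir, attacker-controlled /tmp/x."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "etc", "passwd")   # stand-in for /etc/passwd
    os.makedirs(os.path.dirname(victim))
    with open(victim, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    logdir = os.path.join(root, "var", "log", "samba")
    os.makedirs(logdir)
    scratch = os.path.join(root, "tmp", "x")       # attacker's mkdir /tmp/x (no +t)
    os.makedirs(scratch)
    os.symlink(victim, os.path.join(scratch, ".log"))  # ln -s /etc/passwd /tmp/x/.log

    results = {}
    # 1. Naive handling walks out of logdir and writes through the symlink.
    vulnerable_append(logdir, "../../../tmp/x/", "evil::0:0::/:/bin/sh\n")
    with open(victim) as f:
        results["symlink_followed"] = "evil::0:0" in f.read()
    # 2. The same name is rejected by validation before any open().
    try:
        safe_append(logdir, "../../../tmp/x/", "x\n")
        results["traversal_rejected"] = False
    except ValueError:
        results["traversal_rejected"] = True
    # 3. A clean name whose .log is a symlink is refused by O_NOFOLLOW.
    os.symlink(victim, os.path.join(logdir, "WKSTA.log"))
    try:
        safe_append(logdir, "WKSTA", "x\n")
        results["symlink_rejected"] = False
    except OSError:
        results["symlink_rejected"] = True
    # 4. A hard link (ln without -s, same filesystem) is caught by st_nlink.
    os.link(victim, os.path.join(logdir, "HLINK.log"))
    try:
        safe_append(logdir, "HLINK", "x\n")
        results["hardlink_rejected"] = False
    except ValueError:
        results["hardlink_rejected"] = True
    # 5. An honest client still gets its log file.
    safe_append(logdir, "PC01", "session start\n")
    with open(os.path.join(logdir, "PC01.log")) as f:
        results["legit_written"] = f.read() == "session start\n"
    shutil.rmtree(root, ignore_errors=True)
    return results
```

Case 4 only reproduces when the victim and the log directory share a filesystem, which is exactly the condition the separate-partition habit above removes; the st_nlink check covers the default single-partition layout.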
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 15:01:52 PDT