[21217] in bugtraq
Re: smbd remote file creation vulnerability
daemon@ATHENA.MIT.EDU (Simple Nomad)
Wed Jun 27 18:02:59 2001
Date: Tue, 26 Jun 2001 16:46:01 -0400 (EDT)
From: Simple Nomad <thegnome@nmrc.org>
To: <bugtraq@securityfocus.com>
In-Reply-To: <20010626145337.A3377@hq.alert.sk>
Message-ID: <Pine.LNX.4.33.0106261615280.27194-100000@www.nmrc.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The limit on the netbios name length must include the ../../../ as a part
of the name, so you've blown 9 characters right there to get to the root
dir. Otherwise you could get to /etc/crontab or something and the exploit
would not require a symlink. So the file can be created remotely, but as
for the symlink that requires local access.
Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
which points to /etc/passwd, but that still won't work under the Openwall
patch (just checked to make sure).
- Simple Nomad - "No rest for the Wicca'd" -
- thegnome@nmrc.org - -
- thegnome@razor.bindview.com - www.nmrc.org razor.bindview.com -
On Tue, 26 Jun 2001, Pavol Luptak wrote:
> On Tue, Jun 26, 2001 at 09:53:29AM +0300, Jarno Huuskonen wrote:
> > On Mon, Jun 25, Pavol Luptak wrote:
> > > Linux kernels with openwall patch (with restricted links in /tmp) are
> > > immune to this type of attack (following symlinks does not work, link
> > > owner does not match with file's owner).
> >
> > The symlink restrictions work only in /tmp (mode 1777) directories, so
> > making the symlink in your own homedir still works (should work).
>
> Yes, the symlink does not have to be in /tmp, but you have to ensure
> the path to your symlink in your own homedir is short enough to fit in the
> NetBIOS name (about 15 characters).
> --
> _______________________________________________________________________
> [wilder@hq.alert.sk] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678]
>
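Added editorial example, not code from the thread or from Samba: a small Python model of the three points argued above. It assumes a log template of /var/log/samba/%m.log (three directory levels, so "../../../" costs the 9 characters Simple Nomad mentions), a 15-character NetBIOS name budget, and a simplified version of the Openwall restricted-links rule (in a sticky directory, a symlink is followed only when its owner is the directory owner or the process's fsuid). The link chain, uids and paths are constructed for the scenario in the message: smbd running as root, an attacker's symlink in /tmp pointing into their home directory and from there to /etc/passwd.

```python
"""Constructed model of the smbd log-file traversal and symlink discussion.
Not Samba code: the log template, limits and symlink rule are assumptions."""
import posixpath
from dataclasses import dataclass

LOG_TEMPLATE = "/var/log/samba/%m.log"  # assumed smb.conf "log file"; %m = client NetBIOS name
NETBIOS_NAME_MAX = 15                   # the "about 15 characters" budget from the thread


def vulnerable_log_path(netbios_name, template=LOG_TEMPLATE):
    """Naive substitution: the client-chosen name goes straight into the path,
    so '../' components walk out of the log directory."""
    return posixpath.normpath(template.replace("%m", netbios_name))


def traversal_name(target, template=LOG_TEMPLATE):
    """Shortest NetBIOS name that makes `template` resolve to `target`, or None.
    Each directory level above the log dir costs three characters ('../')."""
    log_dir = posixpath.dirname(template)
    prefix, suffix = posixpath.basename(template).split("%m")
    # A literal prefix ("log.") or a suffix the target lacks cannot be shed by '..'.
    if prefix or not target.startswith("/") or not target.endswith(suffix):
        return None
    depth = len([c for c in log_dir.split("/") if c])
    rel = target[1:len(target) - len(suffix)] if suffix else target[1:]
    return "../" * depth + rel


def fits_netbios(name, max_len=NETBIOS_NAME_MAX):
    """Does the crafted name fit the NetBIOS length budget?"""
    return name is not None and len(name) <= max_len


def safe_log_path(netbios_name, template=LOG_TEMPLATE):
    """Hardened form: accept only a plain name, then confirm the normalised
    path is still inside the log directory (defence in depth)."""
    if not netbios_name or len(netbios_name) > NETBIOS_NAME_MAX:
        raise ValueError("bad NetBIOS name length")
    if not all(c.isalnum() or c in "-_" for c in netbios_name):
        raise ValueError("NetBIOS name contains a character we refuse to put in a path")
    log_dir = posixpath.dirname(template)
    path = posixpath.normpath(template.replace("%m", netbios_name))
    if posixpath.commonpath([log_dir, path]) != log_dir:
        raise ValueError("log path escapes the log directory")
    return path


@dataclass
class Symlink:
    target: str
    owner: int       # uid that created the link
    dir_owner: int   # uid owning the containing directory
    dir_mode: int    # mode bits of the containing directory


def may_follow(link, fsuid, restricted=True):
    """Simplified model of the Openwall 'restricted links' rule: in a sticky
    (+t) directory a symlink is followed only if its owner is the directory
    owner or the process's fsuid.  Elsewhere it is always followed."""
    if not restricted or not (link.dir_mode & 0o1000):
        return True
    return link.owner in (link.dir_owner, fsuid)


def resolve(path, links, fsuid, restricted=True):
    """Walk a symlink chain under the model; returns (path_reached, fully_followed)."""
    seen = set()
    while path in links:
        if path in seen:
            raise RuntimeError("symlink loop")
        seen.add(path)
        if not may_follow(links[path], fsuid, restricted):
            return path, False
        path = links[path].target
    return path, True


# Constructed scenario: smbd runs as root (fsuid 0); the attacker is uid 1000.
ROOT, ATTACKER = 0, 1000
LINKS = {
    "/tmp/x.log": Symlink("/home/attacker/tmp/x.log", ATTACKER, ROOT, 0o1777),
    "/home/attacker/tmp/x.log": Symlink("/etc/passwd", ATTACKER, ATTACKER, 0o755),
}

if __name__ == "__main__":
    name = traversal_name("/tmp/x.log")
    print(name, fits_netbios(name), vulnerable_log_path(name))
    print("unpatched kernel:", resolve("/tmp/x.log", LINKS, ROOT, restricted=False))
    print("openwall kernel: ", resolve("/tmp/x.log", LINKS, ROOT, restricted=True))
    home = traversal_name("/home/attacker/tmp/x.log")
    print(home, fits_netbios(home))
```

Run as a script it shows the whole argument: the 14-character name "../../../tmp/x" fits and lands the log at /tmp/x.log; on an unpatched kernel the root-owned smbd follows the chain through the attacker's home directory to /etc/passwd, while the Openwall rule stops it at the first hop because the link in /tmp is owned by neither root nor the directory owner; placing the link directly in the home directory is followed, but the name needed to reach it is 28 characters and does not fit the NetBIOS budget.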