[21243] in bugtraq
Re: smbd remote file creation vulnerability
daemon@ATHENA.MIT.EDU (sarnold@wirex.com)
Thu Jun 28 16:49:23 2001
Date: Wed, 27 Jun 2001 17:12:47 -0700
From: sarnold@wirex.com
To: Joachim Blaabjerg <styx@mailbox.as>
Cc: bugtraq@securityfocus.com
Message-ID: <20010627171247.T4196@wirex.com>
Mail-Followup-To: Joachim Blaabjerg <styx@mailbox.as>,
bugtraq@securityfocus.com
In-Reply-To: <20010626110804.58491b4c.styx@mailbox.as>; from styx@mailbox.as on Tue, Jun 26, 2001 at 11:08:04AM +0200

On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
> > Appending to /etc/passwd has nothing to do with pam.
>
> No, not directly, but if your `su` uses PAM to authenticate users and PAM
> reacts to the spaces in the beginning of the passwd file, it surely has
> something to do with PAM. To check whether `su` uses PAM or not, try "ldd
> `which su`|grep libpam"

The fun thing, of course, is that it doesn't matter about the specifics
of how 'su' reacts when presented with this situation. This just
happened to be a very simple and provocative exploit. The attacked
target doesn't have to be /etc/passwd. This exploit could be re-written
trivially to use other files -- think 'cron', /root/.bash_profile,
/etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more,
lines under control of an attacker.

Regardless of how anyone's 'su' reacts, upgrading samba to a fixed
version is very important.

Seth Arnold