[21247] in bugtraq


Re: smbd remote file creation vulnerability

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Thu Jun 28 17:47:31 2001

Date: Thu, 28 Jun 2001 12:19:32 +0200
From: Olaf Kirch <okir@caldera.de>
To: Simple Nomad <thegnome@nmrc.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20010628121932.B26878@monad.caldera.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0106261615280.27194-100000@www.nmrc.org>; from thegnome@nmrc.org on Tue, Jun 26, 2001 at 04:46:01PM -0400

On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:
> The limit on the netbios name length must include the ../../../ as a part
> of the name, so you've blown 9 characters right there to get to the root
> dir. Otherwise you could get to /etc/crontab or something and the exploit
> would not require a symlink. So the file can be created remotely, but as
> for the symlink that requires local access.

Don't rely too much on the length limit. You may not have to go all the
way to the root. For instance, several platforms I've seen have /var/tmp.
Often, there are also /var/log/foobar directories owned by some special
foobar user - break that account first then hop on and become root.

> Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
> which points to /etc/passwd, but that still won't work under the Openwall
> patch (just checked to make sure).

Does that patch keep an attacker from doing the following?

	mkdir /tmp/x
	ln -s /etc/passwd /tmp/x/.log

and sending a packet with a netbios name of ../../../tmp/x/
(which is 15 chars exactly)?

Or does it keep the attacker from doing this:

	ln /etc/passwd /tmp/x.log

(note the absence of -s).

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            
