[18095] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Symlink attack in (all?) Samba. - Local root walkthrough by

daemon@ATHENA.MIT.EDU (Jeffrey W. Baker)
Fri Dec 15 16:13:28 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.31.0012141519570.224-100000@heat.dci>
Date:         Thu, 14 Dec 2000 15:23:55 -0800
Reply-To: "Jeffrey W. Baker" <jwbaker@ACM.ORG>
From: "Jeffrey W. Baker" <jwbaker@ACM.ORG>
X-To:         Tozz <tozz@HACKERS4HACKERS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <002a01c0655a$eae19c10$0100000a@loesje>

On Thu, 14 Dec 2000, Tozz wrote:

> Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
> =================================================================
>
> Requirements:
>
> * Shell access or any other way to create symlinks
> * A running samba deamon
> * The username and/or password of a user named in the
>   admin lists in one or more shares.
> * Brains are not required.

This is really well documented, and comes as no surprise to an educated
Samba user.  In order for your "exploit" to actually work, the
administrator must have granted a person "admin user" privileges, after
having read this in the documentation:

              This  is a list of users who will be granted admin-
              istrative privileges on the share. This means  that
              they  will do all file operations as the super-user
              (root).

              You should use this option very carefully,  as  any
              user  in this list will be able to do anything they
              like on the share,  irrespective  of  file  permis-
              sions.

and this:

              This parameter allows the  Samba  administrator  to
              stop  smbd  from following symbolic links in a par-
              ticular share. Setting this parameter to "No"  pre-
              vents any file or directory that is a symbolic link
              from being followed (the user will get  an  error).
              This  option  is  very  useful  to  stop users from
              adding a symbolic link to /etc/passwd in their home
              directory for instance.  However it will slow file-
              name lookups down slightly.

Well shit, Wally, I guess we had better not give admin privs to untrusted
people.

The bottom line is that to execute this exploit, you must be trusted by
the administrator, and thus you could probably get blanket sudo if you
wanted it anyway.

-jwb
home help back first fref pref prev next nref lref last post