[33596] in bugtraq


Re: Samba 3.x + kernel 2.6.x local root vulnerability

daemon@ATHENA.MIT.EDU (Guille -bisho-)
Tue Feb 10 20:35:36 2004

From: Guille -bisho- <bisho@onirica.com>
To: Michal Medvecky <M.Medvecky@sh.cvut.cz>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20040210064528.GA21872@slovakia.sh.cvut.cz>
Message-Id: <1076419902.8474.58.camel@localhost>
Mime-Version: 1.0
Date: Tue, 10 Feb 2004 14:31:42 +0100


> You all still don't understand the problem.
> 
> I have a setuid smbmnt on the client side and one remote SMB share that I own.
> 
> I create a setuid binary on the share, and MOUNT THE SHARE under a regular user
> with uid != 0. Then run that binary and gain root privileges.
> 
> Is it clear? This is not the issue with the remote server. It's just the
> 'tool' to misuse.

Ok. I understand now :) (And I'm able to reproduce it).

It works only on kernel 2.6.
Doing the same on a 2.4 kernel results in the share being mounted with the
correct uid, gid and masks:

smbmount //machine/share /tmp/foo -o username=test,fmask=1755,dmask=755,uid=0,gid=0,debug=0,workgroup=test

Even trying to set uid=0 and gid=0 and the fmask to 1755, the share is
mounted in a safe way, without setuid binaries and set with the user's uid.

The 2.6 kernel does not honour the uid/gid and mounts the share with the
original uids and permissions, whatever masks are set at mount time.

-- 
        _     Guillermo Pérez    -=] 10/02/2004 [=-
       <·)     - bisho@ ( onirica.com | eurielec.etsit.upm.es )
       ( \>
bisho!  ""\\  ::        Software Patents will kill Open Source        ::
   ..........::                 EuropeSwPatentFree:                   ::
   ::            http://europeswpatentfree.hispalinux.es/             ::
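A client-side audit for the condition discussed in this thread, added here as an example and not part of the original post or of Samba: it parses a /proc/mounts-style table for smbfs/cifs mounts that lack nosuid (or noexec) and counts setuid/setgid files beneath them. The share names, mount points and the sample mount table are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread: a client-side audit for the
# condition the post describes. An smbfs/cifs mount without nosuid (or noexec)
# lets a setuid binary stored on the server run with the file owner's uid on
# the client, so this flags such mounts and counts setuid/setgid files under
# them. Share names, mount points and the mount table are constructed.

# Constructed mount table in /proc/mounts format (fields: device mountpoint
# fstype options dump pass); only the entry for /mnt/tools should be flagged.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
//fileserver/public /mnt/public smbfs rw,nosuid,nodev 0 0
//fileserver/tools /mnt/tools smbfs rw 0 0
//fileserver/home /home/shared cifs rw,noexec 0 0
proc /proc proc rw 0 0'

# Print "<mountpoint> <fstype>" for each smbfs/cifs entry whose option list
# contains neither nosuid nor noexec.  $1 = path of a /proc/mounts-style file.
unsafe_smb_mounts() {
    awk '$3 == "smbfs" || $3 == "cifs" {
            n = split($4, o, ","); safe = 0
            for (i = 1; i <= n; i++)
                if (o[i] == "nosuid" || o[i] == "noexec") safe = 1
            if (!safe) print $2, $3
        }' "$1"
}

# Count regular files carrying the setuid or setgid bit below a directory,
# staying on the same filesystem.  $1 = directory (e.g. a flagged mount point).
count_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Report every unsafe mount together with its setuid/setgid file count.
# $1 = mount table file (defaults to the live /proc/mounts).
audit_mounts() {
    unsafe_smb_mounts "${1:-/proc/mounts}" | while read -r mp fstype; do
        echo "WARNING: $fstype at $mp mounted without nosuid/noexec;" \
             "setuid/setgid files: $(count_suid_files "$mp")"
    done
}

# Stand-alone demo against the constructed table (prints one WARNING line).
demo_table=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_table"
audit_mounts "$demo_table"
rm -f "$demo_table"
```

Run it without an argument on a real host to audit the live /proc/mounts instead of the constructed table.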


