lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 9 Feb 2010 21:53:38 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Cc: Michael Wojcik <Michael.Wojcik@...rofocus.com>
Subject: Re: Samba Remote Zero-Day Exploit

Michael Wojcik wrote:

>> From: Stefan Kanthak [mailto:stefan.kanthak@...go.de]
>> Sent: Monday, 08 February, 2010 16:33
>> 
>> Michael Wojcik wrote:
>> 
>> >> From: Stefan Kanthak [mailto:stefan.kanthak@...go.de]
>> >> Sent: Saturday, 06 February, 2010 08:21
>> >>
>> >> Since Windows 2000 NTFS supports "junctions", which pretty much
>> >> resemble Unix symlinks, but only for directories.
>> >> See <http://support.microsoft.com/kb/205524/en-us>
>> >
>> > And at least since Vista, it also supports symlinks, which are
>> > designed
>> 
>> s/at least//
>> [ well-known facts snipped ]
>
> So ... your original note about junctions did not cover "well-known
              ~~~~~~~~~~~~~
> facts", but my note about other reparse point types did?

It's best practice (see http://www.ietf.org/rfc/rfc1855.txt) not to
include unreferenced parts of the message to be answered. There's no
need to repeat undisputed and undoubtly correct facts.

>> > The Windows SMB server apparently won't cross reparse points,
>though,
>> > so there's no equivalent vulnerability.
>> 
>> NO, Windows SMB server crosses reparse points!
>
> Not in my testing, at least not for junctions and symlinks.

I'm using junctions on Windows 2000/XP/2003 at least since 2002, and
of course they are traversed on shares too!

> User with
> requisite authority could traverse the junctions and symlinks locally,
> but not remotely via a share.

Test again!

>> But as Dan Kaminsky pointed out, you need to have administrative
>rights
>> to remotely create a junction on an SMB share, so the non-admin user
>> cant get himself access to files outside a share he's allowed to
>> access.
>
> Unless the reparse point already exists.

Of course, but that's not the question here.

> This particular exploit happened to involve a remote user creating a
> symlink.

Correct. But to accomplish that, the "unix extensions" need to be
enabled in the first place.

> That doesn't mean there are no other imaginable vulnerabilities
> stemming from filesystem objects that violate the notional tree
> structure of the directory hierarchy.
>
> The obvious one: someone shares a branch of the directory tree in the
> belief that clients only have access to that part of the tree, but the
> tree already contains a convenience symlink (Unix) or reparse point
> (Windows) that points elsewhere in the hierarchy. That's one reason why
> Samba has had the "wide links=no" option since, what, the mid-1990s.

I'm using Samba since 1993 and know that quite well.
You surely can find my name in some places in the docs and other files
of the distribution too.-)

Stefan

PS: would you mind to setup your Exchange Server correctly? It rebreaks
    cited lines and destroys correct the quoting.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ