lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 10 Feb 2004 14:31:42 +0100
From: Guille -bisho- <bisho@...rica.com>
To: Michal Medvecky <M.Medvecky@...cvut.cz>
Cc: bugtraq@...urityfocus.com
Subject: Re: Samba 3.x + kernel 2.6.x local root vulnerability

> You all still don't understand the problem.
> 
> I have setuid smbmnt on the client side and one remote with smb share, I own.
> 
> I create setuid binary on the share, and MOUNT THE SHARE under regular user
> with uid!=0. Then run that binary and gain root privileges.
> 
> Is it clear? This is not the issue with the remote server. It's just the
> 'tool' to misuse.

Ok. I understand now :) (And I'm able to reproduce it).

It works only on kernel 2.6.
Doing the same in a 2.4 kernel results in the share mounted with the
correct uid,gid and masks:

smbmount //machine/share /tmp/foo -o
username=test,fmask=1755,dmask=755,uid=0,gid=0,debug=0,workgroup=test

Even trying to set uid=0 and gid=0 and the fmask to 1755 the share is
mounted in a safe way, without setuids bins and set with the user uid.

The kernel 2.6 does not honour the uid/gid and mounts the share with the
original uids and permisions, whatever the masks is set at mounting.

-- 
        _     Guillermo Pérez    -=] 10/02/2004 [=-
       <·)     - bisho@ ( onirica.com | eurielec.etsit.upm.es )
       ( \>
bisho!  ""\\  ::        Software Patents will kill Open Source        ::
   ..........::                 EuropeSwPatentFree:                   ::
   ::            http://europeswpatentfree.hispalinux.es/             ::

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists