Message-ID: <1265413088.2392.31.camel@nr-pentest>
Date: Sat, 06 Feb 2010 00:38:07 +0100
From: Kingcope <kcope2@...glemail.com>
To: paul.szabo@...ney.edu.au
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Samba Remote Zero-Day Exploit

Hello Paul,

First and foremost I did not know about the configuration setting which
closes the bug when I posted the advisory. So this was my mistake.
But for most servers which are not entirely hardened (and my
assumption is that this applies to many servers in internal networks)
the traversal can be a serious issue, because a Samba user (even nobody)
can create the symlinks. It would in my point of view be more secure to
only allow administrators to create symlinks as it is intended.
Again I might be wrong with this thought.
I first audited Windows Server 2008 for the new SMB2 hardlinking
features. Symlinking on a Windows server is possible but only when the
remotely logged in account is the Administrator. Creating symlinks to
paths outside the directory of the given share is not possible. However
accessing a symlink in a directory which points to for example c:\
is possible. I don't say that because Samba should have the same
semantics as Windows, but because its implementation of handling remote
to local and local to remote symbolic links is more secure.
After failing in auditing the Windows servers on the potential
vulnerabilities I just gave Samba a try and the default configuration
of my Ubuntu Desktop System and CentOS Server allowed me to conduct the
attack out of the box. Turning off symlink support in Samba closes the
hole but then no access to symlinks created by the administrator is
possible or am I wrong?

With Respect,

Kingcope

On Saturday, 06.02.2010, 09:43 +1100,
paul.szabo@...ney.edu.au wrote:
> Dear Dan,
> 
> > The bug here is that out-of-path symlinks are remotely writable. ...
> 
> You mean "creatable".
> 
> > ... the fact that he can *generate* the symlink breaks ...
> 
> Nothing breaks if the admin sets "wide links = no" for that share: the
> link is not followed.
> 
> > But Samba supports dropping a user into a path ...
> 
> I never noticed such support documented: references please?
> 
> > ... and it really does need to keep him there.
> 
> You cannot "break out" of shares with "wide links = no".
> 
> > ... Samba is supposed to match Windows semantics in general.
> 
> No please, do not dumb it down.
> 
> Cheers, Paul
> 
> Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
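As an added example (not part of this thread or of Samba itself): a small POSIX shell/awk audit of an smb.conf that lists the shares on which the out-of-share symlink traversal discussed above would still be possible, i.e. where "follow symlinks" and "wide links" are both effectively enabled once per-share values, [global] values and built-in defaults are resolved. The sample config and the assumed defaults (follow symlinks = yes; wide links = yes, as in Samba 3.x releases before the disclosure, overridable via DEFAULT_WIDE_LINKS) are constructed for the example; "include" directives are not handled.

```shell
# Constructed sample smb.conf (not from the thread): [global] turns wide links on,
# [public] inherits it, [hardened] overrides it, [nolinks] disables symlinks entirely.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   wide links = yes
   ; follow symlinks is left at its default (yes)

[public]
   path = /srv/samba/public
   guest ok = yes

[hardened]
   path = /srv/samba/hardened
   wide links = no

[nolinks]
   path = /srv/samba/nolinks
   follow symlinks = no
'

# audit_wide_links CONFIG_TEXT: print each share (lowercased) on which symlinks
# are followed ("follow symlinks" effectively yes) AND may point outside the
# share path ("wide links" effectively yes). A per-share value overrides
# [global]; if neither sets the parameter, the built-in default applies.
# Assumed defaults: follow symlinks = yes; wide links = yes (Samba 3.x before
# the post-disclosure releases), overridable via DEFAULT_WIDE_LINKS.
audit_wide_links() {
    printf '%s\n' "$1" | awk -v dwide="${DEFAULT_WIDE_LINKS:-yes}" -v dfollow="yes" '
    function norm(v) { v = tolower(v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                       return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function eff(key, s, dflt) {            # per-share value, else [global], else default
        if ((s, key) in val) return val[s, key]
        if (("global", key) in val) return val["global", key]
        return dflt }
    /^[ \t]*[;#]/ { next }                  # comment line
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                  sec = tolower(s); if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
                  next }
    /^[ \t]*(wide[ \t]+links|follow[ \t]+symlinks)[ \t]*=/ {
        k = tolower($0); sub(/=.*$/, "", k); gsub(/[ \t]/, "", k)   # "widelinks" / "followsymlinks"
        v = $0; sub(/^[^=]*=/, "", v)
        val[sec, k] = norm(v) }
    END { for (i = 1; i <= n; i++) { sh = order[i]; if (sh == "global") continue
            if (eff("followsymlinks", sh, dfollow) == "yes" && eff("widelinks", sh, dwide) == "yes")
                print sh } }'
}

audit_wide_links "$SAMPLE_SMB_CONF"   # prints: public
```

Shares it prints are the ones where setting "wide links = no" (per share or in [global]) would close the traversal without disabling symlinks altogether.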


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
