BugTraq Post: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

Jeremy Allison jeremy at valinux.com
Fri Dec 15 08:13:39 GMT 2000

On Fri, Dec 15, 2000 at 12:54:17AM -0500, Scott Gifford wrote:
> This was posted to BugTraq earlier today; thought I'd put a copy here
> in case anybody hadn't seen it.
> I don't think that this "attack" is particularly surprising.
> Basically, he is leveraging a Samba "admin user" account into a UNIX
> root account, using a symlink (created from a shell) to get outside of
> the share.
> It seems to me like a "leveraging root to get root" attack, but I
> guess if somebody had fileserver admins that were less trusted than
> their UNIX admins, it could be an issue.

Crackers must be getting desparate if they post this kind
of stuff. If you've got an admin user account you are already
root - why bother with all this pathetic stuff - just copy a
/bin/sh onto the share, logon locally and run it from there.

Sometimes I wonder about these people. Don't they realise
there are more creative things to do than re-arranging bits
on a disk when you already have root permission :-).


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list