Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-10 Thread David Jacoby
Hi FD, This is not a zero-day vulnerability in the concept of a programmatic flaw. But if no one, or the majority of all Samba users, never knew that this option was available, or knew that this functionality was enabled by default, I think this problem should still be highlighted in the way that

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-09 Thread Michael Wojcik
From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Saturday, 06 February, 2010 08:21 Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks on the server/share, or creation

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-09 Thread Krzysztof Halasa
Thierry Zoller thie...@zoller.lu writes: Facts : - Several distributions run with vulnerable settings per default if there is a misconfiguration it is part of the vendor. - You're not supposed to be able to traverse dirs. What's wrong with creating $HOME/tmp - /tmp/$USER (not necessarily

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-09 Thread Stefan Kanthak
Michael Wojcik wrote: From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Saturday, 06 February, 2010 08:21 Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks on the

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-09 Thread Michael Wojcik
From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Monday, 08 February, 2010 16:33 Michael Wojcik wrote: From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Saturday, 06 February, 2010 08:21 Since Windows 2000 NTFS supports junctions, which pretty much resemble

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-08 Thread Stefan Kanthak
Dan Kaminsky wrote on February 06, 2010 6:43 PM: You need admin rights to create junctions. OUCH! No, creating junctions (as well as the Vista-introduced symlinks) DOESN'T need admin rights! [snip] Stefan ___ Full-Disclosure - We believe in it.

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Thierry Zoller
http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html -- http://blog.zoller.lu Thierry Zoller ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Thierry Zoller
Hi Paul, Facts : - Several distributions run with vulnerable settings per default if there is a misconfiguration it is part of the vendor. - You're not supposed to be able to traverse dirs. Consequence it is a vulnerability, whether you can mitigate it is a different piece of cake. Next time

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread paul . szabo
Dear Thierry, Of course you could disable ... but is it enabled by default? Hmm... looking at http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WRITEABLE http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#READONLY it seems that writeable is off by default: a Samba

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Stefan Kanthak
Dan Kaminsky wrote: [...] (On a side note, you're not going to see this sort of symlink stuff on Windows, What exactly do you mean? Traversing symlinks on the server/share, or creation of wide symlinks by the client on the server/share? Since Windows 2000 NTFS supports junctions, which

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Dan Kaminsky
You need admin rights to create junctions. At that point, path constraints aren't relevant, just psexec and get not only arbitrary path but arbitrary code. The fix is to do what everybody with a directory traversal bug has to do, block out-of-path relative directories. In this specific

[Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread marxclou
Dear Paul, seems like u get personally pissed about the situation or you are not able to see that this is obviously a problem. But maybe you can enlighten everybody how it is possible per default not to traverse a directory by cd but doing this via

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread marxclou
The default setting is writeable = no. If you change that, then you are responsible for reading the docs and setting secure options. This is an interesting point of view. However u haven't answered my question. Is there an option to enable a

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread paul . szabo
Dear Marx, This is an interesting point of view. I had replied to you personally only, you should not have posted my reply to any mailing lists. But since you posted... yes my views are interesting, should be studied and followed, for enlightenment :-) However u haven't answered my question.

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread paul . szabo
I find it puzzling how this discussion, including the official Samba response http://www.samba.org/samba/news/symlink_attack.html fails to consider whether the mentioned configuration (when admin sets non-default writeable = yes but leaving default wide links = yes) allows write access to the

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread marxclou
I had replied to you personally only, you should not have posted my reply to any mailing lists. But since you posted... I'm very sorry about this. This may sound odd, but it wasn't my idea of putting a private mail public. This was not an act of

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Dan Kaminsky
On Feb 6, 2010, at 5:26 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Dan Kaminsky wrote on February 06, 2010 6:43 PM: You need admin rights to create junctions. OUCH! No, creating junctions (as well as the Vista-introduced symlinks) DOESN'T need admin rights! [snip] Really?

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-05 Thread paul . szabo
Dear Kingcope, The samba server follows symlinks by default. There are options (follow symlinks, wide links) for turning it off: http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2 http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-05 Thread paul . szabo
Dear Dan, The bug here is that out-of-path symlinks are remotely writable. ... You mean creatable. ... the fact that he can *generate* the symlink breaks ... Nothing breaks if the admin sets wide links = no for that share: the link is not followed. But Samba supports dropping a user into a

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-05 Thread Dan Kaminsky
The bug here is that out-of-path symlinks are remotely writable. If a pre-existing symlink is there, it's not a problem. But Kingcope's bug is legit, the fact that he can *generate* the symlink breaks the entire path concept of SMB shares. As long as cd .. wasn't working, symlink .. mustn't

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-05 Thread Kingcope
Hello Paul, First and foremost I did not know about the configuration setting which closes the bug when I posted the advisory. So this was my mistake. But for most servers which are not entirely hardened (and my assumption is that this applies to many servers in internal networks) the

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-05 Thread paul . szabo
Dear Kingcope, Turning off symlink support in samba closes the hole but then no access to symlinks created by the administrator is possible ... Correct. Maybe what you want is for Samba to add and support an option like allow create symlink (with default no). I myself do not think it would be

[Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-04 Thread Kingcope
Hello list, this is Kingcope. You can view a demonstration of the zeroday entitled 'Samba Remote Zero-Day Exploit' with full details on youtube. The bug is a logic fuckup. http://www.youtube.com/watch?v=NN50RtZ2N74 I added some nice Greek tune so turn your speakers on (or off). Greetings to