----- Original Message -----
From: "Optyx - Uberhax0r Communications" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, 31 October 2000 0:27
Subject: Samba 2.0.7 SWAT vulnerabilities

> ******************************************************************************
> the original writeup can be found at http://www.uberhax0r.net/~miah/swat
> along with all the code mentioned in this advisory
> ******************************************************************************
>
> The program swat included in the samba distribution allows username and
> password bruteforcing. An attacker can easily generate userlists and then
> bruteforce their passwords. Comments in the source code show that somebody
> tried to prevent this from happening[1].
>
> The problem occurs when a user types in the wrong password. If swat gets a
> valid username, but incorrect password, it errors with:
>
> 2 second pause
>
> 401 Authorization Required
>
> You must be authenticated to use this service.
>
> If swat gets an invalid username / password:
>
> NO PAUSE
>
> 401 Bad Authorization
>
> username/password must be supplied
>
> The following code is written by t12. It will generate a list of valid
> usernames and then brute force passwords for those usernames. It has been
> tested on freebsd.
>
> http://www.uberhax0r.net/~miah/swat/code/flyswatter.c
>
> Obviously, if the username/password are correct you get logged in.
>
> What makes this even worse is that swat does no logging. However, if
> logging[2] is enabled a temp race exists. Swat does not check for file
> existence beforehand and it overwrites the file without regret. What
> makes this even worse is swat will log *any* input it gets into this log
> file.
>
> So for example, if we have a local shell on a system running swat but want
> root, we simply:
>
> ln -s /tmp/cgi.log /etc/passwd
>
> telnet localhost 901
> --enter the following--
> rootuser::0:0::/:/bin/bash
> --hang up the connection--
>
> We now have the following entry in our /etc/passwd file:
> [Date: Mon, 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)]
> rootuser::0:0::/:/bin/bash
>
> You could also use this shell script
> http://www.uberhax0r.net/~miah/swat/code/swat-exp.sh
> or if you want it in C
> http://www.uberhax0r.net/~miah/swat/code/swat-exp.c
> also precompiled for linux
> http://www.uberhax0r.net/~miah/swat/code/swat-exp.linux (code by optyx)
>
> You can also download a fixed cgi.c
> http://www.uberhax0r.net/~miah/swat/code/cgi.c.fixed (make your own damned
> diff) (fix by optyx)
>
> You can now su to that user. *NOTE* this will destroy the passwd file. Now
> you might be thinking "but if the /tmp/cgi.log exists, how can a user
> overwrite it with a symlink?". The answer: Why bother! The cgi.log file
> contains everything the user's web browser sent back to it including their
> login/password.
>
> The Authorization: Basic entries have username:password encoded in base64
> in them. Most of the time the swat administrator will login as root to do
> the changes to the smb.conf, so getting root is easy. You can run the
> gimme-login.sh script to get a list of logins from the cgi.log.
>
> Swat is also vulnerable to a DoS attack. Anybody can perform this. Simply
> login to swat with an improper username and password, but change the
> default url from "hostname:901" to something like
> "hostname:901?somerandomfile". Swat will error with "Authentication
> Required" (even with valid accounts) and inetd will restart it. Using
> netscape, netscape will retry to get the file and will eventually cause
> the inetd daemon to shutdown swat for 10 minutes (dependent on
> inetd configuration, this is tested on linux redhat 6.2)
>
> [1] In the cgi.c file the following entry exists:
> Line 349/367
> /*
>  * Always give the same error so a cracker
>  * cannot tell why we fail.
>  */
>
> The person that wrote this code obviously didn't check their work too well.
>
> [2] Logging is enabled by changing samba-2.0.7/source/web/cgi.c's "#define
> CGI_LOGGING 0" to "#define CGI_LOGGING 1". Some systems may have this
> by default, otherwise it's a tweak the sysadmin will most likely have to
> do.
>
> credit to miah for discovering everything and t12 and optyx for the
> code.
>
> *****************************************************************************
> Uberhax0r Communications, putting bullets in mullets since '96
>
--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrator can be reached at [EMAIL PROTECTED]
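The log-file race the advisory describes (a CGI that opens a log by name in /tmp, follows whatever symlink sits there and writes attacker-supplied bytes into the target) is the bug class the C example below guards against. It is an added illustration, not code from the advisory or from Samba's cgi.c; the function names safe_log_open and demo_symlink_rejected, and the /tmp scratch directory, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open (or create) the log without following a symlink in the final path
 * component, then confirm the fd is a plain, singly linked file we own. */
int safe_log_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;      /* on Linux errno is ELOOP when the name was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed scratch directory under /tmp: point a symlink
 * named cgi.log at a "victim" file, verify the hardened open refuses it and
 * leaves the victim intact, then verify a regular file of the same name is
 * still accepted. Returns 1 if the mitigation behaved, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/swatlogXXXXXX", victim[64], link[64];
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/cgi.log", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "orig\n", 5) != 5 || symlink(victim, link) != 0)
        return 0;
    close(vfd);
    int ok = (safe_log_open(link) == -1);          /* symlink must be refused */
    struct stat st;
    ok = ok && stat(victim, &st) == 0 && st.st_size == 5;   /* not clobbered */
    unlink(link);                        /* same name, now a real file */
    int fd = safe_log_open(link);
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```

Keeping the log outside a world-writable directory (or in a directory only the service can write) removes the race entirely; the O_NOFOLLOW plus fstat check is the belt to that braces.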
