Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: Simple Nomad <thegnome () nmrc org>
Date: Tue, 26 Jun 2001 16:46:01 -0400 (EDT)
The limit on the netbios name length must include the ../../../ as a part of the name, so you've blown 9 characters right there to get to the root dir. Otherwise you could get to /etc/crontab or something and the exploit would not require a symlink. So the file can be created remotely, but as for the symlink that requires local access. Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log which points to /etc/passwd, but that still won't work under the Openwall patch (just checked to make sure). - Simple Nomad - "No rest for the Wicca'd" - - thegnome () nmrc org - - - thegnome () razor bindview com - www.nmrc.org razor.bindview.com - On Tue, 26 Jun 2001, Pavol Luptak wrote:
On Tue, Jun 26, 2001 at 09:53:29AM +0300, Jarno Huuskonen wrote:On Mon, Jun 25, Pavol Luptak wrote:Linux kernels with openwall patch (with restricted links in /tmp) are imunne to this type of attack (following symlinks does not work, link owner does not match with file's owner).The symlink restrictions work only in /tmp (mode 1777) directories, so making the symlink in your own homedir still works (should work).Yes, the symlink does not have to be in /tmp, but you have to ensure the path to your symlink in your own homedir is enough short to fill in NetBIOS name (about 15 characters). -- _______________________________________________________________________ [wilder () hq alert sk] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678]
Current thread:
- smbd remote file creation vulnerability Michal Zalewski (Jun 24)
- Re: smbd remote file creation vulnerability maniac (Jun 25)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 25)
- Re: smbd remote file creation vulnerability Jarno Huuskonen (Jun 26)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 26)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 27)
- Re: smbd remote file creation vulnerability Olaf Kirch (Jun 28)
- Re: smbd remote file creation vulnerability Simple Nomad (Jun 28)
- Re: smbd remote file creation vulnerability Pavol Luptak (Jun 25)
- Re: smbd remote file creation vulnerability maniac (Jun 25)
- Re: smbd remote file creation vulnerability Tomek Lipski (Jun 26)
- Re: smbd remote file creation vulnerability Wichert Akkerman (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability Steve Beattie (Jun 28)
- Re: smbd remote file creation vulnerability Phil Stracchino (Jun 28)
- Re: smbd remote file creation vulnerability Joachim Blaabjerg (Jun 27)
- Re: smbd remote file creation vulnerability Michal Zalewski (Jun 28)
- Re: smbd remote file creation vulnerability sarnold (Jun 28)