Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: sarnold () wirex com
Date: Wed, 27 Jun 2001 17:12:47 -0700
On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
> > Appending to /etc/passwd has nothing to do with pam.
>
> No, not directly, but if your `su` uses PAM to authenticate users and PAM reacts to the spaces in the beginning of the passwd file, it surely has something to do with PAM. To check whether `su` uses PAM or not, try "ldd `which su`|grep libpam"

The fun thing, of course, is that it doesn't matter about the specifics of how 'su' reacts when presented with this situation. This just happened to be a very simple and provocative exploit. The attacked target doesn't have to be /etc/passwd. This exploit could be re-written trivially to use other files -- think 'cron', /root/.bash_profile, /etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more, lines under control of an attacker.

Regardless of how anyone's 'su' reacts, upgrading samba to a fixed version is very important.

Seth Arnold
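A defender-side check for the condition this thread discusses, a passwd file that has picked up lines it should not contain (leading whitespace, malformed entries, extra uid 0 accounts). This is an added example, not code from the post or from the Samba project; the function name `audit_passwd` and the sample text are constructed for illustration.

```python
"""Audit passwd-format text for lines that do not belong there."""

def audit_passwd(text):
    """Return a list of (line_number, reason) findings for passwd-format text."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            findings.append((lineno, "blank line"))
            continue
        if raw != raw.lstrip():
            # A valid entry starts in column 0 with the account name.
            findings.append((lineno, "leading whitespace"))
        fields = raw.strip().split(":")
        if len(fields) != 7:
            findings.append((lineno, "expected 7 fields, got %d" % len(fields)))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((lineno, "non-numeric uid"))
        elif int(uid) == 0 and name != "root":
            findings.append((lineno, "uid 0 on non-root account"))
        if password == "":
            findings.append((lineno, "empty password field"))
        if name in seen:
            findings.append((lineno, "duplicate account name"))
        seen.add(name)
    return findings

# Constructed sample: two ordinary entries followed by appended junk.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "\n"
    "  extra::0:0::/:/bin/sh\n"
    "some stray text without fields\n"
)

if __name__ == "__main__":
    for lineno, reason in audit_passwd(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```

The same function can be pointed at the contents of the real /etc/passwd; as the post notes, other files are equally exposed, so this check complements upgrading Samba rather than replacing it.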