Bugtraq mailing list archives
Re: smbd remote file creation vulnerability
From: Olaf Kirch <okir () caldera de>
Date: Thu, 28 Jun 2001 12:19:32 +0200
On Tue, Jun 26, 2001 at 04:46:01PM -0400, Simple Nomad wrote:
> The limit on the netbios name length must include the ../../../ as a part of the name, so you've blown 9 characters right there to get to the root dir. Otherwise you could get to /etc/crontab or something and the exploit would not require a symlink. So the file can be created remotely, but as for the symlink that requires local access.
Don't rely too much on the length limit. You may not have to go all the way to the root. For instance, several platforms I've seen have /var/tmp. Often, there are also /var/log/foobar directories owned by some special foobar user - break that account first then hop on and become root.
> Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log which points to /etc/passwd, but that still won't work under the Openwall patch (just checked to make sure).
Does that patch keep an attacker from doing the following?

    mkdir /tmp/x
    ln -s /etc/passwd /tmp/x/.log

and sending a packet with a netbios name of ../../../tmp/x/ (which is 15 chars exactly)? Or does it keep the attacker from doing this:

    ln /etc/passwd /tmp/x.log

(note the absence of -s).

Olaf
--
Olaf Kirch           |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
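A defensive counterpart to the cases raised in this message, as an added example that is not part of the original post and is not Samba's code: a log opener that rejects path components in the client-supplied name, refuses a symlink as the final component, and refuses a file that has extra hard links. The function names `name_is_safe` and `open_client_log` and the scratch directory in `main` are hypothetical.

```c
/* Added example, not Samba's code: open a per-client log file defensively. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reject any client-supplied name that could step outside the log directory. */
int name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 15) return 0;            /* 15 chars, as in the post */
    if (strchr(name, '/') || strchr(name, '\\')) return 0;
    return name[0] != '.';                     /* no ".", "..", or dotfiles */
}

/* Open "<name>.log" inside the directory dirfd; returns an fd or -1. */
int open_client_log(int dirfd, const char *name)
{
    char file[32];
    struct stat st;
    int fd;

    if (!name_is_safe(name)) { errno = EINVAL; return -1; }
    snprintf(file, sizeof file, "%s.log", name);
    /* O_NOFOLLOW: refuse (ELOOP) when the final component is a symlink. */
    fd = openat(dirfd, file, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* A hard link to an existing file shows up as st_nlink > 1. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/logdemoXXXXXX";         /* constructed scratch directory */
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0) return 1;
    printf("traversal name -> %d\n", open_client_log(dfd, "../../../tmp/x/"));
    printf("plain name     -> %d\n", open_client_log(dfd, "CLIENT1"));
    return 0;
}
```

The link-count check is made on the already opened descriptor, so it describes the file that will actually be written to rather than whatever the path names a moment later.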