Bugtraq mailing list archives
Re: Samba 3.x + kernel 2.6.x local root vulnerability
From: Guille -bisho- <bisho () onirica com>
Date: Tue, 10 Feb 2004 14:31:42 +0100
You all still don't understand the problem. I have setuid smbmnt on the client side and one remote with smb share, I own. I create setuid binary on the share, and MOUNT THE SHARE under regular user with uid!=0. Then run that binary and gain root privileges. Is it clear? This is not the issue with the remote server. It's just the 'tool' to misuse.
Ok. I understand now :) (And I'm able to reproduce it). It works only on kernel 2.6. Doing the same in a 2.4 kernel results in the share mounted with the correct uid,gid and masks: smbmount //machine/share /tmp/foo -o username=test,fmask=1755,dmask=755,uid=0,gid=0,debug=0,workgroup=test Even trying to set uid=0 and gid=0 and the fmask to 1755 the share is mounted in a safe way, without setuids bins and set with the user uid. The kernel 2.6 does not honour the uid/gid and mounts the share with the original uids and permisions, whatever the masks is set at mounting. -- _ Guillermo Pérez -=] 10/02/2004 [=- <·) - bisho@ ( onirica.com | eurielec.etsit.upm.es ) ( \> bisho! ""\\ :: Software Patents will kill Open Source :: ..........:: EuropeSwPatentFree: :: :: http://europeswpatentfree.hispalinux.es/ ::
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Samba 3.x + kernel 2.6.x local root vulnerability Michal Medvecky (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Michael Kjorling (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Seth Arnold (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Patrick J. Volkerding (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Frank Louwers (Feb 11)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Urban Widmark (Feb 12)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Darren Reed (Feb 13)
- Message not available
- Message not available
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Guille -bisho- (Feb 10)
- Message not available
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Felipe Franciosi (Feb 11)
- <Possible follow-ups>
- RE: Samba 3.x + kernel 2.6.x local root vulnerability John . Airey (Feb 11)