Samba

Bdellium · 19-04-2001 06:07AM #1

Has anyone noticed any problems in Samba
up until version 2.0.8 concerning symlinks
and temporary files.
I did notice the problem a few months ago
but couldn't find any way to exploit it.
Maybe I've overlooked the problem Marcus Meissner
from Caldera development team has found, it isn't neccessarily access violation, more corruption of devices.
A few months ago while logged into my own
smbd I had noticed that the server created
temporary files in /tmp for the command
"more" which used a predictable filename
everytime a new file was requested.I created a symlink file in /tmp with the predictable temporary file name that smbd created.The link was to /etc/shadow.I figured first that if smbd was running as root, it might be possible to grab that file if i created another symlink to the temporary file in my home directory.Although i recieved (Access Denied) when attempting to open the link, Mark has pointed out that it is exploitable, but not given any details.Has anyone else looked into this problem?

ecksor · 19-04-2001 04:12PM

I see there is a message on bugtraq concerning this today from Debian. I've not heard of a working exploit, but samba isn't something I'd be in the habit of watching out for. Are you interested in developing one?

Bdellium · 20-04-2001 06:02PM

I would consider developing one if I knew
exactly what the problem was.I went back
to my smbd again to double check with other
commands like "queue" and "mput"
Although they also create predictable filenames
in /tmp. Everything I tried didn't work, I tried
replacing and grabbing files I had no permission
to but just recieved (Access Denied).Maybe its the version I'm running.
It's 2.0.5a so maybe only certain versions after that are affected.
If anyone looks into it and finds anything out, let us know.

Samba

Comments