Re: [Full-disclosure] Samba Remote Zero-Day Exploit

Les derniers commentaires publiés sur SecuObs (1-5):

- Skype - URI Handler Input Validation - OWASP CSRFTester Test Applications for CSRF - ESRT @MarioVilas @DidierStevens - Added shellcode to Tweet to my library - ESRT @ThisIsHNN @th3j35t3r - releases 2nd video of enhanced XerXeS attack - i - plecost v0.2.2-7 Beta Update Les derniers commentaires publiés sur SecuObs (6-25) Tous les commentaires publiés sur SecuObs avant les 5 derniers

[Message Precedent sur la mailing][Message Suivant sur la mailing][Precedent dans le fil][Prochain dans le fil][Index par Date][Index par fil] Re: [Full-disclosure] Samba Remote Zero-Day Exploit

You need admin rights to create junctions. At that point, path constraints aren't relevant, just psexec and get not only arbitrary path but arbitrary code.

The fix is to do what everybody with a directory traversal bug has to do, block out of path relative directories. In this specific case, prevent the creation of symlinks where the target is out of the SMB share's range. (Still allow navigation to such symlinks if one exists, though.) On Feb 6, 2010, at 8:21 AM, "Stefan Kanthak" <stefan.kanthak@xxxxxxxx> wrote: > Dan Kaminsky wrote: > > [...] > >> (On a side note, you're not going to see this sort of symlink stuff >> on >> Windows, > > What exactly do you mean? > Traversing symlinks on the server/share, or creation of "wide" > symlinks > by the client on the server/share? > > Since Windows 2000 NTFS supports "junctions", which pretty much > resemble > Unix symlinks, but only for directories.

> See <link://[click]> > > On the server, create a junction in your share and let it point to an > arbitrary local directory outside the share, and clients connected to > that share can enter the junction and access the "linked" directory.

> > If you have write access to the share from the client you can create > a "wide" junction there too, just as the OP showed with smbclient/ > samba.

> >> and Samba is supposed to match Windows semantics in general.

> > Except a mapping of directory symlinks to junctions for example.-( > > Stefan > Full-Disclosure - We believe in it.

Charter: link://[click] Hosted and sponsored by Secunia - link://[click]

Suivi:
- Re: [Full-disclosure] Samba Remote Zero-Day Exploit

References:

Precedent par Date: Re: [Full-disclosure] Samba Remote Zero-Day Exploit
Suivant par Date: [Full-disclosure] Samba Remote Zero-Day Exploit
Precedent par fil : Re: [Full-disclosure] Samba Remote Zero-Day Exploit
Suivant par fil : Re: [Full-disclosure] Samba Remote Zero-Day Exploit
Index(s):
- Date
- Fil

Archives de la liste de diffusion Secunia
Archives de la liste de diffusion BugTraq
Archives de la liste de diffusion DailyDave
Archives de la liste de diffusion FunSec
Archives de la liste de diffusion Full Disclosure
Archives de la liste de diffusion Focus-IDS (FD)
Archives de la liste de diffusion Webappsec (FD)
Archives de la liste de diffusion Security-basics (FD)
Archives de la liste de diffusion Vulndiscuss
Archives de la liste de diffusion Vulnwatch

Les derniers commentaires publiés sur SecuObs (6-25):

- cookiemonster v1.6 - Automatic Reverse Engineering of Data Structures from Binary Execution - Samhain v2.6.3 Beltane v2.3.19 released - Social-Engineering Ninja v0.1 Beta - PHP scripts - Botan 1.9.4 - The Beginning of the End of Data Retention - A Notepad PoC for the remote CHM help file hijack MS vulnerability - What's New in Chanalyzer 34 - gnupg 2.0.15 - fwbuilder 4.0.0 - ESRT @sbrabez - w3af 10-rc2 updated on FreeBSD - ESRT @MarioVilas - gnupgpy is a Python API which wraps the GNU Privacy Guard - ESRT @mosesrenegade @JoelEsler - How to make Snort Attribute tables using Nma - ESRT @Trancer00t - Metasploit exploit module for the new MSIE 0day vuln - ESRT @ToolsWatch - FireCAT v1.6.2 updated with 4 Firebug add-ons - ESRT @komeilipour - Discoverer: Automatic Protocol Reverse Engineering from N - BeEF Key Logging - SubSeven v2.3.2010 released - OpenSCAP v0.5.7 released - Building a Linux Incident Response Forensic Disk Les cinq derniers commentaires publiés sur SecuObs Tous les commentaires publiés sur SecuObs avant les 25 derniers

SecuToolBox :

Bluetooth Stack Smasher v0.6 / Bluetooth Stack Smasher v0.8 / Slides Bluetooth Eurosec 2006 / Exposé vidéo Windows Shellcode - Kostya Kortchinsky / Exposé audio Reverse Engineering - Nicolas Brulez / Exposé vidéo Securitech - Pierre Betouin / WEP aircrack + Ubiquiti (MadWifi) 300 mW + Yagi / Secure WIFI WPA + EAP-TLS + Freeradius / Audit Windows / Captive Password Windows / USBDumper / USBDumper 2 / Hacking Hardware / WishMaster backdoor / DNS Auditing Tool / Ettercap SSL MITM / Exploit vulnérabilités Windows / Memory Dumper Kernel Hardening / Reverse Engineering / Scapy / SecUbuLIVE CD / Metasploit / eEye Blink Sec Center / eEye Retina Scanner + d'outils / + de tutoriels

Mini-Tagwall des articles publiés sur SecuObs :

sécurité, exploit, windows, microsoft, réseau, attaque, outil, vulnérabilité, audit, système, virus, internet, données, présentation, linux, metasploit, bluetooth, protocol, vista, réseaux, shell, scanner, engineering, rootkit, wishmaster, trames, conférence, source, paquet, téléphone, mobile, sysun, noyau, rapport, botnet, téléphones, mémoire, https, navigateur, intel, patch, reverse, libre, scapy, securitech + de mots clés avec l'annuaire des articles publiés sur SecuObs

Archives Failles Secunia :

- SA38868 Debian update for tdiary - SA38890 NUs Newssystem id SQL Injection Vulnerability - SA38876 Fedora update for samba - SA38912 Kandidat CMS contentcenter Cross-Site Scripting Vulnerability - SA38893 Jevci Siparis Formu Database Disclosure Security Issue + d'archives failles avec Secunia et SecuMail

Archives Mailing Full Disclosure :

- Full-disclosure Claude Mercier/CLSC-CHSLD BVLV/Reg03/SSSS est absent(e). - Full-disclosure ZDI-10-027: Skype Protocol Handler datapath Argument Injection Remote Code Execution Vulnerability - Full-disclosure ZDI-10-028: Skype URI Processing Arbitrary XML File Deletion Vulnerability - Re: Full-disclosure credit union phishing scam - Re: Full-disclosure credit union phishing scam + d'archives Full Disclosure avec SecuMail

Archives Mailing Bugtraq :

- USN-909-1 dpkg vulnerability - Skype URI Handler Input Validation - MDVSA-2010:060 squid - Vulnerabilities in Abton - Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker - SECURITY DSA 2011-1 New dpkg packages fix path traversal + d'archives Bugtraq avec SecuMail

Mini-Tagwall de l'annuaire video :

vmware, security, virus, biometric, windows, lockpicking, password, botnet, metasploit, tutorial, attack, crypt, linux, network, iphone, server, exploit, wimax, conficker, virtu, virtual, engineering, cisco, reverse, ettercap, wireshark, shmoocon, hacker, firewall, internet, knoppix, rootkit, arduino, conference, source, wireless, backtrack, openbsd, brucon, systm, overflow, openssh, buffer, access, remote + de mots clés avec l'annuaire des videos

Mini-Tagwall des articles de la revue de presse :

security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité + de mots clés avec l'annuaire de la revue de presse

Mini-Tagwall des Tweets de la revue Twitter :

security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack + de mots clés avec l'annuaire de la revue Twitter