Re: [Full-disclosure] Samba Remote Zero-Day Exploit



Michael Wojcik wrote:

From: Stefan Kanthak [mailto:stefan.kanthak@xxxxxxxx]
Sent: Monday, 08 February, 2010 16:33

Michael Wojcik wrote:

From: Stefan Kanthak [mailto:stefan.kanthak@xxxxxxxx]
Sent: Saturday, 06 February, 2010 08:21

Since Windows 2000 NTFS supports "junctions", which pretty much
resemble Unix symlinks, but only for directories.
See <http://support.microsoft.com/kb/205524/en-us>

And at least since Vista, it also supports symlinks, which are
designed

s/at least//
[ well-known facts snipped ]

So ... your original note about junctions did not cover "well-known
~~~~~~~~~~~~~
facts", but my note about other reparse point types did?

It's best practice (see http://www.ietf.org/rfc/rfc1855.txt) not to
include unreferenced parts of the message to be answered. There's no
need to repeat undisputed and undoubtedly correct facts.

The Windows SMB server apparently won't cross reparse points, though,
so there's no equivalent vulnerability.

NO, Windows SMB server crosses reparse points!

Not in my testing, at least not for junctions and symlinks.

I've been using junctions on Windows 2000/XP/2003 since at least 2002, and
of course they are traversed on shares too!

A user with requisite authority could traverse the junctions and symlinks
locally, but not remotely via a share.

Test again!

But as Dan Kaminsky pointed out, you need to have administrative rights
to remotely create a junction on an SMB share, so the non-admin user
can't get himself access to files outside a share he's allowed to
access.

Unless the reparse point already exists.

Of course, but that's not the question here.

This particular exploit happened to involve a remote user creating a
symlink.

Correct. But to accomplish that, the "unix extensions" need to be
enabled in the first place.

That doesn't mean there are no other imaginable vulnerabilities
stemming from filesystem objects that violate the notional tree
structure of the directory hierarchy.

The obvious one: someone shares a branch of the directory tree in the
belief that clients only have access to that part of the tree, but the
tree already contains a convenience symlink (Unix) or reparse point
(Windows) that points elsewhere in the hierarchy. That's one reason why
Samba has had the "wide links=no" option since, what, the mid-1990s.

I've been using Samba since 1993 and know that quite well.
You surely can find my name in some places in the docs and other files
of the distribution too.-)

Stefan

PS: would you mind setting up your Exchange Server correctly? It re-breaks
cited lines and destroys the correct quoting.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
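
The scenario the thread circles around, as an added illustration that is not part of the original exchange and not Samba's own code: a share is exported in the belief that clients can only reach that branch, but the exported tree already contains a symlink (or a client with "unix extensions" has created one) that points outside it. The small model below assumes a share-relative path supplied by the client and contrasts a server that blindly follows symlinks with the "wide links = no" behaviour, where the resolved target must still lie inside the share root. Fixture layout, file names and the function names are my own; the check is a model of the semantics, not a reproduction of Samba's implementation.

```python
"""
Added example (not from the original thread, not Samba's code): models why
"wide links = no" matters when a share already contains a symlink that
points outside the exported directory. Fixture and names are constructed.
"""
import os
import tempfile


def resolve_share_path(share_root, client_path, wide_links):
    """Map a client-supplied share-relative path to a filesystem path.

    wide_links=True mimics a server that simply follows symlinks.
    wide_links=False mimics Samba's "wide links = no": after symlink
    resolution the final target must still be inside the share root.
    Raises PermissionError when the request escapes the share.
    """
    root = os.path.realpath(share_root)
    # Strip leading separators so an absolute client path cannot bypass root.
    rel = client_path.replace("\\", "/").lstrip("/")
    candidate = os.path.normpath(os.path.join(root, rel))
    # Reject plain ".." escapes before even looking at symlinks.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError("path escapes share root: %s" % client_path)
    resolved = os.path.realpath(candidate)
    if not wide_links:
        if resolved != root and not resolved.startswith(root + os.sep):
            raise PermissionError("symlink leaves share root: %s" % client_path)
    return resolved


def build_fixture():
    """Constructed layout: <base>/share is exported, <base>/outside is not,
    and the share already holds a 'convenience' symlink into outside/."""
    base = tempfile.mkdtemp(prefix="smbdemo-")
    outside = os.path.join(base, "outside")
    share = os.path.join(base, "share")
    os.makedirs(outside)
    os.makedirs(share)
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not meant for share clients\n")
    with open(os.path.join(share, "public.txt"), "w") as f:
        f.write("fine to serve\n")
    # The link an admin left behind, or one a client with unix extensions
    # enabled could create remotely.
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(share, "link"))
    return share


def read_via_share(share, client_path, wide_links):
    """Return the file content a client would get, or None if refused."""
    try:
        target = resolve_share_path(share, client_path, wide_links)
    except PermissionError:
        return None
    with open(target) as f:
        return f.read().strip()


def demo():
    """Run the four cases that matter and return the outcomes by name."""
    share = build_fixture()
    return {
        "public_strict": read_via_share(share, "public.txt", wide_links=False),
        "link_wide": read_via_share(share, "link", wide_links=True),
        "link_strict": read_via_share(share, "link", wide_links=False),
        "dotdot_wide": read_via_share(share, "../outside/secret.txt", wide_links=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The "dotdot_wide" case is there to make a distinction the thread glosses over: the ".." escape is refused by either mode, because it never needed a symlink, while the pre-existing link is only refused once the server checks the resolved target rather than the requested name.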


