TUCoPS :: Unix :: General :: samba7.htm

Samba weak password crypt, DoS, etc.
Vulnerability
 swat
Affected
 Samba 2.0.7
Description
 'Optyx' found the following. The program swat, included in the samba
 distribution, allows username and password bruteforcing. An
 attacker can easily generate user lists and then bruteforce their
 passwords. Comments in the source code show that somebody tried
 to prevent this from happening.
 The problem is a timing difference when a user types in the wrong
 password. If swat gets a valid username but an incorrect password,
 it errors with:
 (2 second pause)
 
 401 Authorization Required
 
 You must be authenticated to use this service.
 If swat gets an invalid username / password:
 (NO PAUSE)
 
 401 Bad Authorization
 
 username/password must be supplied
 The following code is written by t12. It will generate a list of
 valid usernames and then brute force passwords for those
 usernames. It has been tested on FreeBSD:
 http://www.uberhax0r.net/~miah/swat/code/flyswatter.c
 Obviously, if the username/password are correct you get logged in.
 What makes this even worse is that swat does no logging. However,
 if logging is enabled, a race on the temporary log file exists.
 Swat does not check for file existence beforehand and overwrites
 the file without regret. What makes this even worse is that swat
 will log *any* input it gets into this log file. So, for example,
 if we have a local shell on a system running swat but want root,
 we simply:
 ln -s /tmp/cgi.log /etc/passwd
 
 telnet localhost 901
 --enter the following--
 rootuser::0:0::/:/bin/bash
 --hang up the connection--
 We now have the following entry in our /etc/passwd file:
 [Date: 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)] rootuser::0:0::/:/bin/bash
 You could also use this shell script
 http://www.uberhax0r.net/~miah/swat/code/swat-exp.sh
 or if you want it in C
 http://www.uberhax0r.net/~miah/swat/code/swat-exp.c
 also precompiled for linux
 http://www.uberhax0r.net/~miah/swat/code/swat-exp.linux
 You can also download a fixed cgi.c
 http://www.uberhax0r.net/~miah/swat/code/cgi.c.fixed
 (make your own damned diff). You can now su to that user. *NOTE*
 this will destroy the passwd file. Now you might be thinking
 "but if /tmp/cgi.log already exists, how can a user overwrite it with
 a symlink?". The answer: why bother! The cgi.log file contains
 everything the user's web browser sent to swat, including their
 login/password.
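 The cgi.log overwrite above is a follow-the-symlink bug: the log is created with a predictable name in a world-writable directory and opened without checking what is already there. The fix is to create it with O_CREAT|O_EXCL|O_NOFOLLOW and verify the result. This is an added example, not Samba's cgi.c.fixed; the directory argument and the file names it constructs are assumptions.

```c
/* Added example (not Samba's code): open a log file so that a
 * pre-placed symlink or existing file cannot be followed or
 * clobbered.  Assumes a POSIX system that defines O_NOFOLLOW. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a descriptor, or -1 with errno set.  O_EXCL refuses to
 * reuse an existing path (a symlink counts, even a dangling one),
 * O_NOFOLLOW refuses to traverse one, and fstat() confirms that what
 * we actually got is a regular file. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration on constructed paths under a caller-supplied directory.
 * Returns 0 if the pre-placed symlink is refused (and its target is
 * never created) while a fresh log file is still created normally. */
int demo(const char *dir)
{
    char link_path[512], target[512], fresh[512];
    snprintf(link_path, sizeof link_path, "%s/cgi.log", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    unlink(link_path); unlink(target); unlink(fresh);

    /* the attacker's pre-placed symlink from the advisory, simulated */
    if (symlink(target, link_path) < 0) return 1;
    int fd = open_log_safely(link_path);
    if (fd >= 0) { close(fd); return 2; }     /* must be refused */
    if (access(target, F_OK) == 0) return 3;  /* target must not appear */

    fd = open_log_safely(fresh);              /* normal case still works */
    if (fd < 0) return 4;
    close(fd);
    unlink(link_path); unlink(fresh);
    return 0;
}
```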
 The Authorization: Basic entries have username:password encoded in
 base64 in them. Most of the time the swat administrator will
 log in as root to make changes to smb.conf, so getting root
 is easy. You can run the gimme-login.sh script to get a list of
 logins from the cgi.log.
 Swat is also vulnerable to a DoS attack, which anybody can perform.
 Simply log in to swat with an improper username and password,
 but change the default URL from "hostname:901" to something like
 "hostname:901?somerandomfile". Swat will error with
 "Authentication Required" (even with valid accounts) and inetd
 will restart it. Netscape will retry fetching the file and will
 eventually cause the inetd daemon to shut swat down for 10 minutes
 (dependent on inetd configuration; this was tested on Red Hat
 Linux 6.2).
Solution
 These reported problems have been corrected in the latest version
 of our HEAD branch code and will be in the next release of Samba
 (2.2.0 - currently in alpha release stages).
