Michael Wojcik wrote:

>> From: Stefan Kanthak [mailto:[email protected]]
>> Sent: Monday, 08 February, 2010 16:33
>>
>> Michael Wojcik wrote:
>>
>> >> From: Stefan Kanthak [mailto:[email protected]]
>> >> Sent: Saturday, 06 February, 2010 08:21
>> >>
>> >> Since Windows 2000 NTFS supports "junctions", which pretty much
>> >> resemble Unix symlinks, but only for directories.
>> >> See <http://support.microsoft.com/kb/205524/en-us>
>> >
>> > And at least since Vista, it also supports symlinks, which are
>> > designed
>>
>> s/at least//
>> [ well-known facts snipped ]
>
> So ... your original note about junctions did not cover "well-known
>                                                         ~~~~~~~~~~~~~
> facts", but my note about other reparse point types did?

It's best practice (see http://www.ietf.org/rfc/rfc1855.txt) not to
include unreferenced parts of the message to be answered. There's no
need to repeat undisputed and undoubtedly correct facts.

>> > The Windows SMB server apparently won't cross reparse points,
>> > though, so there's no equivalent vulnerability.
>>
>> NO, Windows SMB server crosses reparse points!
>
> Not in my testing, at least not for junctions and symlinks.

I've been using junctions on Windows 2000/XP/2003 at least since 2002,
and of course they are traversed on shares too!

> User with requisite authority could traverse the junctions and
> symlinks locally, but not remotely via a share.

Test again!

>> But as Dan Kaminsky pointed out, you need to have administrative
>> rights to remotely create a junction on an SMB share, so the
>> non-admin user can't get himself access to files outside a share
>> he's allowed to access.
>
> Unless the reparse point already exists.

Of course, but that's not the question here.

> This particular exploit happened to involve a remote user creating a
> symlink.

Correct. But to accomplish that, the "unix extensions" need to be
enabled in the first place.

> That doesn't mean there are no other imaginable vulnerabilities
> stemming from filesystem objects that violate the notional tree
> structure of the directory hierarchy.
>
> The obvious one: someone shares a branch of the directory tree in the
> belief that clients only have access to that part of the tree, but the
> tree already contains a convenience symlink (Unix) or reparse point
> (Windows) that points elsewhere in the hierarchy. That's one reason why
> Samba has had the "wide links=no" option since, what, the mid-1990s.

I've been using Samba since 1993 and know that quite well. You surely
can find my name in some places in the docs and other files of the
distribution too. :-)

Stefan

PS: Would you mind setting up your Exchange Server correctly? It
rebreaks cited lines and destroys the correct quoting.
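The "shared branch already contains a convenience symlink" case debated above, as an added example that is not part of this thread: a small Python audit that walks a prospective share root and reports every symlink (or, on Python 3.12+ Windows, junction) whose target resolves outside that root, i.e. the links Samba's default "wide links = no" refuses to follow. The sample tree, its directory names and the file contents are constructed in a temp directory purely for illustration.

```python
import os
import tempfile
from pathlib import Path


def escaping_links(share_root):
    """Return [(link, resolved_target)] for every symlink below share_root
    whose target resolves outside share_root. These are the links a client
    could use to read beyond the shared branch if the server follows them;
    Samba's default 'wide links = no' refuses to follow exactly these."""
    root = Path(share_root).resolve()
    hits = []
    # followlinks=False (the default): linked directories are listed but not
    # descended into, so each link is examined once and loops cannot occur.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            # os.path.isjunction exists from Python 3.12 and reports NTFS
            # junctions on Windows; older versions only see true symlinks.
            is_junction = getattr(os.path, "isjunction", lambda _p: False)
            if not (p.is_symlink() or is_junction(p)):
                continue
            try:
                target = p.resolve(strict=True)
            except OSError:
                continue  # dangling link: nothing is reachable through it
            if target != root and root not in target.parents:
                hits.append((str(p), str(target)))
    return hits


def demo():
    """Build a constructed sample tree in a temp dir and audit its share root."""
    base = Path(tempfile.mkdtemp())
    share = base / "share"
    (share / "docs").mkdir(parents=True)
    private = base / "private"
    private.mkdir()
    (private / "secret.txt").write_text("constructed sample, not real data\n")
    os.symlink(share / "docs", share / "docs-alias")                  # stays inside
    os.symlink(private, share / "convenience")                        # escapes
    os.symlink(private / "secret.txt", share / "docs" / "leak.txt")   # escapes
    return sorted(escaping_links(share))


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

Run it against the real share root (instead of the constructed tree) before exporting a branch; an empty result means no link under the root leaves it.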
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
