Vulnerability

    swat

Affected

    Samba 2.0.7

Description

    'Optyx' found following.  The  program swat included in the  samba
    distribution  allows  username  and  password  bruteforcing.    An
    attacker can easily generate  userlists and then bruteforce  their
    passwords.  Comments in the  source code show that somebody  tried
    to prevent this from happening.

    The problem occurs when  a user types in  the wrong password.   If
    swat gets a valid username, but incorrect password it errors with:

        2second pause
        
        401 Authorization Required
        
        You must be authenticated to use this service.

    If swat gets a invalid username / password:

        NO PAUSE
        
        401 Bad Authorization
        
        username/password must be supplied

    The following code is written by t12.  It will generate a list  of
    valid  usernames  and  then   brute  force  passwords  for   those
    usernames.  It has been tested on FreeBSD:

        http://www.uberhax0r.net/~miah/swat/code/flyswatter.c

    Obviously, if the username/password are correct you get logged in.

    What makes this even worse is that swat does no logging.  However;
    if logging is enabled a temp race exists.  Swat does not check for
    file  existence  before  hand  and  it overwrites the file without
    regret.  What makes this even  worse is swat will log *any*  input
    it gets into this  log file.  So  for example we have  local shell
    on a system running swat but want root we simply:

        ln -s /tmp/cgi.log /etc/passwd
        
        telnet localhost 901
        --enter the following--
        rootuser::0:0::/:/bin/bash
        --hang up the connection--

    We now have the following entry in our /etc/passwd file:

        [Date: Mon, 23 Oct 2000 16:03:13 GMT localhost.localdomain (127.0.0.1)] rootuser::0:0::/:/bin/bash

    You could also use this shell script

        http://www.uberhax0r.net/~miah/swat/code/swat-exp.sh

    or if you want it in C

        http://www.uberhax0r.net/~miah/swat/code/swat-exp.c

    also precompiled for linux

        http://www.uberhax0r.net/~miah/swat/code/swat-exp.linux

    You can also download a fixed cgi.c

        http://www.uberhax0r.net/~miah/swat/code/cgi.c.fixed

    (make your own damned diff).  You can now su to that user.  *NOTE*
    this will  destroy the  passwd file.   Now you  might be  thinking
    "but if the /tmp/cgi.log exists, how can a user overwrite it  with
    a symlink?".  The answer:  Why bother!  The cgi.log  file contains
    everything the users  webbrowser sent back  to it including  their
    login/password.

    The Authorization: Basic entries have username:password encoded in
    base64 in  them.   Most of  the time  the swat  administrator will
    login as root to do the  changes to the smb.conf, so getting  root
    is easy.  You can run  the gimme-login.sh script to get a  list of
    logins from the cgi.log.

    Swat is  also vulnerable  to a  DoS attack.   Anybody can  perform
    this.  Simply login to swat with a improper username and password,
    but change the  default url from  "hostname:901" to somthing  like
    "hostname:901?somerandomfile".       Swat    will    error    with
    "Authentication  Required"(even  with  valid  accounts)  and inetd
    will restart it.  Using  netscape, netscape will retry to  get the
    file and will eventually cause  the inetd daemon to shutdown  swat
    for 10 minutes (dependent  on inetd configuration, this  is tested
    on linux redhat 6.2).

Solution

    These reported problems have been corrected in the latest  version
    of our HEAD branch code and  will be in the next release  of Samba
    (2.2.0 - currently in alpha release stages).