Unfiltered Network Share Names Allow Arbitrary Command Execution & Arbitrary File Write #3
There is a vulnerability in SMBList.pl which allows an attacker (e.g. a server administrator who controls share names) to execute arbitrary commands on the system on which the script is executed.
Attack path 1:
1. Create a share whose name contains a ' character in order to break out of the single-quoted string on SMBList.pl line 121:
my $smbclient_cmd = `timeout $inputMaxExec smbclient -N -A '$tempAuthFile' '$share' -c 'recurse;dir' 2>&1 > temporary_running_file.txt`;
Run SMBHunt.pl and something like the following will be returned:
\\172.11.132.1\Data' -c 'exit';touch /tmp/oops;echo 'oops
Run SMBList.pl; the file /tmp/oops is now created. The touch command can of course be replaced with any other command.
Fix: shell-escape $share before interpolating it, such as via:
$share =~ s/'/'\\''/g;   # the replacement side of s/// is parsed like a double-quoted string, so the backslash must be doubled for the shell to receive '\''
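The following is an added example, not code from SMBHunt or from the report above. It takes the share name shown in the report, builds the same command string as line 121 (without running it) so the breakout is visible, then shows the single-quote escaping applied correctly, and finally the preferred fix: passing the arguments as a list so no shell is involved at all. The timeout value and auth file path are assumptions for the demo.

```perl
#!/usr/bin/env perl
# Added example (not SMBHunt's own code): how an attacker-controlled share
# name reaches /bin/sh, and two ways to stop it.  Nothing here executes
# smbclient; the subs only build command strings / argument lists.
use strict;
use warnings;

# Constructed share name, taken from the SMBHunt output quoted in the report.
# q{} keeps backslashes literal except \\ -> \, so the UNC prefix needs four.
my $share     = q{\\\\172.11.132.1\Data' -c 'exit';touch /tmp/oops;echo 'oops};
my $auth_file = '/tmp/auth.txt';   # hypothetical path to the credentials file
my $max_exec  = 60;                # hypothetical timeout in seconds

# 1. What line 121 hands to the shell.  The quote inside $share terminates the
#    single-quoted argument early; everything after it is parsed as further
#    shell syntax (a new -c option, a ';', and two more commands).
sub unsafe_command {
    my ($s) = @_;
    return "timeout $max_exec smbclient -N -A '$auth_file' '$s' -c 'recurse;dir' 2>&1 > temporary_running_file.txt";
}

# 2. If the command must stay a shell string (e.g. to keep the redirections),
#    turn every ' in the value into '\'' : close the quote, emit a literal
#    escaped quote, reopen the quote.  Note the doubled backslash: the
#    replacement side of s/// is parsed like a double-quoted string, so a
#    single \ would be consumed by Perl and never reach the shell.
sub sh_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

sub quoted_command {
    my ($s) = @_;
    return "timeout $max_exec smbclient -N -A " . sh_quote($auth_file)
         . ' ' . sh_quote($s)
         . " -c 'recurse;dir' 2>&1 > temporary_running_file.txt";
}

# 3. Preferred: never go through the shell.  List-form system()/open() passes
#    each element straight to execve(), so a quote in $share is just a byte in
#    one argv element.  The shell redirections are gone; read the output from
#    a pipe open instead (shown below, not executed here).
sub argv_for {
    my ($s) = @_;
    return ('timeout', $max_exec, 'smbclient', '-N', '-A', $auth_file,
            $s, '-c', 'recurse;dir');
}

print "unsafe: ", unsafe_command($share), "\n";
print "quoted: ", quoted_command($share), "\n";
print "argv:   ", join(' | ', argv_for($share)), "\n";

# To run it without a shell:
#   open(my $out, '-|', argv_for($share)) or die "smbclient: $!";
# stderr is not merged into $out this way; use IPC::Open3 if the original
# 2>&1 behaviour is needed.
```

The list-form call is the fix to prefer: quoting only has to be right once, and it still does not protect against a share name that begins with `-` being read as an option by smbclient, whereas with an argv list that is smbclient's problem to parse rather than the shell's.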
Attack path 2:
After indexing a fileshare, the name of the fileshare is used within Perl's open() function. This may lead to an issue if
Fix: replace / with - in the share name.
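The following is an added example, not code from SMBHunt or from the report above, illustrating the open() concern in general terms: two-argument open() parses mode characters out of the string it is given, so a name containing a pipe runs a command, while three-argument open() fixes the mode in code. It also shows the report's fix (replacing / with -) applied to a share-derived output file name; the extra character whitelist, the output directory and the sample names are assumptions for the demo, not the project's own naming scheme.

```perl
#!/usr/bin/env perl
# Added example (not SMBHunt's own code): what two-argument open() does with
# an unexpected name, and a hardened path builder for share-derived file
# names.  Share names and directories here are constructed for the demo.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed share name: a trailing pipe makes 2-arg open() treat the whole
# string as a command whose stdout should be read.
my $evil_share = q{echo INJECTED |};

# Vulnerable pattern: mode and name come from the same attacker-influenced string.
sub two_arg_open {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : '';
}

# Hardened: the mode is fixed by the code, the data can only ever be a path.
sub three_arg_open {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : '';
}

# Output file derived from a share name: apply the report's fix (/ -> -) and,
# as an additional assumption, collapse the result to a single safe path
# component so it cannot escape the output directory or look like an option.
sub safe_output_path {
    my ($share, $dir) = @_;
    my $name = $share;
    $name =~ s{[/\\]}{-}g;        # the fix from the report, applied to \ as well
    $name =~ s/[^\w.\-]/_/g;      # assumption: whitelist of file name characters
    $name =~ s/^[.\-]+//;         # no leading "." (hidden, "..") or "-" (option-like)
    $name = 'share' if $name eq '';
    return File::Spec->catfile($dir, "$name.txt");
}

my $dir = tempdir(CLEANUP => 1);
print "2-arg open: ", two_arg_open($evil_share);          # the pipe is honoured
print "3-arg open: ", three_arg_open($evil_share), "\n";  # treated as a file name only
for my $s ($evil_share, q{\\\\172.11.132.1\Data}, q{../../etc/cron.d/x}) {
    print "output path for [$s] -> ", safe_output_path($s, $dir), "\n";
}
```

Replacing / alone stops a share name from creating directories or traversing out of the output directory; it does not stop two-argument open() from interpreting a leading or trailing pipe, which is why the mode should always be given as a separate argument.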