First crack at Samba CVE-2017-7494 #8450
Conversation
Coincidentally, I think this resolves #7723. Double win.

Nice, thanks for fixing the .so templates!

Synology DS412+ w/ INTEL Atom D2700 on DSM 6.1.1-15101 Update 2 (update 3 is current, will test that in a minute)

Scarily consistent output at my end too:

👍 The module leaves the

Same result after going fully up to date on mine (update 3). Samba version 4.4.9 for the record.

No dice on armle-based WD

I have some more armle devices I can test later and actually debug it without going through an act of congress. Probably won't get around to that until tomorrow evening at best.

Works right out of the box (no configuration) on Samba 4.1.13 on Ubuntu 15.04 (my exploit dev VM).
I did switch to Meterpreter (Mettle), though. :-)

Just updated!

Tested template on an Ubuntu 17.04 chroot on an ARMv7 chromebook, similar results to above. Looks like an .so ABI mismatch:
ii samba 2:4.4.5+dfsg-2ubuntu5.5 armhf SMB/CIFS file, print, and login server for Unix
I suspect we need to use EABI for the arm template, which is a lot more common these days than the original OABI spec. Might be nice if Metasploit accounted for things like ABI specs, but for now we probably need to just go with the most-common denominator.

I guess we can consider 'armle' in Metasploit equivalent to 'armel' and should be either EABI or OABI (still reading on differences). We could perhaps add an ARCH_ARMHF architecture as well for ARMv7+ EABI support.
Could we add a method to check vulnerable versions?
Bug Flow

@nixawk I don't see why not. Could also verify OS. Here's some spaghetti code:

```ruby
def check
  res = smb_fingerprint
  os = res['os']
  vprint_status("Operating System: #{os}")
  if os =~ /Windows/i
    vprint_status('Target operating system not supported')
    return CheckCode::Safe
  end

  # native_lm may be absent; .to_s keeps scan from raising on nil
  smb_version = res['native_lm'].to_s.scan(/Samba ([\d\.]+)/).flatten.first
  vprint_status("Samba version: #{smb_version}")

  # 3.x and 4.x branches affected
  if smb_version !~ /^[34]\./
    return CheckCode::Safe
  end

  # 3.x branch - versions prior to 3.5.0 are safe
  if smb_version =~ /^3\.[0-4]\./
    return CheckCode::Safe
  end

  # 4.x branch - patched in 4.4.14 / 4.5.10 / 4.6.4
  # (4.0.x - 4.3.x are matched whole with \d+; matching only the "4.N."
  # prefix would never reach the $ anchor and would report them Safe)
  if smb_version =~ /^4\./
    if smb_version !~ /^4\.([0-3]\.\d+|4\.[0-9]|4\.1[0-3]|5\.[0-9]|6\.[0-3])$/
      return CheckCode::Safe
    end
  end

  connect
  smb_login
  find_writeable_share_path
  disconnect

  if @share.to_s.eql?('')
    vprint_status('Could not find a writeable share')
    return CheckCode::Detected
  else
    vprint_status("Found writeable share: #{@share}")
    return CheckCode::Appears
  end
end
```
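A standalone version-range check, added here as an example and not code from this PR or from Metasploit: it parses the Samba version out of the native LAN Manager banner and compares it numerically against the ranges named in the check above (3.5.0 up to 4.4.14, 4.5.x before 4.5.10, 4.6.x before 4.6.4), so a vendor-suffixed banner such as the constructed 'Samba 4.5.6-Debian' still classifies. The banner strings and helper names are assumptions for illustration.

```ruby
# Added example (not the PR's or Metasploit's own code): classify a Samba
# server as affected by CVE-2017-7494 from the version string it reports.
# Affected ranges per the thread: 3.5.0 <= v < 4.4.14, 4.5.x < 4.5.10,
# 4.6.x < 4.6.4. Anything else (older 3.x, patched releases, no banner)
# is reported as :safe or :unknown rather than guessed.

# Pull "X.Y.Z" out of a banner such as "Samba 4.4.9" or "Samba 4.5.6-Debian"
# (vendor suffixes are ignored). Returns nil when no Samba version is present.
def samba_version(native_lm)
  m = native_lm.to_s.match(/Samba (\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# Three-part version arrays compare lexicographically with Array#<=>.
def in_range?(ver, lo, hi)
  (ver <=> lo) >= 0 && (ver <=> hi) < 0
end

# :vulnerable, :safe, or :unknown (no parseable Samba version in the banner).
def cve_2017_7494_status(native_lm)
  ver = samba_version(native_lm)
  return :unknown unless ver
  fixed = {
    [3, 5, 0] => [4, 4, 14],  # 3.5.0 up to the 4.4.14 fix
    [4, 5, 0] => [4, 5, 10],  # 4.5 branch fixed in 4.5.10
    [4, 6, 0] => [4, 6, 4],   # 4.6 branch fixed in 4.6.4
  }
  fixed.any? { |lo, hi| in_range?(ver, lo, hi) } ? :vulnerable : :safe
end

# Constructed sample banners, as a fingerprint would hand them back.
SAMPLE_BANNERS = {
  'Samba 4.4.9'            => :vulnerable,  # the Synology build in the thread
  'Samba 4.1.13-Ubuntu'    => :vulnerable,
  'Samba 4.5.6-Debian'     => :vulnerable,
  'Samba 3.0.37'           => :safe,
  'Samba 4.4.14'           => :safe,
  'Samba 4.6.4'            => :safe,
  'Windows Server 2012 R2' => :unknown,
}

if __FILE__ == $0
  SAMPLE_BANNERS.each_key { |b| puts "#{b}: #{cve_2017_7494_status(b)}" }
end
```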
+1 for not working with ARM. Tested with QNAP NAS.

Works right 👍 👍

phdrsize equ $ - phdr | ||
dd 2 ; p_type = PT_DYNAMIC | ||
dd 7 ; p_flags = rwx |
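Review bot: in a 32-bit Elf32_Phdr the field order is p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align, so the `dd 7 ; p_flags = rwx` placed directly after `dd 2 ; p_type = PT_DYNAMIC` is actually written into p_offset; move it to after p_memsz, as the PT_LOAD header in this template does. Only the 64-bit Elf64_Phdr puts p_flags second, so the x86_64 template's layout cannot be copied into the 32-bit one.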
p_flags needs to move to after p_memsz (like in the PT_LOAD section)
Have you tested with this change?
I'm struggling to get a decent test environment set up. I can test with LD_PRELOAD on Android and Linux debian-armel 3.2.0-4-versatile #1 Debian 3.2.51-1 armv5tejl GNU/Linux. Neither are working for me (even after this change).

For CentOS 6.5 it's not successful.

OS X uses SMBX, which supposedly happened to avoid smb3 (GPLv3). Worth a test though.
Thanks folks! Sounds like we need to:
Additionally, Mr. Tavis Ormandy suggested a nice way to exploit this without knowing the path using two connections and /proc/self/cwd, which I will try to implement in the near future (this PR if it's languishing or the next one). I would love some help for ARMLE, MIPS, and OS X (for .so templates).

@hiw0rld do you have a stack trace? I don't see

Dear spectators - a pull request is a work-in-progress. If you do not know how to debug problems, pull code into your branch, or expect some rough edges, then please abstain from commenting until this pull request has been merged. Otherwise it becomes noise that simply slows down progress. Thanks!
FYI, if you implement vulnerability checking please keep in mind that at least some versions of Samba include For example, on Kali with Samba 4.5.6 installed:
Looks like this was changed from

Ran it against Synology Disk Station DS212j and got

Synology NAS DS1815+ vulnerable as well!
I'm getting the following error when running the exploit against:
With Samba version:
Exploit dies after getting a RST in response to Tree Disconnect after uploading the test .txt file. My smb.conf lines for the shares are as follows:

Thanks to @hdm for inadvertently fixing my msfvenom bug too!

@hdm how close would you say this is to done? Would it be reasonable to land this in its current state and continue dev in a new PR?

I'm ready to ship this. It works quite well.

@egypt This should be good to go for now. I added the BruteforcePID advanced option for folks who want to test, but it's disabled by default. The code now also autodeletes the payload from the share.

Should we disable the ARM target or forcibly set 'SHELL' on the payload option?

@QasimChadhar That happens when Guest is 'disabled'.

@reznok Double check to make sure the patch wasn't automatically installed.

The PR for the docs is ready to land before this is landed. It's good enough for the time being.
docs for is_known_pipename
@bcoles I don't use any stack trace; you mean client or Samba server?

Maybe time to lock this PR for future comments?

Agreed. This is not a support forum, folks. Take it to IRC or the Rapid7 Community site. File a ticket if it's a bug.

Release Notes
The exploits/linux/samba/is_known_pipename module has been added to the framework. This module exploits Samba from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4 by loading a malicious shared library. The exploit requires valid credentials, a writeable folder in an accessible share, and the server-side path of the writeable folder. However, in some cases anonymous access with common filesystem locations can be used to automate exploitation.

^ no longer true with the current PR.

May need to update the docs and info section (or just the docs). I have a note to review and update the MD tomorrow to update
This PR contains a module for the Samba arbitrary module loading vulnerability. It also includes support for x86 and ARMLE elf-so template formats. This has been extensively tested against an up to date Synology NAS and an Ubuntu 16.04 LTS x86_64 image. It needs testing against Linux ARMLE and Linux x86.
The default target is currently set to 2 (x86_64). Make sure to change this when testing other platforms.
Synology:
Ubuntu 16.04:
The stuff left on my TODO for this (via additional PR if needed):
It would be really neat if this could just cycle all possible architectures once it figured out a writeable path. If the module has trouble finding a writable path, you can specify it manually via SMB_SHARE_NAME, SMB_FOLDER, and SMB_SHARE_BASE.