Script smb-vuln-cve-2017-7494

Script types: hostrule
Categories: vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/smb-vuln-cve-2017-7494.nse

Script Summary

Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494.

Unpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

The script does not scan the version numbers by default as the patches released for the mainstream Linux distributions do not change the version numbers.

The script checks the preconditions for the exploit to happen:

1) If the argument check-version is applied, the script will ONLY check services running potentially vulnerable versions of Samba, and run the exploit against those services. This is useful if you wish to scan a group of hosts quickly for the vulnerability based on the version number. However, because of their version number, some patched versions may still show up as likely vulnerable. Here, we use smb.get_os(host) to obtain the Samba version string and compare it against the known vulnerable versions of Samba. Note that this check is not conclusive: see 2), 3) and 4).

2) Whether writable shares exist on the target. We must be able to write a file to a share for the exploit to take place, so we enumerate the shares using smb.share_find_writable(host), which returns the main_name, main_path and a list of writable shares.

3) Whether the workaround (disabling of named pipes) was applied. When "nt pipe support = no" is configured on the host, the service would not be exploitable. Hence, we check whether this is configured on the host using smb.share_get_details(host, 'IPC$'). The error returned would be "NT_STATUS_ACCESS_DENIED" if the workaround is applied.

4) Whether we can invoke the payloads from the shares. Using payloads from Metasploit, we upload the library files to the writable share obtained from 2). We then make a named pipe request using NT_CREATE_ANDX_REQUEST to the actual local filepath and if the payload executes, the status return will be false. Note that only Linux_x86 and Linux_x64 payloads are tested in this script.

This script is based on the Metasploit module written by hdm.
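As an added example (not code from the Nmap script itself), the version triage from 1) and the workaround check from 3) in Python: it classifies a Samba version banner against the ranges quoted above, marks distribution builds such as 4.3.9-Ubuntu as inconclusive because their backported patches keep the version number, and reads the nt pipe support setting from smb.conf text. The function names and the smb.conf fragment are constructed for this example.

```python
import re

# Ranges from the script summary: unpatched 3.5.0 through 4.4.13, plus anything
# below 4.5.10 on the 4.5 branch or below 4.6.4 on the 4.6 branch.
VULN_RANGE_START, VULN_RANGE_END = (3, 5, 0), (4, 4, 13)
BRANCH_FIXES = {(4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?P<suffix>.*)$")

def parse_samba_version(banner):
    """Split a banner such as '4.3.9-Ubuntu' into ((4, 3, 9), '-Ubuntu')."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version string: {banner!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3)), m.group("suffix")

def version_looks_vulnerable(banner):
    """Version-only triage like check-version: returns (flagged, reason)."""
    ver, suffix = parse_samba_version(banner)
    if ver[:2] in BRANCH_FIXES:
        flagged = ver < BRANCH_FIXES[ver[:2]]
    else:
        flagged = VULN_RANGE_START <= ver <= VULN_RANGE_END
    if not flagged:
        return False, f"{banner}: outside the affected ranges"
    if suffix:
        # Distro builds backport the fix without changing the version number,
        # so a version match alone cannot tell whether the host is patched.
        return True, f"{banner}: affected range, but suffix {suffix!r} makes this inconclusive"
    return True, f"{banner}: in affected range"

def nt_pipe_support_disabled(smb_conf):
    """True if [global] in the smb.conf text sets 'nt pipe support = no' (the workaround)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "nt pipe support":
                return value.strip().lower() in ("no", "false", "0")
    return False

# Constructed smb.conf fragment for a host with the workaround applied.
SAMPLE_SMB_CONF = "[global]\n  workgroup = WORKGROUP\n  nt pipe support = no\n[test]\n  path = /srv/test\n  writable = yes\n"
```

A version flagged here still needs the share and named-pipe checks from 2) and 3) before it is reported, exactly as the script does.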

References:

Script Arguments

smb-vuln-cve-2017-7494.check-version

Check only the version numbers of the target's Samba service. Default: false

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap --script smb-vuln-cve-2017-7494 -p 445 <target>
  • nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <target>

Script Output

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:16:04:53 (VMware)

| smb-vuln-cve-2017-7494:
|   VULNERABLE:
|   SAMBA Remote Code Execution from Writable Share
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-7494
|     Risk factor: HIGH  CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
|       All versions of Samba from 3.5.0 onwards are vulnerable to a remote
|       code execution vulnerability, allowing a malicious client to upload a
|       shared library to a writable share, and then cause the server to load
|       and execute it.
|
|     Disclosure date: 2017-05-24
|     Check results:
|       Samba Version: 4.3.9-Ubuntu
|       Writable share found.
|        Name: \\192.168.15.131\test
|       Exploitation of CVE-2017-7494 succeeded!
|     Extra information:
|       All writable shares:
|        Name: \\192.168.15.131\test
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
|_      https://www.samba.org/samba/security/CVE-2017-7494.html

Requires


Author:

  • Wong Wai Tuck

License: Same as Nmap--See https://nmap.org/book/man-legal.html