Samba - Remote code execution from a writable share

Published: 2017.07.25
Credit: Informacion - Anonymous
Risk: High
CWE: N/A
CVE: CVE-2017-7494
Local: No
Remote: Yes
Dork: inurl:”smb.conf” intext:”workgroup” filetype:conf conf

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Creditos: Informacion - Anonymous
Fecha: 25/07/2017
Sitio de prueba SMB:
-- https://rlworkman.net/conf/misc/smb.conf

-Poff:
-- [global]

# NOTE(review): these are the [global] settings of the sample smb.conf quoted
# by this advisory (Samba smb.conf dialect: full-line "#" and ";" comments).
# Nothing in this section addresses CVE-2017-7494. The fix is to run a Samba
# release that contains the patch for that CVE; until then, the workaround
# documented by the Samba project is to add
#     nt pipe support = no
# to [global] and restart smbd, which can disable some functionality expected
# by Windows clients.
# NOTE(review): a publicly readable smb.conf discloses the host name, internal
# addressing, share paths and account names seen below; keep it out of any
# web-served directory.

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = rlwhome

# server string is the equivalent of the NT Description field
server string = UNIX
netbios name = isotope

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
security = user

# Username map. Location of the file that defines server/client
# username mapping. This section created by RW
username map = /etc/samba/users.map

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# value below restricts access to one class C network (192.168.13.)
# and the "loopback" interface (127.). For more examples of the syntax
# see the smb.conf man page
# NOTE(review): this limits which clients can connect at all; it does not
# replace patching, since any allowed client with write access to a share
# is still in scope for CVE-2017-7494.
hosts allow = 192.168.13. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = nobody

# this tells Samba to use a separate log file for each machine
# that connects (%m is replaced by the client's NetBIOS name)
log file = /var/log/samba.%m

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.13.11

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = yes

#============================ Share Definitions ==============================

# NOTE(review): the only share in this file with write access enabled, i.e. the
# kind of share the advisory title refers to. Per the lines below it is not
# open to guests (public = no) and is limited to two named accounts
# (valid users), so as configured here writing to it requires valid
# credentials for one of those accounts.
[otherfiles]
path = /otherfiles
browseable = yes
# "public" is a synonym for "guest ok": guest connections are refused
public = no
# write access is what makes a share relevant to CVE-2017-7494
writable = yes
printable = no
# new files: read/write for owner and group only; new directories: rwx for
# owner and group only
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
# NOTE(review): per the smb.conf man page, inherit permissions takes
# precedence over the four mask/mode settings above - confirm the intent
inherit permissions = yes
# only these two accounts may connect to the share
valid users = marla rworkman
# file operations on this share are performed with this group
force group = otherfiles

# Read-only share: no write access, no guest access, restricted to the
# account "nobody".
# NOTE(review): the path is a subdirectory of the [otherfiles] share path, so
# the same files remain writable through [otherfiles] for that share's
# valid users.
[media]
path = /otherfiles/multimedia
browseable = yes
# "public" is a synonym for "guest ok": guest connections are refused
public = no
writable = no
printable = no
valid users = nobody

References:

https://www.facebook.com/Informacion-Anonymous-611394289006994/




Copyright 2017, cxsecurity.com