Samba - Remote code execution from a writable share

2017.07.25
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Credits: Informacion - Anonymous
Date: 25/07/2017
SMB test site:
-- https://rlworkman.net/conf/misc/smb.conf
-Poff:
--

    [global]

    # workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
       workgroup = rlwhome

    # server string is the equivalent of the NT Description field
       server string = UNIX
       netbios name = isotope

    # Security mode. Defines in which mode Samba will operate. Possible
    # values are share, user, server, domain and ads. Most people will want
    # user level security. See the HOWTO Collection for details.
       security = user

    # Username map. Location of the file that defines server/client
    # username mapping. This section created by RW
       username map = /etc/samba/users.map

    # This option is important for security. It allows you to restrict
    # connections to machines which are on your local network. The
    # following example restricts access to two C class networks and
    # the "loopback" interface. For more examples of the syntax see
    # the smb.conf man page
       hosts allow = 192.168.13. 127.

    # If you want to automatically load your printer list rather
    # than setting them up individually then you'll need this
       load printers = yes

    # Uncomment this if you want a guest account, you must add this to /etc/passwd
    # otherwise the user "nobody" is used
    ;  guest account = nobody

    # this tells Samba to use a separate log file for each machine
    # that connects
       log file = /var/log/samba.%m

    # Put a capping on the size of the log files (in Kb).
       max log size = 50

    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.
    ;   passdb backend = tdbsam

    # Most people will find that this option gives better performance.
    # See the chapter 'Samba performance issues' in the Samba HOWTO Collection
    # and the manual pages for details.
    # You may want to add the following on a Linux system:
    #         SO_RCVBUF=8192 SO_SNDBUF=8192
       socket options = TCP_NODELAY

    # Configure Samba to use multiple interfaces
    # If you have multiple network interfaces then you must list them
    # here. See the man page for details.
       interfaces = 192.168.13.11

    # Browser Control Options:
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
       local master = yes

    # OS Level determines the precedence of this server in master browser
    # elections. The default value should be reasonable
    ;   os level = 33

    # Domain Master specifies Samba to be the Domain Master Browser. This
    # allows Samba to collate browse lists between subnets. Don't use this
    # if you already have a Windows NT domain controller doing this job
    ;   domain master = yes

    # Preferred Master causes Samba to force a local browser election on startup
    # and gives it a slightly higher chance of winning the election
       preferred master = yes

    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The default is NO.
       dns proxy = yes

    #============================ Share Definitions ==============================

    [otherfiles]
       path = /otherfiles
       browseable = yes
       public = no
       writable = yes
       printable = no
       create mask = 0660
       directory mask = 0770
       force create mode = 0660
       force directory mode = 0770
       inherit permissions = yes
       valid users = marla rworkman
       force group = otherfiles

    [media]
       path = /otherfiles/multimedia
       browseable = yes
       public = no
       writable = no
       printable = no
       valid users = nobody
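
Because the issue depends on a writable share, a useful defensive check on a configuration like the one above is to list which shares accept writes and who can reach them. The Python sketch below is an added example, not part of the original advisory or of Samba; the function names are hypothetical and the sample input is an excerpt of the smb.conf quoted on this page.

```python
# Added example (not from the advisory). SAMPLE_CONF is excerpted from the smb.conf above.
SAMPLE_CONF = """\
[global]
   hosts allow = 192.168.13. 127.
[otherfiles]
   path = /otherfiles
   public = no
   writable = yes
   valid users = marla rworkman
[media]
   writable = no
   valid users = nobody
"""
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces collapsed."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_writable(params):
    """Shares are read-only by default; 'read only' is the inverse of 'writable'."""
    writable = False
    for key, value in params.items():
        if key in ("writable", "writeable", "write ok"):
            writable = value.lower() in TRUE
        elif key == "read only":
            writable = value.lower() not in TRUE
    return writable

def audit(text):
    """Return one finding per writable share, using [global] values as defaults."""
    conf, findings = parse_smb_conf(text), []
    for name, share in conf.items():
        eff = {**conf.get("global", {}), **share}
        if name != "global" and is_writable(eff):
            findings.append({"share": name, "path": eff.get("path"),
                "guest": any(eff.get(k, "no").lower() in TRUE for k in ("guest ok", "public")),
                "valid_users": eff.get("valid users", "").split(),
                "hosts_allow": eff.get("hosts allow", "").replace(",", " ").split()})
    return findings
```

For the configuration on this page, `audit(SAMPLE_CONF)` reports only `otherfiles`: writable, no guest access, limited to `marla` and `rworkman` from the hosts matched by `hosts allow`.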

References:

https://www.facebook.com/Informacion-Anonymous-611394289006994/



Copyright 2017, cxsecurity.com