SAMBAry save us!!

Remember Linux users laughing at Windows users because of the now all too famous WannaCry? Karma.

According to Samba, “All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” This might not appear serious, but a quick look at our beloved Shodan shows roughly half a million companies with publicly exposed Samba shares. That is not to say all of them are exploitable, but narrowing down just by the advertised versions, more than half are!!!

[Image: Shodan search results for exposed Samba hosts]

Exploitation:

Various exploits have been released. I explored the exploit by HD Moore and it works pretty well. At the time of writing it had not been ported to Metasploit, so port it manually as shown below and fire up msf.

[Image: exploit msf]

[Image: msf exploit]

We would all appreciate a check module in the msf exploit. Since there is none, I decided to do a manual grep, which is tedious if you have a large estate to check, but better safe than sorry.

How to check:

Download either of these files, which list public IPs worldwide with ports 139 and 445 open as at May 24th, and search them for your IPs of interest :-) I am sure programmers have an easier way?

[Image: grep output]

Remediation:

As usual, PATCH! Samba has already released a patch for versions 4.4 onwards. There are workarounds for the other versions, though they could break functionality: add the parameter “nt pipe support = no” to the [global] section of smb.conf and restart the smbd service.
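As an added example (not from the original post), here is a small Python check for that workaround: it parses smb.conf the way Samba reads parameter names (case-insensitive, internal whitespace ignored), reports whether [global] already sets nt pipe support = no, and produces the corrected config otherwise. The sample config and the share path in it are constructed; the function assumes a [global] section exists.

```python
import re

# Constructed sample smb.conf (not from any real host); the workaround is absent.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = File server
[public]
   path = /srv/samba/public
   writable = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {normalised key: lowercased value}}.
    Samba keys are case-insensitive and ignore internal whitespace; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections

def has_nt_pipe_workaround(text):
    """True when [global] explicitly sets 'nt pipe support' to a false value."""
    return parse_smb_conf(text).get("global", {}).get("ntpipesupport") in ("no", "false", "0")

def apply_workaround(text):
    """Return the config with 'nt pipe support = no' under [global]; restart smbd after writing it."""
    if has_nt_pipe_workaround(text):
        return text
    out, in_global = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            out.append(raw)
            if in_global:
                out.append("   nt pipe support = no")
        elif in_global and "=" in line and line[0] not in "#;" \
                and re.sub(r"\s+", "", line.split("=", 1)[0]).lower() == "ntpipesupport":
            continue  # drop the old (non-'no') setting; the replacement was added above
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run it against a copy of your own smb.conf and diff the result before putting it in place, since disabling named pipes can break clients that depend on them.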

On a light note 😀

[Image]

Post title inspired by Remy Zero’s Save me
