SambaCry

From Embedded Lab Vienna for IoT & Security
Revision as of 14:22, 11 February 2025 by NKirnbauer (talk | contribs)

Summary

SambaCry is the vulnerability tracked as CVE-2017-7494, discovered in the Samba software in 2017.

It allows a remote attacker to execute arbitrary code on a vulnerable server.

This works because a malicious client can upload a shared library to a writable share and then cause the server to load and execute it.

What is Samba?

Samba is an open-source implementation of the SMB/CIFS protocol, allowing file and print sharing between systems running Unix/Linux and Windows.

Which systems are vulnerable?

All systems running a Samba version from 3.5.0 onwards are vulnerable to this remote code execution vulnerability.


Exploitation

Requirements

  • Attacker machine (e.g. Kali Linux) with Metasploit
  • Vulnerable machine (e.g. Metasploitable)


Step 1

Set up the machines.

For the victim machine I downloaded Metasploitable 2 from this webpage: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

For the attacker machine I used Kali Linux.

Step 2

First we need to find the vulnerable machine on the network, so that we know which IP address to attack.

We can do this by simply issuing the ip a command on the victim's machine:


Samba1.png


But in a real scenario you don't have access to the machine. That's why we normally scan all machines on the network to determine which IP address we are interested in. To do this, we perform a network scan using tools like nmap or ping sweeps to identify active devices on the network and the services they offer. This is how you narrow down potential targets and further investigate their services to see whether they are vulnerable to specific exploits.

In our case we use the command nmap 192.168.1.0/24. This will show us all active IP addresses on the network:


Samba2.png


Samba3.png


We can observe that the IP 192.168.1.135 has a lot of open ports, so we assume that this device could be vulnerable and investigate further by running a service version detection on this IP address with nmap 192.168.1.135 -sV:


Samba4.png


This confirms that it is indeed the Metasploitable device. We can now also see all running services and decide which one we want to exploit. Ports 139 and 445 are open, and both are served by a Samba version within the range affected by SambaCry.


Step 3

Now that we have discovered a vulnerable device, we start the Metasploit Framework on the attacker machine with

msfconsole

If you don't already have it, install it with

sudo apt install metasploit-framework

We can then search for "samba" to find the correct exploit, or search directly for the CVE identifier:


Samba5.png


Samba6.png


We then select it with the use command:


Samba7.png


With the options command we can see all the options the exploit requires or allows us to set.

When all options are set, start the exploit with the command "run" or "exploit". It then opens a reverse shell in which you can issue commands on the victim's machine.



Mitigation

Firewalls can be used to block access from untrusted networks to TCP ports 445 and 139.

samba.org also released patched versions of the software, including ones for older, unsupported releases. Upgrading to one of these versions and restarting smbd fixes the issue.

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note that this can disable some functionality that Windows clients expect.
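The following script is an added example and is not part of the original wiki page or of Samba itself. It audits an smb.conf for the two facts that matter here: whether the nt pipe support = no workaround is set in [global], and which shares are writable, since the attack described in the summary needs a writable share to place the library in. It assumes the usual INI-like smb.conf layout, does not follow include = directives, and treats parameter names the way Samba does (case and whitespace are ignored, so "read only" and "readonly" are the same key; a share is read-only unless "read only = no" or one of the synonyms "writable", "writeable" or "write ok" says otherwise, the last setting winning). The two sample configurations are constructed for the example: one without the workaround and one with it applied.

```python
"""Audit an smb.conf for the SambaCry (CVE-2017-7494) workaround.

Added example, not code from the wiki page or from the Samba project.
Assumptions: plain INI-like smb.conf, no `include =` handling, Samba-style
parameter matching (case and whitespace ignored, last setting wins).
"""
import re

# Constructed sample: a typical configuration with one anonymous writable
# share and no SambaCry mitigation.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   security = user

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
"""

# Constructed sample: the same configuration with the workaround from the
# page applied and the anonymous share made read-only.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   security = user
   nt pipe support = no

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes
"""

SECTION_RE = re.compile(r"^\[(.+?)\]$")
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}   # inverses of "read only"


def _norm(name):
    # Samba compares parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()


def _as_bool(value):
    return value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: [(param, value), ...]}, preserving order so that a
    later setting of the same parameter can override an earlier one."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((_norm(key), value.strip()))
    return sections


def share_is_writable(params, global_params=()):
    """Shares are read-only by default; [global] values act as defaults for
    every share; 'read only' and its write-synonyms toggle the flag, and the
    last one parsed wins."""
    writable = False
    for key, value in list(global_params) + list(params):
        if key == "readonly":
            writable = not _as_bool(value)
        elif key in WRITE_SYNONYMS:
            writable = _as_bool(value)
    return writable


def audit(text):
    """Report whether the workaround is active and which shares are writable."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", [])
    nt_pipe_disabled = False                     # Samba default is "yes"
    for key, value in glob:
        if key == "ntpipesupport":
            nt_pipe_disabled = not _as_bool(value)
    writable = [name for name, params in conf.items()
                if name != "global" and share_is_writable(params, glob)]
    return {"nt_pipe_support_disabled": nt_pipe_disabled,
            "writable_shares": writable}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(conf))
```

A writable share is not a finding on its own (file servers exist to be written to), but the list tells you where the workaround or an upgrade is most urgent; with the workaround set, the report for the hardened configuration still lists the writable [homes] share, which is expected. Run it against /etc/samba/smb.conf after the change and after restarting smbd to confirm the setting actually landed in [global] rather than in a share section.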



References