The Trans2open Vulnerability

From Embedded Lab Vienna for IoT & Security

The trans2open vulnerability, sometimes also referred to as the "trans2 vulnerability", is a remotely exploitable stack-based buffer overflow (BOF) in Samba versions 2.2.0 to 2.2.8; it was fixed in 2.2.8a. It was disclosed in April 2003, at a time when TCP port 139 was one of the most attacked ports worldwide. Because smbd runs as root, and the vulnerable code can be reached with a guest login wherever anonymous access is enabled, the overflow gives an attacker arbitrary code execution on the server. In practice it is used to open a reverse shell with root privileges or to implant a backdoor. The trans2open vulnerability poses an extreme danger to any system running an affected Samba version and should be patched immediately.

Related CVEs include CVE-2003-0196, CVE-2003-0201 (the trans2open overflow itself) and CVE-2003-0345.

Samba

Samba is an open-source, cross-platform software that facilitates file and printer sharing across different operating systems within a network. Primarily, it enables seamless file sharing between Windows and Linux/Unix systems. With Samba, a Linux file server can function within a Windows network, allowing users to access directories and files as if they were on a Windows machine. Initially released in 1992, Samba has grown significantly in popularity over the years. According to its official website, it is recognized as the standard suite of programs for Windows interoperability on Linux and Unix systems.

SMB

Samba implements the Server Message Block (SMB) protocol, which is a network protocol designed for sharing files, printers, and serial ports between nodes on a network. It operates over TCP/IP. Originally developed by IBM in 1983, SMB was later adapted by Microsoft in 1996 into the Common Internet File System (CIFS). While CIFS is sometimes used interchangeably with SMB, it only encompasses the features of SMB 1.0 and is largely outdated today. SMB has evolved over the years, with several versions, including SMB1, SMB2, and SMB3, each introducing improvements in performance, security, and functionality. Modern versions of SMB support interprocess communication and authentication methods such as Kerberos and NTLM (NT LAN Manager). Both Samba and SMB are widely used for communication and resource sharing across various IT systems.

Exploitation

The vulnerability can be exploited in many different ways, but all of them rely on the remote code execution that the buffer overflow provides.

In call_trans2open (smbd/trans2.c), the filename taken from the client's TRANSACT2_OPEN request is copied into a fixed-size buffer (a 1024-byte pstring) without first comparing the buffer size to the length of the data the client supplied. The buffer is a local variable of the function, so it is allocated on the stack during the call, and an overlong filename runs past it and overwrites the saved return address stored above it. When the function returns, execution continues at an attacker-chosen address, in the context of smbd, which runs as root.
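The following C program is an added example and is not Samba code: it models the overflow pattern described above with a simplified stack frame (a 1024-byte buffer followed directly by the saved return address), copies a constructed oversize "filename" into it once without a length check and once with one, and reports whether the saved return address was hijacked. The frame layout, the placeholder addresses and the request bytes are all assumptions made for the demonstration.

```c
/* Added example, not Samba code: model of the stack-overflow pattern behind
 * trans2open. The frame layout below is a simplification (buffer, then the
 * saved return address); the request bytes are constructed in this file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSTRING_LEN 1024                         /* size of Samba's pstring type */
#define RET_OFFSET  PSTRING_LEN                  /* modeled saved return address sits right above the buffer */
#define FRAME_LEN   (PSTRING_LEN + sizeof(uint64_t))

/* Simplified stack frame: fname[1024] followed by the saved return address. */
struct frame_model {
    unsigned char bytes[FRAME_LEN];
};

static void frame_init(struct frame_model *f, uint64_t legit_ret) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + RET_OFFSET, &legit_ret, sizeof legit_ret);
}

static uint64_t frame_saved_ret(const struct frame_model *f) {
    uint64_t r;
    memcpy(&r, f->bytes + RET_OFFSET, sizeof r);
    return r;
}

/* Vulnerable pattern: trusts the length the client supplied. Every byte beyond
 * PSTRING_LEN lands on whatever sits above the buffer, here the return address.
 * The clamp keeps this demonstration inside the modeled frame; the real code
 * had no such boundary. */
static void copy_unbounded(struct frame_model *f, const unsigned char *name, size_t name_len) {
    if (name_len > FRAME_LEN) name_len = FRAME_LEN;
    memcpy(f->bytes, name, name_len);
}

/* Hardened pattern: check the client-supplied length against the buffer before
 * copying and always NUL-terminate. Returns 0 on success, -1 if rejected. */
static int copy_bounded(struct frame_model *f, const unsigned char *name, size_t name_len) {
    if (name_len >= PSTRING_LEN) {
        return -1;                    /* reject the request instead of truncating silently */
    }
    memcpy(f->bytes, name, name_len);
    f->bytes[name_len] = '\0';
    return 0;
}

/* Constructed attacker request: filler up to the end of the buffer, then the
 * 8 bytes that should become the new saved return address. */
static size_t build_overflow_request(unsigned char *out, size_t out_len, uint64_t new_ret) {
    if (out_len < FRAME_LEN) return 0;
    memset(out, 'A', PSTRING_LEN);
    memcpy(out + PSTRING_LEN, &new_ret, sizeof new_ret);
    return FRAME_LEN;
}

/* Runs the same request through both copies. Returns 1 when the unbounded copy
 * replaced the return address and the bounded copy rejected the request. */
int demo_trans2open_pattern(void) {
    const uint64_t legit_ret = 0x0000555555551234ULL;   /* placeholder legitimate address */
    const uint64_t evil_ret  = 0x4141414141414141ULL;   /* attacker-chosen value */
    unsigned char req[FRAME_LEN];
    size_t req_len = build_overflow_request(req, sizeof req, evil_ret);
    struct frame_model f;

    frame_init(&f, legit_ret);
    copy_unbounded(&f, req, req_len);
    int hijacked = frame_saved_ret(&f) == evil_ret;

    frame_init(&f, legit_ret);
    int rc = copy_bounded(&f, req, req_len);
    int intact = frame_saved_ret(&f) == legit_ret;

    return hijacked && rc == -1 && intact;
}

int main(void) {
    printf("unbounded copy hijacks return address, bounded copy rejects: %s\n",
           demo_trans2open_pattern() ? "yes" : "no");
    return 0;
}
```

The bounded version rejects rather than truncates: silently cutting a filename at 1023 bytes would hide the malformed request from logging and could still open the wrong file. In the real server the length also has to be checked against the total SMB packet length, so that a client cannot claim more data than it actually sent.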

Metasploit

The Metasploit framework offers modules that target the vulnerability. One auxiliary module is designed to determine the Samba version running on a host; it can be found at auxiliary/scanner/smb/smb_version.

For exploitation, Metasploit offers the following modules:

  • exploit/freebsd/samba/trans2open
  • exploit/linux/samba/trans2open
  • exploit/osx/samba/trans2open
  • exploit/solaris/samba/trans2open

By default, most of them deliver a payload that opens a TCP shell back to the attacker.

Many other exploits can be found on the internet. Most of them appear to trace back to trans2root.pl and sambal.c, which were among the first public exploits for this vulnerability.

Prevention

The best defensive action is to remove the vulnerability before it can be exploited. The following nmap command can be used to find hosts exposing SMB ports (the -O OS-detection option requires root privileges; adding -sV reports the Samba version from the service banner, which shows whether the host is in the affected range):

nmap -sT -p 137,139,445 -O TARGET_IP

If a vulnerable Samba version is running on a server, the following countermeasures can be taken:

  • Upgrade Samba to a fixed version (2.2.8a or later, including 2.2.9 and the 3.x series). This is the only real fix; the measures below only reduce exposure.
  • Block external access to TCP port 139 (and 445) at the network firewall.
  • Disable anonymous access. Many exploits rely on a guest login to reach the vulnerable code, so set the guest account in smb.conf to a user name that does not exist on the system.
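As an added example that is not from the original page or from the Samba project's documentation, the two smb.conf fragments below show a permissive configuration next to a hardened one for a server that cannot be upgraded right away. The parameter names are standard Samba ones; the account name, subnet and interface address are assumed values for the illustration. The fragments are alternatives, not one file with two [global] sections.

```ini
; --- Weak: anonymous access works and the server listens on every interface ---
[global]
    security = share
    guest account = nobody
    map to guest = Bad User

; --- Hardened (assumed example values): guest logins fail, only the internal subnet may connect ---
[global]
    security = user
    guest account = nosuchuser        ; non-existent account, so guest sessions cannot be established
    map to guest = Never              ; failed logins are refused instead of mapped to guest
    hosts allow = 192.168.1.0/24      ; everything not listed here is denied
    interfaces = 192.168.1.10/24
    bind interfaces only = yes        ; do not listen on other addresses
```

Restricting guest access removes the anonymous path that the public exploits use, and the host and interface restrictions shrink the set of clients that can reach port 139 at all. Neither changes the vulnerable code path, so an authenticated user on the allowed subnet could still trigger the overflow; the upgrade remains necessary.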
