Samba remote code execution vulnerability (CVE-2017-7494) analysis - vulnerability warning - the black bar safety net

2017-05-25 00:00:00
Anonymous
www.myhack58.com

EPSS: 0.973 (High), percentile 99.9%

Author: cyg07 && redrain

Overview

On May 24, 2017, Samba released version 4.6.4, which fixes a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects Samba versions from 3.5.0 up to the 4.6.4/4.5.10/4.4.14 releases. 360 Network Security Center and the 360 Information Security Department Gear Team analyzed the vulnerability as soon as it was published and confirmed that it is a serious vulnerability that can lead to remote code execution.

Technical analysis

As the official advisory describes, the vulnerability only requires the permissions of a user who can write to a Samba share; from there the attacker can escalate to root on the server hosting Samba, because Samba runs as the root user by default.

Looking at the patch, the problem is in the is_known_pipename function: a pipename that contains a path separator ('/') is not rejected:

![](/Article/UploadPic/2017-5/2017525114112452.png)

Following the call further down into the smb_probe_module function, the shared library (dll) uploaded by the attacker gets loaded, which results in arbitrary code execution:

![](/Article/UploadPic/2017-5/2017525114112658.png)
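To make the patched check concrete, the following C program models the decision that is_known_pipename makes before and after the fix. This is an added illustration written for this page, not Samba's source: `reaches_module_loader`, `is_builtin_pipe` and the list of registered pipes are constructed for the example, and nothing is actually loaded; the `patched` flag toggles the rejection of '/' that the fix introduces.

```c
/* Added illustration, not Samba's code: models the decision made in
 * is_known_pipename() before and after the CVE-2017-7494 fix.
 * reaches_module_loader(), is_builtin_pipe() and the pipe list below are
 * constructed for this example; no module is actually loaded. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of pipes the server already has registered. */
static const char *const builtin_pipes[] = {
    "srvsvc", "samr", "lsarpc", "netlogon", "spoolss", NULL
};

static bool is_builtin_pipe(const char *pipename)
{
    for (const char *const *p = builtin_pipes; *p != NULL; p++) {
        if (strcmp(pipename, *p) == 0) {
            return true;
        }
    }
    return false;
}

/*
 * Returns true when an open request for `pipename` would be handed on to
 * the module loader (smb_probe_module) with `pipename` as the module name.
 * `patched` selects the post-fix behaviour.
 */
bool reaches_module_loader(const char *pipename, bool patched)
{
    if (patched && strchr(pipename, '/') != NULL) {
        /* The fix: a pipe name is never a path, so refuse before any
         * lookup or probing happens. */
        fprintf(stderr, "refusing open on pipe %s\n", pipename);
        return false;
    }
    if (is_builtin_pipe(pipename)) {
        return false;   /* already registered, nothing to load */
    }
    /* Unknown pipe: the unpatched code passes the raw client-supplied name
     * to the loader, so an absolute path names an arbitrary file on the
     * server (for instance one written into a share) instead of a module
     * under the modules directory. */
    return true;
}

int main(void)
{
    const char *samples[] = { "samr", "rpc_custom", "/home/toor/cyg07.so" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s unpatched: %-4s patched: %s\n", samples[i],
               reaches_module_loader(samples[i], false) ? "load" : "no",
               reaches_module_loader(samples[i], true) ? "load" : "no");
    }
    return 0;
}
```

Note that an unknown name without a '/' still reaches the loader after the fix; that is the intended plugin mechanism, and the defect was only that the client-controlled name was accepted as a filesystem path. Apart from upgrading, the Samba project's advisory (not this article) documented the smb.conf workaround `nt pipe support = no`, which stops clients from opening named pipes at all at the cost of some Windows client functionality.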

The specific attack process:

  1. Construct a pipe name that contains a '/' character, i.e. a path name such as "/home/toor/cyg07.so"
  2. Over the SMB protocol, actively make the server return the FID for it
  3. Then issue a request directly against that FID, which enters the malicious processing described above

The actual result of the attack is as follows:

  1. The server attempts to load the malicious "/home/toor/cyg07.so": ![](/Article/UploadPic/2017-5/2017525114113647.png)
  2. The code of that .so is as follows (when it is loaded, its exported samba_init_module function is called): ![](/Article/UploadPic/2017-5/2017525114113327.png)
  3. Finally, in /tmp/360sec we can see the permissions it actually executed with (root privileges): ![](/Article/UploadPic/2017-5/2017525114113328.png)
