Author: cyg07 && redrain
On May 24, 2017, Samba released version 4.6.4, which fixes a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects Samba versions between 3.5.0 and 4.6.4/4.5.10/4.4.14. The 360 Network Security Center and the Gear Team of 360's Information Security Department analyzed the vulnerability as soon as it was published and confirmed that it is a serious vulnerability that can lead to remote code execution.
As the official advisory describes, the vulnerability only requires a Samba user with write permission to escalate to root on the Samba server, since Samba runs as the root user by default.
From the patch, the problem is that the is_known_pipename function accepts a pipename that contains a path separator:
![](/Article/UploadPic/2017-5/2017525114112452.png)
Following the flow down into the smb_probe_module function, this causes the dll uploaded by the attacker to be loaded, resulting in arbitrary code execution:
![](/Article/UploadPic/2017-5/2017525114112658.png)
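To make the patched check concrete, the following C example (added here; it is not Samba's code, and MODULES_DIR, the rpc/ subdirectory layout and the sample names are assumptions) models how an unchecked pipe name beginning with '/' would be resolved as an absolute module path, beside the path-separator check that the fix adds to is_known_pipename.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed modules directory; Samba computes the real one at build time. */
#define MODULES_DIR "/usr/lib/samba"

/* Models the lookup smb_probe_module() performs for a pipe name:
 * a name starting with '/' is treated as an absolute path to a shared
 * object, anything else is resolved under the modules directory.
 * Returns 0 on success, -1 if the path does not fit. */
int resolve_module_path(const char *pipename, char *out, size_t outlen)
{
    int n;
    if (pipename[0] == '/')
        n = snprintf(out, outlen, "%s", pipename);   /* loaded as-is */
    else
        n = snprintf(out, outlen, "%s/rpc/%s.so", MODULES_DIR, pipename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check mirroring the CVE-2017-7494 fix: a pipe name that
 * contains a path separator is refused before any module probing. */
bool pipename_is_acceptable(const char *pipename)
{
    if (pipename == NULL || pipename[0] == '\0')
        return false;
    return strchr(pipename, '/') == NULL;
}

/* Patched flow: returns 0 when the name is refused (path left empty),
 * 1 when a probe would proceed with `path` as the module location. */
int probe_pipe(const char *pipename, char *path, size_t pathlen)
{
    path[0] = '\0';
    if (!pipename_is_acceptable(pipename))
        return 0;
    return resolve_module_path(pipename, path, pathlen) == 0 ? 1 : 0;
}

int main(void)
{
    /* constructed sample pipe names */
    const char *names[] = { "srvsvc", "/srv/share/module.so", "a/b" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = probe_pipe(names[i], path, sizeof path);
        printf("%-24s -> %s %s\n", names[i], ok ? "probe" : "reject", path);
    }
    return 0;
}
```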
Specific attack process:
The specific result of the attack is as follows: