Have you heard of the Samba project? It’s a popular open source project used on Linux and Unix machines so that they can interoperate with Windows file and print services. The project provides both a client, which lets you connect to Windows servers, and a server designed to accept connections from Windows clients.
Samba can be used as an Active Directory server to handle logon, authentication and access control for a Windows network.
A Remote Code Execution (RCE) Bug Found in Samba’s SMB Implementation
An interesting fact here is that Samba’s name stems from SMB, or Server Message Block, which has been all over the news lately due to the WannaCry ransomware outbreak. The attack was based on a self-spreading ransomware with worm-like behavior that spread itself automatically from network to network via the already-famous SMB flaw in Windows.
As it turned out, the flaw had been present for a long time; the NSA had discovered it and dubbed its exploit EternalBlue, and it stayed secret until the ShadowBrokers made it public. The hacking group somehow obtained it as part of a cache of data that was most likely leaked, breached or stolen.
As you already know, Microsoft has now patched the SMB flaw, but the hackers decided to make its details public along with other stolen data. People who think that the WannaCry outbreak was something unique or unseen in the cybercrime world are wrong: similar worm-like attacks have been observed before – the Internet Worm of 1988, Slammer in 2003 and the infamous Conficker in 2008.
And the bad news is that, thanks to cross-platform implementations such as Samba, security holes in SMB file sharing services are not limited only to Windows. As it turns out, there has been a remote code execution bug – identified as CVE-2017-7494 – in Samba’s SMB implementation.
Details about CVE-2017-7494
- Type: Remote code execution from a writable share
- Versions affected: All versions of Samba from 3.5.0 onwards
- Description: Malicious clients can upload and cause the smbd server to execute a shared library from a writable share.
In theory, this vulnerability could be exploited in another wormable attack, an automated type of intrusion in which a compromised machine searches for new victims to do further damage, as Sophos researchers explain.
CVE-2017-7494 can be triggered in a scenario like the following:
- Locate a writable network share on a vulnerable Samba server;
- Copy a Linux/Unix program called a shared object (a .so file) into that writable share.
This is the point at which the malware has been introduced to the targeted machine via a malicious .so program file, but so far it does nothing. Thanks to the bug, however, a remote attacker could trick the Samba server into loading and running the .so file, researchers explain:
- Guess the local filename of the uploaded file on the server you are attacking. (The remote name via the share might be \\SERVER\SHARE\dodgy.so; that file might end up in the server’s local directory tree as, say, /var/samba/share/dodgy.so.)
- Send Samba a specially-malformed IPC request (interprocess communication, or computer-to-computer message) that identifies the local copy of the malware by full path name.
- The malformed IPC request tricks the server into loading and running the locally-stored program file, even though that file came from an untrusted external source.
Researchers note that CVE-2017-7494 is harder to exploit because not every SMB service is exploitable. However, there is a certain amount of risk:
If you have Samba installed but are only using it as a client to connect out to other file shares, the exploit can’t be used because there is no listening server for a crook to connect to.
If you have Samba shares open but they are configured read-only (for example if you are using Samba to publish updates to Windows PCs on your network), the exploit can’t be used because the crooks can’t upload their malware file to start the attack.
If you have writable Samba shares but you have set the Samba configuration option nt pipe support = no, the exploit can’t be used because the crooks can’t send the malformed IPC requests to launch the malware they just uploaded.
Lastly, users who update Samba to 4.6.4, or to 4.5.10 / 4.4.14 for the older release branches, are no longer exposed: a patched Samba won’t accept the malformed IPC request that refers to the uploaded malware by its local path name.
In conclusion, users are advised to check their networks, because interest in SMB services remains high on the attackers’ side.
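The three conditions above (a writable share, nt pipe support still enabled, and an unpatched release) can be checked from a server’s own smb.conf and version string. The following Python script is an added example written for this article, not code from Sophos or from the Samba project. It assumes a simplified smb.conf (no include = directives and no % macro expansion), treats release branches newer than 4.6 as patched because they shipped after the fix, and uses a constructed sample configuration rather than a real host’s file.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory: 4.6.4, plus 4.5.10 and 4.4.14 for the older branches.
FIXED_BY_BRANCH = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)  # "all versions of Samba from 3.5.0 onwards"

# smb.conf keywords that set writability; 'read only' is the inverse of the other three.
WRITE_KEYS = {"writable": True, "writeable": True, "write ok": True, "read only": False}


def parse_bool(value: str) -> Optional[bool]:
    """Samba boolean syntax: yes/true/1 or no/false/0, case-insensitive."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal smb.conf reader: {section: [(key, value), ...]} in file order.
    Keys are lower-cased with whitespace collapsed; whole-line comments start with # or ;.
    'include =' and % macros are not handled (simplification for this example)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections


def effective_writable(params: List[Tuple[str, str]], inherited: bool) -> bool:
    """Walk a section in order; the last writability keyword wins, as in Samba."""
    writable = inherited
    for key, value in params:
        if key in WRITE_KEYS:
            b = parse_bool(value)
            if b is not None:
                writable = b if WRITE_KEYS[key] else not b
    return writable


def audit(text: str) -> dict:
    """List writable shares and report whether 'nt pipe support' is still on.
    The bug needs both: a writable share to upload into and IPC requests to load the file."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", [])
    # Share-level defaults come from [global]; Samba's built-in default is read only = yes.
    default_writable = effective_writable(glob, False)
    nt_pipe = True  # Samba default
    for key, value in glob:
        if key == "nt pipe support":
            b = parse_bool(value)
            nt_pipe = nt_pipe if b is None else b
    writable = [name for name, params in conf.items()
                if name != "global" and effective_writable(params, default_writable)]
    return {"writable_shares": writable, "nt_pipe_support": nt_pipe,
            "exposed": bool(writable) and nt_pipe}


def version_is_fixed(version: str) -> bool:
    """True when the upstream version number carries the CVE-2017-7494 fix.
    3.5 through 4.3 have no fixed release; branches after 4.6 are assumed patched."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if v < FIRST_AFFECTED:
        return True
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return v >= fixed if fixed is not None else v[:2] > (4, 6)


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = constructed sample file server

[public]
   path = /srv/samba/public
   read only = no

[software]
   path = /srv/samba/software
   writable = yes
   ; a later keyword in the same section overrides the earlier one
   read only = yes

[docs]
   path = /srv/samba/docs
"""

# The same host with the interim mitigation from the text applied in [global].
HARDENED_CONF = SAMPLE_CONF.replace("[global]", "[global]\n   nt pipe support = no", 1)

if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
    for ver in ("4.2.14", "4.4.13", "4.4.14", "4.6.4", "4.7.0"):
        print(ver, "fixed" if version_is_fixed(ver) else "vulnerable")
```

On the sample, only the public share ends up writable (the software share is overridden back to read-only by the later read only = yes), so the original configuration is reported as exposed while the hardened one is not, even though the share is still writable. The version check is a hint rather than proof: distribution packages frequently backport the fix without changing the upstream version string, so confirm against your distribution’s security notice as well.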