Vulnerability scanner SambaCry

SambaCry vulnerability scanner

BI.ZONE team has developed a special utility software—the SambaCry vulnerability scanner 
May 26, 2017

The scanner detects the vulnerability CVE-2017-7494 which exists in all versions of Samba starting from version 3.5.0.

This vulnerability is relatively easy to exploit; it allows remote code execution on a target system. In case of a successful attack, the malicious actor can gain control over vulnerable Linux and Unix systems.

The vulnerability exists in the function “is_known_pipename”.

In order to process special RPC requests, this function attempts to call the RPC module with the same name as the requested channel (“pipe”).

However, if the name of the channel is an absolute path (starting with a slash character), the extension module's loader function downloads the module using the absolute path rather than from the RPC module's folder, as originally designed by the developers.

The exploit for this vulnerability can also be found in the Internet. The execution of the malicious code requires one mere line of code:

simple.create_pipe("/path/to/target.so")

Our team has developed a scanner that allows to detect the CVE-2017-7494 vulnerability. The scanner is available here.


Usage instructions

  • This checker uses version detect for vulnerability check.
  • If you have turned off the PIPES functionality, your host may not be vulnerable.
  • If you have disabled the write operation for all directories on your Samba server, your host may not be vulnerable.
  • If you have turned off banners, the scanner may yield incorrect results.
  • If the scanner can not authenticate to Samba, it’s impossible to get banner with version.

The SambaCry scanner tool by BiZone

Usage of ./sambacry_scaner.exe:

  • clear_hosts string

The output CSV file with hosts that are not vulnerable. Example: clear.csv

  • file string

The file with a list of targets to scan. Each address or netmask must be on a new line.

  • ip string

The IP address

  • net string

The network IP address. Example: 10.0.1.0/24

  • out string

The output file with scan results in CSV format. Example: results.csv

  • verbose

Verbose output

  • workers int

Count of concurrent workers. (The default value: 200)


Download utility

sambacry.7z

The archive's password is “sambacry”


Checksums

$ sha1sum.exe sambacry_scanner.exe
b44c5e7e8c8cd121d83020b7fdc5844c482e0968

$ sha1sum.exe sambacry_scanner.go
c0a47933c56d4aa6168b4726194dc5f0bda37eef