SambaCry vulnerability scanner
The scanner detects the vulnerability CVE-2017-7494 which exists in all versions of Samba starting from version 3.5.0.
This vulnerability is relatively easy to exploit; it allows remote code execution on a target system. In case of a successful attack, the malicious actor can gain control over vulnerable Linux and Unix systems.
The vulnerability exists in the function “is_known_pipename”.
In order to process special RPC requests, this function attempts to call the RPC module with the same name as the requested channel (“pipe”).
However, if the name of the channel is an absolute path (starting with a slash character), the extension module's loader function downloads the module using the absolute path rather than from the RPC module's folder, as originally designed by the developers.
The exploit for this vulnerability can also be found in the Internet. The execution of the malicious code requires one mere line of code:
Our team has developed a scanner that allows to detect the CVE-2017-7494 vulnerability. The scanner is available here.
- This checker uses version detect for vulnerability check.
- If you have turned off the PIPES functionality, your host may not be vulnerable.
- If you have disabled the write operation for all directories on your Samba server, your host may not be vulnerable.
- If you have turned off banners, the scanner may yield incorrect results.
- If the scanner can not authenticate to Samba, it’s impossible to get banner with version.
The SambaCry scanner tool by BiZone
Usage of ./sambacry_scaner.exe:
- clear_hosts string
The output CSV file with hosts that are not vulnerable. Example: clear.csv
- file string
The file with a list of targets to scan. Each address or netmask must be on a new line.
- ip string
The IP address
- net string
The network IP address. Example: 10.0.1.0/24
- out string
The output file with scan results in CSV format. Example: results.csv
- workers int
Count of concurrent workers. (The default value: 200)
The archive's password is “sambacry”
$ sha1sum.exe sambacry_scanner.exe
$ sha1sum.exe sambacry_scanner.go