Vulnerability scanner SambaCry

BI.ZONE team has developed a special utility software — vulnerability scanner SambaCry. The scanner detects vulnerability CVE-2017-7494 which is peculiar for all version of Samba software starting from version 3.5.0

This vulnerability is relatively easy to exploit and provides for remote code execution on a target system. In case of successful attack perpetrator can gain control over vulnerable Linux and Unix systems.

Vulnerability exists in the function «is_known_pipename».

In order to process special RPC requests, this function attempts to call RPC module under the name equal to the name of the requested channel (pipe).

However, if the name of the channel is an absolute path (starting with slash symbol), the module in the function of additional module upload is uploaded through the absolute path instead of the catalogue with RPC modules as the developers first implied.

The exploit for this vulnerability can also be found in the Internet. The execution of the malicious code requires one mere line of code.

simple.create_pipe("/path/to/target.so")

Our team has developed the scanner which allows to detect vulnerability CVE-2017-7494. The scanner is available here.

Usage instructions

SambaCry scanner tool by BiZone

Usage of ./sambacry_scaner.exe:

Output CSV file with hosts that are not vulnerable. Example: clear.csv

File with list of targets to scan. Each address or netmask on new line.

IP address

IP network address. Example: 10.0.1.0/24

Output file with results of scan in CSV format. Example: results.csv

Verbose output

Count of concurrent workers. (default 200)

Download utility

sambacry.7z

Password for the archive

sambacry

Checksums

$ sha1sum.exe sambacry_scanner.exe
b44c5e7e8c8cd121d83020b7fdc5844c482e0968

$ sha1sum.exe sambacry_scanner.go
c0a47933c56d4aa6168b4726194dc5f0bda37eef