STE WILLIAMS

Fat-thumbed dev slashes Samba security

Sysadmins tending Samba need to get patching.

Samba’s announcement, here, explains that it’s suffering from a remote code execution bug that applies to all versions newer than Samba 3.5.0.

The software, currently at version 4.6.4, provides *nix integration with Windows file and print services.

In CVE-2017-7494, a malicious client can “upload a shared library to a writable share, and then cause the server to load and execute it.”

The advisory is scant on how this happened, but if The Register’s reading of the patch note is accurate, the bug’s in Samba’s RPC (remote procedure call) server component.

Apparently, the unpatched RPC server accepted pipe names that included the “” character – in other words, it looks like a directory traversal bug (feel free to correct us in the comments), so the fix is to refuse to open a connection if the pipe matches the regex %sn.

HD Moore tweeted that the bug could be exploited with a single line:

The patch is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/25/fatthumbed_dev_slashes_samba_security/
