BI.ZONE team has developed a special utility software – vulnerability scanner SambaCry. The scanner detects vulnerability CVE-2017-7494 which is peculiar for all version of Samba software starting from version 3.5.0
This vulnerability is relatively easy to exploit and provides for remote code execution on a target system. In case of successful attack perpetrator can gain control over vulnerable Linux and Unix systems.
Vulnerability exists in the function “is_known_pipename”.
In order to process special RPC requests, this function attempts to call RPC module under the name equal to the name of the requested channel (pipe).
However, if the name of the channel is an absolute path (starting with slash symbol), the module in the function of additional module upload is uploaded through the absolute path instead of the catalogue with RPC modules as the developers first implied.
The exploit for this vulnerability can also be found in the Internet. The execution of the malicious code requires one mere line of code.
Our team has developed the scanner which allows to detect vulnerability CVE-2017-7494. The scanner is available here.
SambaCry scanner tool by BiZone
Usage of ./sambacry_scaner.exe:
Output CSV file with hosts that are not vulnerable. Example: clear.csv
File with list of targets to scan. Each address or netmask on new line.
IP network address. Example: 10.0.1.0/24
Output file with results of scan in CSV format. Example: results.csv
Count of concurrent workers. (default 200)
Password for the archive
$ sha1sum.exe sambacry_scanner.exe
$ sha1sum.exe sambacry_scanner.go