) help offered
brief intro to sambacryHow bad is it?
The internet is not on fire yet, but there’s a lot of potential for it to get pretty nasty. If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial.
In a Project Sonar scan run today, Rapid7 Labs discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445. Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available. In other words, “We're way beyond the boundary of the Pride Lands.” (sorry - we promise that’s the last Lion King reference. Maybe.)
QNAP Security Advisory | Bulletin ID: NAS-201705-27
Taipei, Taiwan, May 27, 2017 - QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Advisory for Samba Writable Share Vulnerability
Release date: May 27, 2017
Last updated: May 27, 2017
Bulletin ID: NAS-201705-27
Severity rating: High
CVE identifier: CVE-2017-7494
Affected products: All NAS running QTS
Summary
The Samba team has released an advisory for CVE-2017-7494, a vulnerability that may allow users with write access to upload a shared library to a writeable shared folder and then execute malicious code.
Solution
QNAP is currently working on a fix and will release an update in the coming days. For manually applying a workaround, refer to QNAP Forum ( viewtopic.php?f=5&t=132991&p=617561#p617561)
References:
https://www.samba.org/samba/security/CVE-2017-7494.html
https://www.samba.org/samba/history/security.html
https://access.redhat.com/security/cve/CVE-2017-7494
highly recommended to subscribe. or at the very least check the security bulletin from time to time Attack code
After seeing the announcement, the founder of the penetration test framework Metasploit @hdmoore quickly developed a vulnerability verification code that only needs a line of code to take advantage of:Currently the vulnerability in Metasploit already has a module that can be used to validate Ubuntu 16.04 and Fortune NAS devices, and more versions are still validated.Code: Select all
Simple.create_pipe ("/ path / to / target.so")
[youtube=]BVZBcNDDC-4[/youtube]PRODUCT UPDATE 3 - 5/25/17 -
We now have a Metasploit module available for this vulnerability,
https://community.rapid7.com/external-l ... n_pipename
so you can see whether you can be exploited via Samba CVE-2017-7494, and understand the impact of such an attack. Download Metasploit to try it out.
https://community.rapid7.com/external-l ... ownload%2F
Code: Select all
cp /etc/config/smb.conf /etc/config/smb.conf.copy;sed -i '/^nt pipe support/d' /etc/config/smb.conf;sed -i '/\[global\]/ant pipe support = no' /etc/config/smb.conf;/etc/init.d/smb.sh restartCode: Select all
mv /etc/config/smb.conf.copy /etc/config/smb.conf;sed -i '/^nt pipe support/d' /etc/config/smb.conf;/etc/init.d/smb.sh restartFor all NAS models running QTS 4.3.3 to be correct.ensignvorik wrote:Looks like the forum post has been updated to include Qfixes for all models now.