Linux SambaCry

May 25, 2017 by Pedro Umbelino 25 Comments

Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux has also its own, seven-year-old version of the bug. /s

This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.

The bug, however, has nothing to do on how Eternalblue works, one of the exploits that the current version of WannaCry ransomware packs with. While Eternalblue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load. To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share, afterwards it’s possible for the attacker to cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.

A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are also available. If you can’t apply the patch at the moment, the workaround is to add the parameter “nt pipe support = no” to the [global] section of your smb.conf and restart smbd. Note that this can disable some expected functionality for Windows clients.

Meanwhile, NAS vendors start to realise they have work on their hands. Different brands and models that use Samba for file sharing (a lot, if not all, of them provide this functionality) will have to issue firmware updates if they want to patch this flaw. If the firmware updates for these appliances take the same time they usually do, we will have this bug around for quite some time.

Microsoft Live Account Credentials Leaking From Windows 8 And Above

August 2, 2016 by Moritz Walter 62 Comments

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

Continue reading “Microsoft Live Account Credentials Leaking From Windows 8 And Above” →

Android App “tests” Windows Vulnerability

September 14, 2009 by Mike Szczys 48 Comments

android_windows_vulnerability_checker

An Android App for “testing” the Windows SMB2 vulnerability we covered last week has been released. For testing? Yeah right! The availability of this kind of software makes it ridiculously easy for anybody to go out and cause some havoc. Go right now and double check that your machines that run Windows Vista or Windows Server 2008 are protected (see the “workarounds” section.)

[Thanks Tom101]

Windows 7 And Vista Crash Via SMB Exploit

September 9, 2009 by Mike Szczys 40 Comments

vista_dx10_bsod

[Laurent Gaffié] has discovered an exploit that affects Windows Vista, Windows 7, and possibly Windows Server 2008 (unconfirmed). This method attacks via the NEGOTIATE PROTOCOL REQUEST which is the first SMB query sent. The vulnerability is present only on Windows versions that include Server Message Block 2.0 and have the protocol enabled. A successful attack requires no local access to the machine and results in a Blue Screen of Death.

[Laurent] has a proof of concept available with his writeup in the form of a python script (please, white hat use only). There is no patch for this vulnerability but disabling the SMB protocol will protect your system until one is available.

Update: According to the Microsoft advisory this vulnerability could lead to code execution, making it a bit worse than we thought. On the bright side, they claim that the final version of Windows 7 is not open to this attack, only Windows Vista and Windows Server 2008.

[via Full Disclosure]

[picture: Inquirer]

Theremin Controlled Mario

June 15, 2009 by Eliot 24 Comments

[youtube=http://www.youtube.com/watch?v=YnZeI8uLJnw]

In the video above, [conquerearth] is using a theremin to control Super Mario Bros. Moving his hand toward and away from the vertical antenna increases the theremin’s pitch. The computer monitors this in real time and moves Mario left and right. The loop antenna controls the theremin’s volume and acts as the jump button. The controls seem to work well, much better than the sound of one man flailing at a theremin.

[via Gizmodo]

Raid Your Network File Shares

December 29, 2007 by Will O'Brien 6 Comments

[Motoma] sent in his take on the virtual RAID 5 post. He didn’t like the layered system requirements, so he put together a proof of concept that only requires a Linux box. For his proof, he used a NFS share, a SMB share and did everything from the command line. He didn’t cover FTP, but the Gentoo wiki has a nice cheat sheet for mounting FTP and folders over SSH if you want some alternatives. He uses some very interesting partition tricks to make things happen. If you need some help to get things rolling, the Ubuntu forums software raid how-to is a good place to start.