SambaCry: The Linux Sequel to WannaCry

Need-to-Know Facts

How Bad Is It, Really?

Samba is an open source network application that implements the same functionality as Microsoft's Server Message Block (SMB) protocol. SMBv1 was the target of the EternalBlue exploit, which affects Microsoft systems, but Samba is a separate code base and this is a different flaw. Because Samba is added to Unix systems for file-share compatibility with Microsoft systems, it is often not running out of the box. Granted, it ships with nearly every Linux distribution, but not everyone uses it. Samba is also used on many network appliances and devices, since these devices often use Linux as their internal operating system. Linux systems and many network appliances are therefore potentially vulnerable.

The vulnerability requires the following conditions:

  1. smbd must be running on a port accessible to the attacker (tcp/445)
  2. the “nt pipe support” setting must be enabled (it is on by default) in smb.conf
  3. the attacker must have access to a writable share

Notably, the attacker does not need authenticated access if the writable share accepts anonymous writes.

To exploit the vulnerability, the attacker uploads a shared object file to the writable share and issues a simple command that causes smbd to load and execute the shared object.

This causes the smbd process to execute the code contained in the uploaded file (target.so) at its own privilege level, which is usually root. The Metasploit exploit module allows the attacker to choose the payload. An attacker who is in a position to leverage this vulnerability gains full access to the entire system with root-level privileges.
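The three preconditions above can be checked offline against a host's smb.conf. The following is an added example (not from the original post and not Samba's own tooling): it reads a constructed configuration and reports whether “nt pipe support” is still at its default and which shares are writable, anonymously or otherwise. It assumes a simplified smb.conf syntax (no include directives, no last-wins handling of conflicting keys) and the Samba defaults of “nt pipe support = yes”, “read only = yes” and “guest ok = no”.

```python
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    # Minimal smb.conf reader: {section: {key: value}}, names and values lower-cased.
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()      # [global], [share] ...
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def is_true(value, default):
    return default if value is None else value in TRUE_VALUES

def share_is_writable(opts):
    # "writable", "writeable" and "write ok" are synonyms; "read only" is the inverse.
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return is_true(opts[key], False)
    return not is_true(opts.get("read only"), True)  # shares are read-only by default

def audit(text):
    # Returns (nt_pipe_support_on, writable_shares, anonymously_writable_shares).
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    pipes_on = is_true(glob.get("nt pipe support"), True)   # Samba default is yes
    writable, anonymous = [], []
    for name, opts in conf.items():
        if name != "global" and share_is_writable(opts):
            writable.append(name)
            guest = opts.get("guest ok", opts.get("public", glob.get("guest ok")))
            if is_true(guest, False):                 # "public" is a synonym for "guest ok"
                anonymous.append(name)
    return pipes_on, writable, anonymous

# Constructed sample configuration (not taken from any real host).
SAMPLE_SMB_CONF = """[global]
   # nt pipe support = no   (mitigation commented out, so the default applies)
[public]
   guest ok = yes
   writable = yes
[docs]
   read only = yes
[team]
   read only = no
"""
```

On a real host, `testparm -s` prints the effective configuration with defaults resolved, which is a better input for this check than the raw file; setting “nt pipe support = no” in [global] removes precondition 2.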

Threat Scope

A shodan.io query for “port:445 !os:windows” shows approximately one million non-Windows hosts with tcp/445 open to the Internet, more than half of which are located in the United Arab Emirates (36%) and the U.S. (16%).

CVE-2017-7494 has a CVSS score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code, typically as root. The flaw allows a malicious client to upload a shared library to…