Severity: HIGH (score 10)

CVE-2017-7494

Published: 30/05/2017 Updated: 21/10/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

Vulnerability Summary

Advisory ICSA-17-180-02: Schneider Electric U.motion Builder (Update A)

Samba could be made to run programs as an administrator.

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products

Vendor: Samba
Product: Samba
Versions: 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.22, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.6.12, 3.6.13, 3.6.14, 3.6.15, 3.6.16, 3.6.17, 3.6.18, 3.6.19, 3.6.20, 3.6.21, 3.6.22, 3.6.23, 3.6.24, 3.6.25, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.24, 4.0.25, 4.0.26, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.1.22, 4.1.23, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.5

Vendor Advisories

Synopsis: Important: samba security update. Type/Severity: Security Advisory: Important. Topic: An update for samba is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterp ...
Synopsis: Important: samba3x security update. Type/Severity: Security Advisory: Important. Topic: An update for samba3x is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: samba security update. Type/Severity: Security Advisory: Important. Topic: An update for samba is now available for Red Hat Gluster Storage 3.2 for RHEL 6 and Red Hat Gluster Storage 3.2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Important: samba security update. Type/Severity: Security Advisory: Important. Topic: An update for samba is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scorin ...
Synopsis: Important: samba4 security update. Type/Severity: Security Advisory: Important. Topic: An update for samba4 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Samba could be made to run programs as an administrator ...
steelo discovered a remote code execution vulnerability in Samba, a SMB/CIFS file, print, and login server for Unix. A malicious client with access to a writable share can take advantage of this flaw by uploading a shared library and then causing the server to load and execute it. For the stable distribution (jessie), this problem has been fixed in ...
On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system. This vulnerability has been assigned CVE ID CVE-2017-7494. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSec ...
Arch Linux Security Advisory ASA-201705-22. Severity: High. Date: 2017-05-30. CVE-ID: CVE-2017-7494. Package: samba. Type: arbitrary code execution. Remote: Yes. Link: security.archlinux.org/AVG-279. Summary: The package samba before version 4.5.10-1 is vulnerable to arbitrary co ...
A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root (CVE-2017-7494). It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos ...
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it ...

Exploits

## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client def initialize(info = {}) super(update_info(in ...
#! /usr/bin/env python # Title : ETERNALRED # Date: 05/24/2017 # Exploit Author: steelo <knownsteelo@gmail.com> # Vendor Homepage: www.samba.org # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 # CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection import SMBConnection from smb import smb_st ...

Mailing Lists

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesys ...
Samba version 3.5.0 remote code execution exploit. Written in python ...
Samba versions 3.5.0 through 4.4.14, 4.5.10, and 4.6.4 is_known_pipename() remote code execution exploit ...

Nmap Scripts

smb-vuln-cve-2017-7494

Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494.

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:16:04:53 (VMware)

| smb-vuln-cve-2017-7494:
|   VULNERABLE:
|   SAMBA Remote Code Execution from Writable Share
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-7494
|     Risk factor: HIGH  CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
|       All versions of Samba from 3.5.0 onwards are vulnerable to a remote
|       code execution vulnerability, allowing a malicious client to upload a
|       shared library to a writable share, and then cause the server to load
|       and execute it.
|
|     Disclosure date: 2017-05-24
|     Check results:
|       Samba Version: 4.3.9-Ubuntu
|       Writable share found.
|        Name: \\192.168.15.131\test
|       Exploitation of CVE-2017-7494 succeeded!
|     Extra information:
|       All writable shares:
|        Name: \\192.168.15.131\test
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
|_      https://www.samba.org/samba/security/CVE-2017-7494.html

Metasploit Modules

Samba is_known_pipename() Arbitrary Module Load

This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > show targets
      ...targets...
msf exploit(is_known_pipename) > set TARGET <target-id>
msf exploit(is_known_pipename) > show options
      ...show and set options...
msf exploit(is_known_pipename) > exploit

Github Repositories

SambaCry RCE exploit for Samba 4.5.9. Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows

CVE-2017-7494. This is part of Cved: a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved. Image source: github.com/cved-sources/cve-2017-7494. Image author: github.com/opsxcq/exploit-CVE-2017-7494

SambaHunter. A simple script to exploit RCE for Samba (CVE-2017-7494). Requirements: sudo apt-get install smbclient; pip install pysmbclient. Usage: # python sambahunter.py -h (followed by an ASCII-art banner)

CVE-2017-7494. Remote root exploit for the SAMBA CVE-2017-7494 vulnerability. Details: This exploit is divided in 2 parts. First, it compiles a payload called "implant.c" and generates a library (libimplantx32.so or libimplantx64.so) that changes to the root user, detaches from the parent process and spawns a reverse shell. Second, it finds a writeable share in the spe

SambaCry CVE-2017-7494.nse - Nmap Detection Script

CVE-2017-7494. CVE-2017-7494 C PoC: uses CVE-2017-7494 to obtain a reverse shell. 1. First compile samba_init.c to generate libsamba.so. 2. Modify the relevant addresses in is_known_pipename.c, then compile and run.

Awesome Pentesting Tools. A list of pentesting tools, packages and resources. For more info, check out blackbuntu linux. CRACKING TOOLS: AccCheck labs.portcullis.co.uk/ Brutespray github.com/x90skysn3k/brutespray CacheDump github.com/moyix/creddump CeWL github.com/digininja/CeWL CredCrack github.com/gojhonny/CredCrack Crowbar githu

wannafind. Simple script using nmap to detect CVE-2017-0143 MS17-010 (Windows SMB) and CVE-2017-7494 (SAMBA) in your network. Usage: wannafind.sh IP|Network, e.g. wannafind.sh 192.168.1.0/24

Samba-CVE-2017-7494 www.zer0d0y.info/post/notes-on-bug-hunting-labs/

Ansible role bertvv.samba. An Ansible role for setting up Samba as a file server. It is tested on CentOS, Debian, Ubuntu and Arch Linux. Specifically, the responsibilities of this role are to: install the necessary packages; configure SELinux settings (when SELinux is active); create share directories; manage Samba users and passwords; manage access to shares. The following are no

Scripts and Commands. General Purpose Programs. find: find is a recursive search for file names. Its general use is: find path -name PATTERN. An example would be something like this: phillip:ScriptsAndCommands$ find ~/scripts -name "*.sh" /home/phillip/scripts/serverStart.sh /home/phillip/scripts/dns-enum.sh /home/phillip/scripts/ScriptsAndCommands/dns-enum.sh /ho

CVE-2017-7494. hello, I am Gihad from Libya > 17 C information On Exploit. This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and k

Basic Setup. Install Samba version 4.5.9: download.samba.org/pub/samba/stable/samba-4.5.9.tar.gz, wiki.samba.org/index.php/Build_Samba_from_Source. Get patched version of Impacket: pip install -r requirements.txt. Usage: Start Samba server in interactive mode + debug print: sudo /home/ubuntu/samba-4.5.9/bin/smbd -i --debuglevel=10 --configfile=/etc/samba/smb.conf C

Pre-engagement. Log all commands of the current session: script engagement_x.log; exit # when finished. Use keepnote or other to document findings. Create a screenshot of the selected area and save it at home directory: $ alias ss='import ~/ss-$(date +%F_%H%M_%S).png'. Set the Target IP Address to the $ip system variable: $ export ip=target_ip. General methodology

Awesome Penetration Testing A collection of awesome penetration testing resources This project is supported by Netsparker Web Application Security Scanner Penetration testing is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities Your contributions and

pentest-tools a collection of best pentest resources Penetration testing is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities Contents Online Resources Penetration Testing Resources Exploit Development Open Source Intelligence (OSINT) Resources Social

Contents Online Resources Penetration Testing Resources Exploit Development Open Sources Intelligence (OSINT) Resources Social Engineering Resources Lock Picking Resources Operating Systems Tools Penetration Testing Distributions Docker for Penetration Testing Multi-paradigm Frameworks Network vulnerability scanners Static Analyzers Web Vulnerability Scanners Network To

MLRT. A program with which you can easily get r00t. Which years does it cover? 2017 / 2016 / 2015. Which exploits are included? CVE-2017-6074 / CVE-2017-7308 / CVE-2017-7494 / CVE-2016-2384 / CVE-2016-9793 / CVE-2015-1328 / CVE-2015-7547. How does this make things easier for us? You just choose the exploit you want and the program handles everything itself :)

Name / Description. CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. CVE-2016-1909: Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x

Jok3r - Network and Web Pentest Framework Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff To achieve that, it combines ope

awesome-c A curated list of awesome C frameworks, libraries and software git/git - Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored Please follow Documentation/SubmittingPatches procedure for any of your improvements SamyPesse/How-to-Make-a-Computer-Operating-System - How to Make a Computer Operating System in C++ ggreer/the_silve

linux-kernel-exploits. Introduction: linux-kernel-exploits. Vulnerability list: #CVE #Description #Kernels. CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20). CVE-2017-7494 [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14). CVE-2016-5195 [Dirty cow] (Linux kernel > 2.6.22 (released in 2007)). CVE-2016-0728 [pp_key] (3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8

linux-kernel-exploits. Introduction: linux-kernel-exploits. Vulnerability list: #CVE #Description #Kernels. CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20). CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch]. CVE-2017-7494 [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14). CVE-2017-7308 [a signedness issue in AF_PACKET sockets]

Linux-Kernel-Exploit. #CVE #Description #Kernels. CVE-2018-1000001 [glibc] (glibc <= 2.26). CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20). CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch]. CVE-2017-16995 [Memory corruption caused by BPF verifier] (Linux kernel before 4.14 - 4.4). CVE-2017-16939

linux-kernel-exploits. Introduction: linux-kernel-exploits. Vulnerability list: #CVE #Description #Kernels. CVE-2018-1000001 [glibc] (glibc <= 2.26). CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20). CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch]. CVE-2017-16995 [Memory corruption caused by BPF verifier] (Linux kern

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection of Proof of Concepts for Common Vulnerabilities and Exposures; you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Samba slip-up smackdown: HPE stops NonStop Server bugs
The Register • Richard Chirgwin • 11 Jul 2017

If SambaCry escaped your notice in June, get busy

HPE NonStop users running Samba need to get busy applying workarounds to a pair of remotely exploitable vulnerabilities.
The first, SambaCry, has been present in Samba since 2010 but was named and outed in late May 2017. Assigned CVE-2017-7494, it allows a malicious Samba client with write access to execute code as root.
F5 Networks explained that all the attacker need do is upload a shared library to a writable share, because the server will execute it with the privileges of the...

Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability
Threatpost • Michael Mimoso • 12 Jun 2017

Unknown attackers are using a recently patched vulnerability in Samba to spread a resource-intensive cryptocurrency mining utility. To date, the operation has netted the attackers just under $6,000 USD, but the number of compromised computers is growing, meaning that a significant number of Samba deployments on *NIX servers remain unpatched.
The attack also demonstrates that the vulnerability in Samba, CVE-2017-7494, can extend EternalBlue-like attacks into Linux and UNIX environments. Sam...

SambaCry is coming
Securelist • Mikhail Kuzin, Yaroslav Shmelev, Dmitry Galov • 09 Jun 2017

Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue. The story was about a new vulnerability for *nix-based systems – EternalRed (aka SambaCry). This vulnerability (CVE-2017-7494) relates to all versions of Samba, starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package (4.6.4/4.5.10/4.4.14).
On May 30th our honeypots captured the first attack to make use of this particular vulnerability,...

Cisco, Netgear Readying Patches for Samba Vulnerability
Threatpost • Chris Brook • 31 May 2017

Device manufacturers are combing through code again this week to determine whether their products are affected by a vulnerability tied to the SMB file-sharing protocol.
The vulnerability, (CVE-2017-7494) disclosed last Wednesday, affects versions of 3.5.0 onward of Samba, the free software re-implementation of the SMB/CIFS networking protocol. If exploited, the bug could allow authenticated attackers to execute arbitrary code remotely and take control of an affected system.

Sa...

Samba Patches Wormable Bug Exploitable With One Line Of Code
Threatpost • Tom Spring • 25 May 2017

A patch for a critical vulnerability impacting the free networking software Samba was issued Wednesday. The flaw poses a severe threat to users, with approximately 104,000 Samba installations vulnerable to remote takeover. More troubling, experts say, the vulnerability can be exploited with just one line of code.
Samba is a popular standard for providing Windows-based file and print services. It allows for interoperability between Unix and Linux systems and Microsoft Windows. With it, Lin...

Fat-thumbed dev slashes Samba security
The Register • Richard Chirgwin • 25 May 2017

Remote code execution in all versions since 3.5.0, so it's patching time!

Sysadmins tending Samba need to get patching.
Samba's announcement, here, explains that it's suffering from a remote code execution bug that applies to all versions newer than Samba 3.5.0.
The software, currently at version 4.6.4, provides *nix integration with Windows file and print services.
In CVE-2017-7494, a malicious client can “upload a shared library to a writable share, and then cause the server to load and execute it.”
The advisory is scant on how this happe...