CVE-2007-2447
Samba 3.0.20 < 3.0.25rc3 - 'Username map script' Command Execution
- This is a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3.
- To understand how this attack works, let's check the explanation from the official Samba website:
This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the "username map script" smb.conf option, which is not enabled by default.
After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking external scripts defined in smb.conf. However, unlike the "username map script" vulnerability, the remote file and printer management scripts require an authenticated user session.
Source link: https://www.samba.org/samba/security/CVE-2007-2447.html
- So basically, the username map script is an smb.conf option that we can set up to map users in the authentication flow. The username supplied by the client is handed to the configured script through /bin/sh without escaping shell metacharacters. So an attacker can pass shell commands by sending specific characters in the username argument, for example to open a reverse shell back to their own machine.
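A defender-side check for the configuration described above, as an added example that is not part of the original article or of Samba: it scans smb.conf text for `username map script` (reachable before authentication) and for the share and printer management hooks (reachable with an authenticated session). The management option names are standard smb.conf parameters chosen for this example, and the sample configuration is constructed.

```python
import re

# "username map script" is the option named on this page; the share/printer
# management options are standard smb.conf parameters picked for this example.
PRE_AUTH = {"usernamemapscript"}
POST_AUTH = {"addsharecommand", "changesharecommand", "deletesharecommand",
             "addprintercommand", "deleteprintercommand"}

SAMPLE = """\
# constructed smb.conf for this example
[global]
   workgroup = LAB
   Username Map Script = /etc/samba/scripts/mapusers.sh
   ; add share command = /usr/local/bin/addshare
   addprinter command = /usr/local/bin/addprinter
"""

def normalize(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Yield (first_line_number, text), joining backslash-continued lines."""
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        start = start or number
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        yield start, (pending + raw).strip()
        pending, start = "", None

def audit_smb_conf(text):
    """Return (line, section, option, command, exposure) for each script hook."""
    findings, section = [], "global"
    for number, line in logical_lines(text):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, _, value = line.partition("=")
        key, value = normalize(name), value.strip()
        exposure = ("pre-auth" if key in PRE_AUTH
                    else "authenticated" if key in POST_AUTH else None)
        if exposure and value:
            findings.append((number, section, name.strip(), value, exposure))
    return findings
```

Calling `audit_smb_conf(SAMPLE)` reports the two active hooks and skips the commented-out one; on a host running an affected Samba version, a `pre-auth` finding is the one to remove or patch first.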
PoC:
For educational/research purposes, I created a Python script to exploit this vulnerability and gain a reverse shell.
Alien0ne/CVE-2007-2447 (GitHub): CVE-2007-2447 - Samba usermap script.
- You may refer to the article below for the PoC.
Hack The Box : Lame
Lame is a retired machine available on the HackTheBox platform. It is the first machine published on HackTheBox. This room is rated as easy and recommended for beginners. This room was created by @ch4p.

References :
CVE - 2007-2447
OSVDB - 34700
BID - 23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html
https://www.exploit-db.com/exploits/16320
NOTE: The awesome artwork used in this article was created by @NhatHuynh
