ID CVE-2017-7494
Summary Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
References
Vulnerable Configurations
  • Samba 3.5.0
    cpe:2.3:a:samba:samba:3.5.0
  • Samba 3.5.1
    cpe:2.3:a:samba:samba:3.5.1
  • Samba 3.5.2
    cpe:2.3:a:samba:samba:3.5.2
  • Samba 3.5.3
    cpe:2.3:a:samba:samba:3.5.3
  • Samba 3.5.4
    cpe:2.3:a:samba:samba:3.5.4
  • Samba 3.5.5
    cpe:2.3:a:samba:samba:3.5.5
  • Samba 3.5.6
    cpe:2.3:a:samba:samba:3.5.6
  • Samba 3.5.7
    cpe:2.3:a:samba:samba:3.5.7
  • Samba 3.5.8
    cpe:2.3:a:samba:samba:3.5.8
  • Samba 3.5.9
    cpe:2.3:a:samba:samba:3.5.9
  • Samba 3.5.10
    cpe:2.3:a:samba:samba:3.5.10
  • Samba 3.5.11
    cpe:2.3:a:samba:samba:3.5.11
  • Samba 3.5.12
    cpe:2.3:a:samba:samba:3.5.12
  • Samba 3.5.13
    cpe:2.3:a:samba:samba:3.5.13
  • Samba 3.5.14
    cpe:2.3:a:samba:samba:3.5.14
  • Samba 3.5.15
    cpe:2.3:a:samba:samba:3.5.15
  • Samba 3.5.16
    cpe:2.3:a:samba:samba:3.5.16
  • Samba 3.5.17
    cpe:2.3:a:samba:samba:3.5.17
  • Samba 3.5.18
    cpe:2.3:a:samba:samba:3.5.18
  • Samba 3.5.19
    cpe:2.3:a:samba:samba:3.5.19
  • Samba 3.5.20
    cpe:2.3:a:samba:samba:3.5.20
  • Samba 3.5.21
    cpe:2.3:a:samba:samba:3.5.21
  • Samba 3.5.22
    cpe:2.3:a:samba:samba:3.5.22
  • Samba 3.6.0
    cpe:2.3:a:samba:samba:3.6.0
  • Samba 3.6.1
    cpe:2.3:a:samba:samba:3.6.1
  • Samba 3.6.2
    cpe:2.3:a:samba:samba:3.6.2
  • Samba 3.6.3
    cpe:2.3:a:samba:samba:3.6.3
  • Samba 3.6.4
    cpe:2.3:a:samba:samba:3.6.4
  • Samba 3.6.5
    cpe:2.3:a:samba:samba:3.6.5
  • Samba 3.6.6
    cpe:2.3:a:samba:samba:3.6.6
  • Samba 3.6.7
    cpe:2.3:a:samba:samba:3.6.7
  • Samba 3.6.8
    cpe:2.3:a:samba:samba:3.6.8
  • Samba 3.6.9
    cpe:2.3:a:samba:samba:3.6.9
  • Samba 3.6.10
    cpe:2.3:a:samba:samba:3.6.10
  • Samba 3.6.11
    cpe:2.3:a:samba:samba:3.6.11
  • Samba 3.6.12
    cpe:2.3:a:samba:samba:3.6.12
  • Samba 3.6.13
    cpe:2.3:a:samba:samba:3.6.13
  • Samba 3.6.14
    cpe:2.3:a:samba:samba:3.6.14
  • Samba 3.6.15
    cpe:2.3:a:samba:samba:3.6.15
  • Samba 3.6.16
    cpe:2.3:a:samba:samba:3.6.16
  • Samba 3.6.17
    cpe:2.3:a:samba:samba:3.6.17
  • Samba 3.6.18
    cpe:2.3:a:samba:samba:3.6.18
  • Samba 3.6.19
    cpe:2.3:a:samba:samba:3.6.19
  • Samba 3.6.20
    cpe:2.3:a:samba:samba:3.6.20
  • Samba 3.6.21
    cpe:2.3:a:samba:samba:3.6.21
  • Samba 3.6.22
    cpe:2.3:a:samba:samba:3.6.22
  • Samba 3.6.23
    cpe:2.3:a:samba:samba:3.6.23
  • Samba 3.6.24
    cpe:2.3:a:samba:samba:3.6.24
  • Samba 3.6.25
    cpe:2.3:a:samba:samba:3.6.25
  • Samba 4.0.0
    cpe:2.3:a:samba:samba:4.0.0
  • Samba 4.0.1
    cpe:2.3:a:samba:samba:4.0.1
  • Samba 4.0.2
    cpe:2.3:a:samba:samba:4.0.2
  • Samba 4.0.3
    cpe:2.3:a:samba:samba:4.0.3
  • Samba 4.0.4
    cpe:2.3:a:samba:samba:4.0.4
  • Samba 4.0.5
    cpe:2.3:a:samba:samba:4.0.5
  • Samba 4.0.6
    cpe:2.3:a:samba:samba:4.0.6
  • Samba 4.0.7
    cpe:2.3:a:samba:samba:4.0.7
  • Samba 4.0.8
    cpe:2.3:a:samba:samba:4.0.8
  • Samba 4.0.9
    cpe:2.3:a:samba:samba:4.0.9
  • Samba 4.0.10
    cpe:2.3:a:samba:samba:4.0.10
  • Samba 4.0.11
    cpe:2.3:a:samba:samba:4.0.11
  • Samba 4.0.12
    cpe:2.3:a:samba:samba:4.0.12
  • Samba 4.0.13
    cpe:2.3:a:samba:samba:4.0.13
  • Samba 4.0.14
    cpe:2.3:a:samba:samba:4.0.14
  • Samba 4.0.15
    cpe:2.3:a:samba:samba:4.0.15
  • Samba 4.0.16
    cpe:2.3:a:samba:samba:4.0.16
  • Samba 4.0.17
    cpe:2.3:a:samba:samba:4.0.17
  • Samba 4.0.18
    cpe:2.3:a:samba:samba:4.0.18
  • Samba 4.0.19
    cpe:2.3:a:samba:samba:4.0.19
  • Samba 4.0.20
    cpe:2.3:a:samba:samba:4.0.20
  • Samba 4.0.21
    cpe:2.3:a:samba:samba:4.0.21
  • Samba 4.0.22
    cpe:2.3:a:samba:samba:4.0.22
  • Samba 4.0.23
    cpe:2.3:a:samba:samba:4.0.23
  • Samba 4.0.24
    cpe:2.3:a:samba:samba:4.0.24
  • Samba 4.0.25
    cpe:2.3:a:samba:samba:4.0.25
  • Samba 4.0.26
    cpe:2.3:a:samba:samba:4.0.26
  • Samba 4.1.0
    cpe:2.3:a:samba:samba:4.1.0
  • Samba 4.1.1
    cpe:2.3:a:samba:samba:4.1.1
  • Samba 4.1.2
    cpe:2.3:a:samba:samba:4.1.2
  • Samba 4.1.3
    cpe:2.3:a:samba:samba:4.1.3
  • Samba 4.1.4
    cpe:2.3:a:samba:samba:4.1.4
  • Samba 4.1.5
    cpe:2.3:a:samba:samba:4.1.5
  • Samba 4.1.6
    cpe:2.3:a:samba:samba:4.1.6
  • Samba 4.1.7
    cpe:2.3:a:samba:samba:4.1.7
  • Samba 4.1.8
    cpe:2.3:a:samba:samba:4.1.8
  • Samba 4.1.9
    cpe:2.3:a:samba:samba:4.1.9
  • Samba 4.1.10
    cpe:2.3:a:samba:samba:4.1.10
  • Samba 4.1.11
    cpe:2.3:a:samba:samba:4.1.11
  • Samba 4.1.12
    cpe:2.3:a:samba:samba:4.1.12
  • Samba 4.1.13
    cpe:2.3:a:samba:samba:4.1.13
  • Samba 4.1.14
    cpe:2.3:a:samba:samba:4.1.14
  • Samba 4.1.15
    cpe:2.3:a:samba:samba:4.1.15
  • Samba 4.1.16
    cpe:2.3:a:samba:samba:4.1.16
  • Samba 4.1.17
    cpe:2.3:a:samba:samba:4.1.17
  • Samba 4.1.18
    cpe:2.3:a:samba:samba:4.1.18
  • Samba 4.1.19
    cpe:2.3:a:samba:samba:4.1.19
  • Samba 4.1.20
    cpe:2.3:a:samba:samba:4.1.20
  • Samba 4.1.21
    cpe:2.3:a:samba:samba:4.1.21
  • Samba 4.1.22
    cpe:2.3:a:samba:samba:4.1.22
  • Samba 4.1.23
    cpe:2.3:a:samba:samba:4.1.23
  • Samba 4.2.0 release candidate 1
    cpe:2.3:a:samba:samba:4.2.0:rc1
  • Samba 4.2.0 release candidate 2
    cpe:2.3:a:samba:samba:4.2.0:rc2
  • Samba 4.2.0 release candidate 3
    cpe:2.3:a:samba:samba:4.2.0:rc3
  • Samba 4.2.0 release candidate 4
    cpe:2.3:a:samba:samba:4.2.0:rc4
  • Samba 4.2.1
    cpe:2.3:a:samba:samba:4.2.1
  • Samba 4.2.2
    cpe:2.3:a:samba:samba:4.2.2
  • Samba 4.2.3
    cpe:2.3:a:samba:samba:4.2.3
  • Samba 4.2.4
    cpe:2.3:a:samba:samba:4.2.4
  • Samba 4.2.5
    cpe:2.3:a:samba:samba:4.2.5
  • Samba 4.2.6
    cpe:2.3:a:samba:samba:4.2.6
  • Samba 4.2.7
    cpe:2.3:a:samba:samba:4.2.7
  • Samba 4.2.8
    cpe:2.3:a:samba:samba:4.2.8
  • Samba 4.2.9
    cpe:2.3:a:samba:samba:4.2.9
  • Samba 4.2.10
    cpe:2.3:a:samba:samba:4.2.10
  • Samba 4.2.11
    cpe:2.3:a:samba:samba:4.2.11
  • Samba 4.2.12
    cpe:2.3:a:samba:samba:4.2.12
  • Samba 4.2.13
    cpe:2.3:a:samba:samba:4.2.13
  • Samba 4.2.14
    cpe:2.3:a:samba:samba:4.2.14
  • Samba 4.3.0
    cpe:2.3:a:samba:samba:4.3.0
  • Samba 4.3.1
    cpe:2.3:a:samba:samba:4.3.1
  • Samba 4.3.2
    cpe:2.3:a:samba:samba:4.3.2
  • Samba 4.3.3
    cpe:2.3:a:samba:samba:4.3.3
  • Samba 4.3.4
    cpe:2.3:a:samba:samba:4.3.4
  • Samba 4.3.5
    cpe:2.3:a:samba:samba:4.3.5
  • Samba 4.3.6
    cpe:2.3:a:samba:samba:4.3.6
  • Samba 4.3.7
    cpe:2.3:a:samba:samba:4.3.7
  • Samba 4.3.8
    cpe:2.3:a:samba:samba:4.3.8
  • Samba 4.3.9
    cpe:2.3:a:samba:samba:4.3.9
  • Samba 4.3.10
    cpe:2.3:a:samba:samba:4.3.10
  • Samba 4.3.11
    cpe:2.3:a:samba:samba:4.3.11
  • Samba 4.4.0 Release Candidate 1
    cpe:2.3:a:samba:samba:4.4.0:rc1
  • Samba 4.4.0 Release Candidate 2
    cpe:2.3:a:samba:samba:4.4.0:rc2
  • Samba 4.4.0 Release Candidate 3
    cpe:2.3:a:samba:samba:4.4.0:rc3
  • Samba 4.4.1
    cpe:2.3:a:samba:samba:4.4.1
  • Samba 4.4.2
    cpe:2.3:a:samba:samba:4.4.2
  • Samba 4.4.3
    cpe:2.3:a:samba:samba:4.4.3
  • Samba 4.4.4
    cpe:2.3:a:samba:samba:4.4.4
  • Samba 4.4.5
    cpe:2.3:a:samba:samba:4.4.5
  • Samba 4.4.6
    cpe:2.3:a:samba:samba:4.4.6
  • Samba 4.4.7
    cpe:2.3:a:samba:samba:4.4.7
  • Samba 4.4.8
    cpe:2.3:a:samba:samba:4.4.8
  • Samba 4.4.9
    cpe:2.3:a:samba:samba:4.4.9
  • Samba 4.4.10
    cpe:2.3:a:samba:samba:4.4.10
  • Samba 4.4.11
    cpe:2.3:a:samba:samba:4.4.11
  • Samba 4.4.12
    cpe:2.3:a:samba:samba:4.4.12
  • Samba 4.4.13
    cpe:2.3:a:samba:samba:4.4.13
  • Samba 4.5.0
    cpe:2.3:a:samba:samba:4.5.0
  • Samba 4.5.1
    cpe:2.3:a:samba:samba:4.5.1
  • Samba 4.5.2
    cpe:2.3:a:samba:samba:4.5.2
  • Samba 4.5.3
    cpe:2.3:a:samba:samba:4.5.3
  • Samba 4.5.4
    cpe:2.3:a:samba:samba:4.5.4
  • Samba 4.5.5
    cpe:2.3:a:samba:samba:4.5.5
  • Samba 4.5.6
    cpe:2.3:a:samba:samba:4.5.6
  • Samba 4.5.7
    cpe:2.3:a:samba:samba:4.5.7
  • Samba 4.5.8
    cpe:2.3:a:samba:samba:4.5.8
  • Samba 4.5.9
    cpe:2.3:a:samba:samba:4.5.9
  • Samba 4.6.0
    cpe:2.3:a:samba:samba:4.6.0
  • Samba 4.6.1
    cpe:2.3:a:samba:samba:4.6.1
  • Samba 4.6.2
    cpe:2.3:a:samba:samba:4.6.2
  • Samba 4.6.3
    cpe:2.3:a:samba:samba:4.6.3
  • Samba 4.6.5
    cpe:2.3:a:samba:samba:4.6.5
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
exploit-db via4
  • description Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit). CVE-2017-7494. Remote exploit for Linux platform. Tags: Metasploit Framework
    file exploits/linux/remote/42084.rb
    id EDB-ID:42084
    last seen 2017-05-30
    modified 2017-05-29
    platform linux
    port
    published 2017-05-29
    reporter Exploit-DB
    source https://www.exploit-db.com/download/42084/
    title Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
    type remote
  • description Samba 3.5.0 - Remote Code Execution. CVE-2017-7494. Remote exploit for Linux platform
    file exploits/linux/remote/42060.py
    id EDB-ID:42060
    last seen 2017-05-25
    modified 2017-05-24
    platform linux
    port
    published 2017-05-24
    reporter Exploit-DB
    source https://www.exploit-db.com/download/42060/
    title Samba 3.5.0 - Remote Code Execution
    type remote
metasploit via4
description This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
id MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME
last seen 2019-03-17
modified 2019-01-10
published 2017-05-25
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb
title Samba is_known_pipename() Arbitrary Module Load
nessus via4
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1105.NASL
    description According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125) - A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126) - A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories, in areas of the server file system not exported under the share definitions. (CVE-2017-2619) - A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 100698
    published 2017-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100698
    title EulerOS 2.0 SP2 : samba (EulerOS-SA-2017-1105)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-834.NASL
    description A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494) It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125) A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126) A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories, in areas of the server file system not exported under the share definitions. (CVE-2017-2619)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 100554
    published 2017-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100554
    title Amazon Linux AMI : samba (ALAS-2017-834) (SambaCry)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10826.NASL
    description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 104100
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104100
    title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3296-2.NASL
    description USN-3296-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 100412
    published 2017-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100412
    title Ubuntu 12.04 LTS : samba vulnerability (USN-3296-2) (SambaCry)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3296-1.NASL
    description