Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: New Samba remote root vuln (CVE-2012-1182) script idea
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 17 Apr 2012 22:20:51 +0200

Hi all,

I've written a detection script for this vulnerability using the method I
described earlier.
I've attached a patch for msrpc.lua to add GetAliasMembership function used
in the exploit.
If you check the source, you'll notice that I didn't do any marshalling,
and I'm building the
packet myself. I'm not sure this is the right way to use the library, so
any suggestion on
how to improve that part.

The script it self is very simple and if basically ZDI's PoC rewritten into
Lua.
I've tested this on vulnerable samba on fedora and fully patched ubuntu.
I'd welcome any comments on improving this. Also , feel free to change the
name of the script, as I'm not sure what the convention is.

Regards,
Aleksandar


On Sat, Apr 14, 2012 at 1:21 AM, Paulino Calderon
<paulino () calderonpale com>wrote:

Hi list,
Here is the other set of reproducers I managed to download.
The detection method proposed by Aleksandar sounds correct, if the
instance is vulnerable, the active connection dies. Otherwise, the response
varies according to the version but the connection is not closed.

Cheers.


On 04/13/2012 02:28 PM, Fyodor wrote:

On Wed, Apr 11, 2012 at 12:02:48AM -0700, Fyodor wrote:

Announcement:
   https://www.samba.org/samba/**security/CVE-2012-1182<https://www.samba.org/samba/security/CVE-2012-1182>
Bugzilla entry, with proof of concept code:
   https://bugzilla.samba.org/**show_bug.cgi?id=8815<https://bugzilla.samba.org/show_bug.cgi?id=8815>

It looks like they decided to remove the "reproducers" for some
reason.  So in case it helps anyone who is working on an NSE script,
here is the reproducer I downloaded on the 11th:

http://nmap.org/tmp/c/cve-**2012-1182/<http://nmap.org/tmp/c/cve-2012-1182/>

There used to be several more reproducers, but I didn't download those
while they were there.

Cheers,
Fyodor
______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: msrpc.patch
Description:

Attachment: samba-vuln-cve-2012-1182.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]