CVE-2015-0240: detection method and repair suggestions for the Samba remote code execution vulnerability (all affected system versions)

Posted by barello at 2020-03-06

0x01 Preface

During the Spring Festival holiday, the security community disclosed a remote code execution vulnerability in Samba (CVE-2015-0240).

The root cause is the use of an uninitialized pointer in smbd, the Samba server daemon, in its Netlogon RPC server code (the _netr_ServerPasswordSet handler). A malicious Samba client can send a crafted Netlogon packet to smbd and, without needing valid credentials, run code with the privileges of the smbd process, which by default runs as root.

Samba is free software that implements the SMB protocol on Linux and UNIX systems and consists of server and client programs. SMB (Server Message Block) is a protocol for sharing files and printers on a LAN; it lets different computers on the network use each other's file and printer resources. SMB is a client/server protocol: clients use it to access the shared file systems, printers and other resources on the server. With "NetBIOS over TCP/IP" enabled, Samba can share resources not only with hosts on the LAN but with any host that can reach it over the Internet, which is exactly what makes an unpatched smbd exposed on TCP ports 445/139 dangerous.

The vulnerability affects Samba 3.5.0 through the then-latest development version, 4.2.0 release candidate (RC) 4, and the mainstream GNU/Linux distributions ship affected packages. Red Hat's official advisory confirms that Red Hat Enterprise Linux 5 through 7 are affected, while the Samba 3.0.x packages of the Red Hat Enterprise Linux 4 series are not, which is fortunate (such old versions are probably still running in schools and at carriers).

At the time of writing, the major distributions (Debian, Ubuntu, Red Hat) have published fixed packages, and no public attack PoC has been released.

0x02 Detecting whether the vulnerability exists

Red Hat family check (query the installed Samba package version):

Debian / Ubuntu family check (query the installed Samba package version):
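The package version checks above only compare version numbers, which is not enough on its own: distribution packages backport the fix without changing the upstream version, so a host can report an "affected" version and still be patched. The following script is an added example (not code from the original post): it classifies the installed version against the affected range stated above, treats the upstream security releases 3.6.25, 4.0.25, 4.1.17 and 4.2.0rc5 as fixed, and then consults the package changelog for the CVE identifier. The package names samba, samba3x and samba4 are the ones this post mentions for RHEL; the Debian changelog path is the standard /usr/share/doc location.

```shell
#!/bin/sh
# Added example, not from the original post: classify an installed Samba
# against the CVE-2015-0240 range (3.5.0 <= version <= 4.2.0rc4, per the
# Samba advisory) and fall back to the package changelog, because vendor
# packages backport the fix without changing the upstream version number.
# Upstream security releases 3.6.25, 4.0.25, 4.1.17 and 4.2.0rc5 are
# treated as fixed.

# Map a version string to one integer so versions compare numerically.
# Accepts rpm/dpkg decorations ("2:4.1.6+dfsg-1ubuntu2") and release
# candidates ("4.2.0rc4", "4.2.0~rc4"); a final release sorts after any rc.
ver_key() {
    v=$1
    v=${v#*:}                     # drop a dpkg epoch ("2:")
    v=${v%%[-+]*}                 # drop "-release" / "+dfsg" suffixes
    rc=99                         # final release outranks every rc
    case "$v" in
        *rc*) rc=${v##*rc}; v=${v%%rc*}; v=${v%"~"} ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=$1; min=${2:-0}; pat=${3:-0}
    echo $(( maj * 100000000 + min * 1000000 + pat * 1000 + rc ))
}

# Exit 0 (true) when the version is inside the vulnerable range.
samba_version_vulnerable() {
    k=$(ver_key "$1")
    if [ "$k" -lt "$(ver_key 3.5.0)" ]; then return 1; fi      # older than 3.5.0
    if [ "$k" -ge "$(ver_key 4.2.0rc5)" ]; then return 1; fi   # 4.2.0rc5 and later carry the fix
    for fixed in 3.6.25 4.0.25 4.1.17; do                       # fixed maintenance releases
        f=$(ver_key "$fixed")
        # same major.minor branch and at or above the fixed release
        if [ $(( k / 1000000 )) -eq $(( f / 1000000 )) ] && [ "$k" -ge "$f" ]; then
            return 1
        fi
    done
    return 0
}

# Print "<package> <version>" for the installed Samba server package, if any.
# RHEL 5 ships it as samba3x and RHEL 6 also offers samba4, so try all three.
installed_samba_version() {
    for pkg in samba samba3x samba4; do
        if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
            echo "$pkg $(rpm -q --qf '%{VERSION}\n' "$pkg" | head -n 1)"
            return 0
        fi
    done
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f '${Version}' samba 2>/dev/null)
        if [ -n "$v" ]; then echo "samba $v"; return 0; fi
    fi
    return 1
}

# Vendor changelogs name the CVE once the backported fix is in the package.
changelog_mentions_fix() {
    pkg=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$pkg" 2>/dev/null | grep -qi 'CVE-2015-0240'
    elif [ -r "/usr/share/doc/$pkg/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$pkg/changelog.Debian.gz" | grep -qi 'CVE-2015-0240'
    else
        return 1
    fi
}

if info=$(installed_samba_version); then
    pkg=${info%% *}; ver=${info#* }
    if ! samba_version_vulnerable "$ver"; then
        echo "$pkg $ver: outside the affected range"
    elif changelog_mentions_fix "$pkg"; then
        echo "$pkg $ver: affected by version number, but the package changelog references CVE-2015-0240 (vendor backport)"
    else
        echo "$pkg $ver: VULNERABLE to CVE-2015-0240, update or apply the workaround"
    fi
else
    echo "no Samba server package installed via rpm/dpkg on this host"
fi
```

Run it as root on the host in question; the changelog lookup is the decisive check on RHEL/CentOS and Debian/Ubuntu, where the fixed packages keep version numbers such as 3.6.9 or 4.1.6.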

0x03 Temporary mitigation

If the patch cannot be installed right away, for example because the production host has no direct Internet access or because configuration changes have to go through change management, the following temporary mitigation can be used instead:

Open smb.conf, locate the [global] section and add the following directive (this is the workaround published in the Samba security advisory; it disables smbd's Netlogon RPC server, rpc_server:netlogon = disabled), then restart smbd so the setting takes effect:

PS: this temporary mitigation only works on Samba 4.0.0 and later; versions 3.6.x and earlier do not have the rpc_server option, so for them only a package update helps. Note also that Netlogon is the service behind NT4-style domain logons and machine trust accounts, so on a Samba domain controller this breaks domain authentication; on a standalone file server it has no side effect.
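The following script is an added example (not code from the original post) that applies the directive above to an smb.conf in an idempotent way: it inserts it directly under the [global] header, keeps a backup, refuses to touch a file without a [global] section, and checks the running smbd's major version first, since the option means nothing to 3.6.x. The sample smb.conf it edits is constructed for the demonstration; on a real host the target is /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not from the original post: apply the workaround from the
# Samba security advisory, rpc_server:netlogon = disabled, to an smb.conf.
# It only helps on Samba 4.0.0 and later, where the rpc_server option exists.

# True when a Samba version string (e.g. "4.1.6" as printed by `smbd -V`)
# is 4.0.0 or later, i.e. the daemon understands rpc_server:netlogon.
version_supports_workaround() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;          # not a version number at all
    esac
    if [ "$major" -ge 4 ]; then return 0; fi
    return 1
}

# Insert the directive right after the [global] header, once.  Exit status:
# 0 when applied or already present, 1 when the file has no [global] section.
apply_netlogon_workaround() {
    conf=$1
    if grep -qiE '^[[:space:]]*rpc_server:netlogon[[:space:]]*=' "$conf"; then
        return 0                                   # already applied
    fi
    if ! grep -qi '^[[:space:]]*\[global\]' "$conf"; then
        return 1
    fi
    cp "$conf" "$conf.bak-cve-2015-0240"           # backup for rollback
    awk 'BEGIN { done = 0 }
         { print }
         !done && tolower($0) ~ /^[ \t]*\[global\]/ {
             # smb.conf comments must sit on their own line, never after a value
             print "\t# CVE-2015-0240 workaround: disable the Netlogon RPC server"
             print "\trpc_server:netlogon = disabled"
             done = 1
         }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample smb.conf (not from a real host) to show the change.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = WORKGROUP
    server string = file server

[share]
    path = /srv/share
    read only = no
EOF

apply_netlogon_workaround "$SAMPLE_CONF"
apply_netlogon_workaround "$SAMPLE_CONF"      # second run changes nothing
cat "$SAMPLE_CONF"

# On a real host: check the running version, edit /etc/samba/smb.conf,
# validate with `testparm -s`, then restart smbd so the new setting is read.
if command -v smbd >/dev/null 2>&1; then
    ver=$(smbd -V | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p')
    if version_supports_workaround "$ver"; then
        echo "smbd $ver: workaround applicable (edit /etc/samba/smb.conf, run testparm -s, restart smbd)"
    else
        echo "smbd $ver: rpc_server option unsupported, update the package instead"
    fi
fi
```

The directive is inserted as a separate line rather than appended to an existing one because smb.conf does not support trailing comments; a "# ..." after a value would become part of the value.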

0x04 Online repair (hosts with Internet access)

CentOS, Red Hat, Fedora and derivatives (update through RHN / yum, the recommended way):

If you use RHEL 5 with the samba3x packages:

If you use RHEL 6 with the samba4 packages:

After the updated packages are installed, the smbd daemon must be restarted: the already-running process keeps executing the old code until it is, and a package version check alone will not reveal that.

Restart the service on RHEL 5 or 6:

Restart the service on RHEL 7:

Debian, Ubuntu and derivatives:

0x05 Offline repair

CentOS 6.5 offline patching:

First, check which Samba-related packages are installed locally (the subpackages depend on matching versions of each other, so every one of them has to be updated to the same fixed version):

Then download the matching fixed versions from the Aliyun mirror:

Download the patched packages in the background with resume support, so an interrupted transfer can be continued:

Install them locally with yum (which resolves the dependencies between the downloaded RPMs):

Or install them with rpm:

Red Hat derivatives:
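As an added example covering both the online steps in 0x04 and the offline steps in 0x05 (this is not code from the original post), the script below derives the list of RPMs to fetch from what rpm -qa reports, so an offline host receives the same set of packages at the fixed version, wraps the vendor update for yum and apt, and ends every path with the smbd restart. The rpm -qa listing is constructed; the fixed version-release 3.6.9-999.el6_5 and the mirror URL are placeholders, the real values come from the vendor advisory and the mirror you use.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the repair steps in
# 0x04 (online) and 0x05 (offline).  The offline part derives the list of
# RPMs to fetch from what `rpm -qa` reports, so the host gets the same set of
# packages at the fixed version; the online part wraps the vendor update and
# the smbd restart that must follow it.

# NVRA -> package name: strip ".arch", then "-release", then "-version",
# from the right, because names themselves contain hyphens.
rpm_base_name() {
    p=${1%.*}     # samba-winbind-clients-3.6.9-164.el6.x86_64 -> samba-winbind-clients-3.6.9-164.el6
    p=${p%-*}     # -> samba-winbind-clients-3.6.9
    p=${p%-*}     # -> samba-winbind-clients
    echo "$p"
}

# Read an `rpm -qa` style listing on stdin, print the unique package names.
pkg_base_names() {
    while read -r nvra; do
        if [ -n "$nvra" ]; then rpm_base_name "$nvra"; fi
    done | sort -u
}

# Filenames to fetch from the mirror: same names, the fixed version-release
# from the vendor advisory, and the host's arch.  Listing comes on stdin.
download_list() {
    fixed_vr=$1; arch=$2
    for name in $(pkg_base_names); do
        echo "$name-$fixed_vr.$arch.rpm"
    done
}

# Constructed sample of `rpm -qa | grep samba` on a CentOS 6.5 host.
SAMPLE_RPMS='samba-3.6.9-164.el6.x86_64
samba-common-3.6.9-164.el6.x86_64
samba-winbind-clients-3.6.9-164.el6.x86_64
samba-client-3.6.9-164.el6.x86_64'

# 3.6.9-999.el6_5 is a placeholder; take the version-release from the RHSA/CESA.
echo "RPMs to fetch for offline install:"
printf '%s\n' "$SAMPLE_RPMS" | download_list 3.6.9-999.el6_5 x86_64

# Fetch into the current directory with resume support (wget -c) so an
# interrupted transfer continues where it stopped.  MIRROR is a placeholder.
fetch_rpms() {
    mirror=$1; shift
    for f in "$@"; do wget -c "$mirror/$f"; done
}

# Offline install: yum localinstall resolves dependencies between the local
# RPMs; rpm -Uvh works when every dependency is already in the directory.
offline_install() {
    if command -v yum >/dev/null 2>&1; then
        yum -y localinstall ./samba*.rpm
    else
        rpm -Uvh ./samba*.rpm
    fi
    restart_smbd
}

# Online install: the package manager fetches the fixed packages itself.
online_update() {
    if command -v yum >/dev/null 2>&1; then
        yum -y update 'samba*'            # matches samba, samba3x (RHEL 5), samba4 (RHEL 6)
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get update && apt-get install -y --only-upgrade samba
    else
        echo "no supported package manager found" >&2; return 1
    fi
    restart_smbd
}

# The running smbd keeps the old code until restarted; pick the init system.
restart_smbd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart smb.service 2>/dev/null || systemctl restart smbd.service   # RHEL 7 / Debian
    elif [ -x /etc/init.d/smb ]; then
        service smb restart               # RHEL 5 / 6
    elif [ -x /etc/init.d/samba ]; then
        service samba restart             # older Debian / Ubuntu
    fi
}
```

Typical offline use is `rpm -qa | grep samba | download_list <fixed-vr> x86_64` on the isolated host, `fetch_rpms http://mirror.example/path <those filenames>` on a machine with Internet access, copying the RPMs over, then `offline_install`; `online_update` is the whole of 0x04 for hosts that can reach the repositories. After either path, rerun the detection check from 0x02 to confirm the changelog now references the CVE.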

0x06 References