CVExplained - CVE-2007-2447

Summary and TLDR at the bottom.

CVE-2007–2447 allows remote attackers to run commands via the username parameter in Samba 3.0.0–3.0.25rc3. Below is the POC seen in most scripts.

/=`nohup {payload}`

You can send this text as the username via the “logon” command in smbclient and your payload is executed. (Note: The “=” is not actually required to run this exploit. I am not sure why it is in most POCs.) Interestingly, if you send the username via impacket or another script, the “/” isn’t required! I’ll explain later in this post why that is. Below is a script modified by @Jarvis that shows there is no need for the “/”.

exploitimpacket
Now that we know how to exploit this CVE, let’s dig into how it works!

After a bit of investigation I found two files that are important to look at:

  • source/lib/smbrun.c
  • source/smbd/map_username.c

Looking into map_username.c we find this little blob of code.


From this we can see that the username we send is combined with the script that is set in the smb.conf file to give us a string such as

/etc/samba/script/usermap.sh “Jimmy”

That string is then sent to the smbrun function. Taking a quick peek at the smbrun function reveals that it has been turned into a wrapper for a new smbrun_internal function with a hard coded parameter.

Taking a peek at the smbrun_internal function we find that the hardcoded parameter in smbrun is the sanitize parameter! We also see that previously, the smbrun function sent unsanitized data to the execl function.

This is the root cause of our vulnerability. A normal logon request would look like this to execl:

/bin/sh sh -c /etc/samba/scripts/mapscript.sh “Jimmy”

However if we were to inject the username with our exploit this is what would be passed to execl:

/bin/sh sh -c /etc/samba/scripts/mapscript.sh “`nohup {payload}`”

Cool! So a relatively simple exploit. We abuse backticks in unsanitized text that is passed to sh to gain command execution. But what happened to the forward slash? Long story short, the “/” acts as a delimiter for the domain field in smbclient. Below is a side by side comparison of an attempt to run this exploit with and without the “/” (Left without the “/”, right with the “/”)

Summary/TLDR
CVE-2007–2447 is a remote command injection vulnerability in the username parameter of Samba 3.0.0–3.0.25rc3 caused by a lack of input sanitization. The reason for the “/” character in the exploit is to separate the domain field and the username field in smbclient. I do not know the reason for the “=” character in most POCs.

Credits
@Jarvis - Modified impacket script to exploit CVE-2007-2447
Amriunix - Helped me understand why the “/” was needed and also let me know that the “=” wasn’t required.

This is my first “writeup” of sorts, I appreciate any and all feedback! Hopefully you learned something :slight_smile:

6 Likes

great write-up, @nikkiofthenet!

I have been trying to drive home the importance of sources and sinks to folks. This is another example of a less-than-immediately-obvious source that finds its way into a sink - with potentially catastrophic results.

source = username
sink = execl
the path is debatable, but I contest it all starts with the function pstr_sprintf just accepting ‘any’ user input

.
.

LiveOverflow did a video on sources and sinks: https://www.youtube.com/watch?v=ZaOtY4i5w_U
I strongly encourage checking out his YouTube channel - see below disclosure

**full disclosure, I get absolutely no kickback. his binary hacking / RE playlist is what got me into exploit dev without being totally lost. if he was able to explain it so that I could understand it, ANYONE can understand it

1 Like